Adjusting time formats and name resolution

Both the Time Display Format and Name Resolution menu choices have several options in their submenus. We'll start with Time Display Format, which offers several ways to view the time values in Wireshark.

Once you expand the Time Display Format menu choice, you will see several options for how the time is displayed. The absolute formats, which show the wall-clock time stamped on each packet by the capturing host, include the following:

  • Date and Time of Day
  • Year, Day of Year, and Time of Day
  • Time of Day
  • Seconds Since 1970-01-01

When doing an analysis, you will most likely use a relative format that helps you to visualize gaps in transmission. In that case, the following are used:

  • Seconds Since Beginning of Capture: This shows how many seconds have passed since the first packet in the capture.
  • Seconds Since Previous Captured Packet: This shows how many seconds have passed since the previous packet in the capture file, whether or not that packet is currently displayed.
  • Seconds Since Previous Displayed Packet: This is the one to use when you apply a display filter, as it measures the time since the previous packet that passed the filter. For a single conversation, this exposes the real gaps between its packets instead of the tiny intervals to unrelated traffic that arrived in between.

Time precision is also a consideration. When selecting a format, you have a choice in how many decimal places are displayed, as shown here:

  • Automatic (from Capture File)
  • Seconds
  • Tenths of a second
  • Hundredths of a second
  • Milliseconds
  • Microseconds
  • Nanoseconds

Most of the time, it is best to use Automatic, which is the default. It displays the precision recorded in the capture file itself (microseconds for a classic pcap file, or whatever resolution the capturing interface recorded in a pcapng file), so you never see digits that were never measured. Bear in mind that the timestamps are applied by the host that captured the traffic, so its clock must be synchronized (for example, with NTP) if you intend to correlate packets with log entries from other systems.
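To make the difference between the three relative formats concrete, the following is an added example (not code from the book) that recomputes Wireshark's relative time columns over a small constructed capture. The frame timestamps, the DNS-only display filter and the function names are assumptions for the illustration; the columns mirror the Wireshark fields frame.time_relative, frame.time_delta and frame.time_delta_displayed, and the precision table mirrors the submenu above.

```python
from datetime import datetime, timezone

# Constructed sample capture: (frame number, epoch timestamp in seconds, protocol column).
# Frame 5 arrives 3 s after frame 4, the kind of gap the delta columns should expose.
FRAMES = [
    (1, 1700000000.000000, "DNS"),
    (2, 1700000000.000412, "DNS"),
    (3, 1700000000.250000, "TCP"),
    (4, 1700000000.250300, "TCP"),
    (5, 1700000003.250300, "DNS"),
    (6, 1700000003.251000, "TCP"),
]

# Decimal places for each entry of the Time Display Format precision submenu.
PRECISION = {
    "seconds": 0, "tenths": 1, "hundredths": 2,
    "milliseconds": 3, "microseconds": 6, "nanoseconds": 9,
}


def fmt_delta(seconds, precision="microseconds"):
    """Format a relative time with the number of decimals the precision submenu would use."""
    return f"{seconds:.{PRECISION[precision]}f}"


def fmt_absolute(ts, style="date_and_time"):
    """Absolute formats: 'Date and Time of Day', 'Time of Day' and 'Seconds Since 1970-01-01' (UTC)."""
    dt = datetime.fromtimestamp(ts, tz=timezone.utc)
    if style == "date_and_time":
        return dt.strftime("%Y-%m-%d %H:%M:%S.%f")
    if style == "time_of_day":
        return dt.strftime("%H:%M:%S.%f")
    if style == "epoch":
        return f"{ts:.6f}"
    raise ValueError(f"unknown style {style!r}")


def time_columns(frames, display_filter=lambda proto: True):
    """Compute the three relative time columns for every frame that passes the filter.

    'since_captured' is measured against the previous frame in the file whether or not
    it was displayed; 'since_displayed' is measured against the previous frame that
    passed the filter. The first frame of each kind gets 0.0, as in Wireshark.
    """
    rows = []
    start = frames[0][1]
    prev_captured = None
    prev_displayed = None
    for number, ts, proto in frames:
        since_captured = 0.0 if prev_captured is None else ts - prev_captured
        prev_captured = ts
        if not display_filter(proto):
            continue
        since_displayed = 0.0 if prev_displayed is None else ts - prev_displayed
        prev_displayed = ts
        rows.append({
            "frame": number,
            "since_start": ts - start,
            "since_captured": since_captured,
            "since_displayed": since_displayed,
        })
    return rows


def largest_gap(rows):
    """Return (frame number, seconds) of the largest gap between displayed frames."""
    row = max(rows, key=lambda r: r["since_displayed"])
    return row["frame"], row["since_displayed"]


if __name__ == "__main__":
    # Filter to the DNS conversation, as a display filter would, and print the columns.
    rows = time_columns(FRAMES, display_filter=lambda proto: proto == "DNS")
    print("frame  abs time                    since_start  since_captured  since_displayed")
    for r in rows:
        print(f"{r['frame']:<6} {fmt_absolute(FRAMES[r['frame'] - 1][1]):<27} "
              f"{fmt_delta(r['since_start']):>11}  {fmt_delta(r['since_captured']):>14}  "
              f"{fmt_delta(r['since_displayed'], 'milliseconds'):>15}")
    print("largest gap between displayed frames:", largest_gap(rows))
```

With the DNS filter applied, frame 5 reports 3.000000 s since the previous captured packet but 3.249888 s since the previous displayed packet (frame 2); the second figure is the gap that matters when you are timing the DNS exchange, and it is the one Seconds Since Previous Displayed Packet shows.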

Time is central to packet analysis, and you now know how to change the way it is represented. Name Resolution is another menu choice with several selections. The following outlines the options available to resolve names and the rationale for selecting each one.

Under the Name Resolution menu, you can resolve physical, network, and transport addresses. In most cases, Wireshark can resolve physical and transport addresses without any problems, as both are looked up in text files shipped in the local Wireshark installation folder; no network traffic is generated.

To resolve physical addresses, Wireshark looks at the first three octets (six hexadecimal digits) of a MAC address, which form the Organizationally Unique Identifier (OUI) assigned to the vendor by the IEEE, and looks them up in the manuf file, as shown here. Keep in mind that a MAC address is trivially spoofed and that many devices randomize their addresses, so the vendor name is a hint, not proof of what hardware is on the wire:

The manuf file listing NIC card vendors

To resolve the transport address (the port number), Wireshark consults the services file, a text file that lists service names and their associated port numbers. The list follows the IANA port-numbers registry for consistency.

For example, the service smtp uses port 25. When Wireshark sees port 25 in use, it displays smtp as the service, as long as transport name resolution is enabled. This is purely a lookup by port number, not protocol detection: traffic on port 443 is labeled https whether or not it is actually TLS, so treat the label as a hint and verify with the dissector when it matters.

The following is a screenshot of the services file, which is found in the Wireshark folder:

The services file listing ports and associated services

Resolve Network Addresses resolves an IP address to a hostname. Normally, this option is left unchecked because, if it is enabled, Wireshark performs reverse DNS lookups for the addresses in the capture, which generates a lot of additional traffic. On a sensitive investigation it also reveals to whoever operates the DNS resolver exactly which addresses you are looking at, so prefer a local hosts file or the names already present in captured DNS responses.

If necessary, it is possible to edit either the manuf or services file. In addition, you can select Edit Resolved Names, which opens the Name Resolution preferences, where you can edit or add a name.
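The two file-based lookups described above (OUI to vendor via the manuf file, port to service via the services file) are simple enough to reproduce. The following is an added example, not code from the book or from Wireshark, that parses constructed samples laid out like those files and resolves a few addresses. The sample entries, the ExampleCo /36 block and the function names are assumptions for the illustration; the real files are far larger and their exact layout may differ between Wireshark versions.

```python
# Constructed sample in the manuf file layout: tab-separated prefix, short name, long name.
# A prefix with no /length is a 24-bit OUI; /28 and /36 entries cover the smaller IEEE blocks.
MANUF_TEXT = """\
# constructed manuf-style sample
00:00:0C\tCisco\tCisco Systems, Inc
00:50:56\tVMware\tVMware, Inc.
8C:1F:64:00:00:00/36\tExampleCo\tExample Company (constructed /36 block)
"""

# Constructed sample in the services file layout: name, port/protocol, description.
SERVICES_TEXT = """\
# constructed services-style sample
smtp\t25/tcp\tSimple Mail Transfer
domain\t53/udp\tDomain Name Server
http\t80/tcp\tWorld Wide Web HTTP
https\t443/tcp\thttp protocol over TLS/SSL
"""


def parse_manuf(text):
    """Return a longest-prefix-first table of (bits, masked value, mask, short name)."""
    table = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].rstrip()
        if not line:
            continue
        prefix, short, *_ = line.split("\t")
        if "/" in prefix:
            mac, bits = prefix.split("/")
            bits = int(bits)
        else:
            mac, bits = prefix, 24
        # Pad a 3-octet OUI out to a full 48-bit value so every entry masks the same way.
        value = int(mac.replace(":", "").ljust(12, "0"), 16)
        mask = ((1 << bits) - 1) << (48 - bits)
        table.append((bits, value & mask, mask, short))
    table.sort(reverse=True)  # longest prefix wins when blocks overlap
    return table


def parse_services(text):
    """Return {(port, protocol): name} from services-style lines."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, port_proto, *_ = line.split("\t")
        port, proto = port_proto.split("/")
        table[(int(port), proto)] = name
    return table


def resolve_mac(mac, table):
    """Resolve the vendor part of a MAC address.

    A 24-bit match is rendered as Wireshark does, 'Vendor_xx:xx:xx'; if no prefix
    matches, the address is returned unchanged, which is what the packet list shows.
    """
    mac = mac.lower().replace("-", ":")
    raw = int(mac.replace(":", ""), 16)
    for _bits, value, mask, short in table:
        if raw & mask == value:
            return f"{short}_{mac[9:]}"
    return mac


def resolve_port(port, proto, table):
    """Resolve a port to its service name, or the bare number when it is not listed."""
    return table.get((port, proto), str(port))


MANUF = parse_manuf(MANUF_TEXT)
SERVICES = parse_services(SERVICES_TEXT)

if __name__ == "__main__":
    for mac in ("00:00:0c:12:34:56", "8c:1f:64:00:0b:cc", "8c:1f:64:0a:bb:cc"):
        print(f"{mac} -> {resolve_mac(mac, MANUF)}")
    for port, proto in ((25, "tcp"), (443, "tcp"), (4444, "tcp")):
        print(f"{port}/{proto} -> {resolve_port(port, proto, SERVICES)}")
```

Note that 8c:1f:64:0a:bb:cc falls outside the constructed /36 block and therefore stays unresolved, while 4444/tcp is simply shown as a number: neither lookup tells you anything about the traffic itself, only about what the prefix or port is registered for.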

When working with a capture, there are ways to enhance your view, as we shall see in the next section.
