Comparing conversations and endpoints

Whenever you are actively connecting with other hosts on the network, the OS keeps track of all the connections. To see all of your active connections on a Windows machine, open a command line and run netstat with the parameter -an, as shown in the following screenshot:

The netstat command showing TCP connections

In Wireshark, a conversation consists of two endpoints that are in a connection together. An endpoint is one side of the conversation. To view all of the conversations in a capture, go to Statistics and then Conversations. Once the window opens, there are tabs along the top that allow you to view a specific type of conversation. In the following screenshot, you can see the five tabs: Ethernet, IPv4, IPv6, TCP, and UDP.

Conversations

Each tab provides details of the type of conversation you selected. For example, the Ethernet tab shows Ethernet conversations listing the MAC addresses of the endpoints. Each row represents one conversation. Wireshark has advanced options within this window. We can select any of the conversations by right-clicking and selecting any of the following options:

  • Apply as a filter: This will select the highlighted conversation and run the filter.
  • Prepare as a filter: This will select the highlighted conversation and prepare the filter; to run the filter you must press Enter.
  • Find: This will select the highlighted conversation and place the variables in the search toolbar.
  • Colorize: This will select the highlighted conversation and allow you to create a custom coloring rule.

The following screenshot shows the search toolbar that is launched when you select Find:

The Find packets toolbar

All of these options allow you to further refine your selection. Right-click and select one of several options that include A to B, B to A, A to Any, among others.

At the bottom of the window, there are additional choices with which you can refine and customize your view:

  • Name resolution: Wireshark will resolve the physical, network, and transport addresses for the specific conversation type. For example, if the TCP tab is selected, the transport address will be resolved.
  • Limit to display filter: This will show only conversations included in the current display filter.
  • Absolute start time: This will change the start time column to the absolute start time, which is in the Time of Day display format. If you uncheck this, the time will revert to the relative start time, which is in the Seconds since Beginning of Capture time display format.
  • Copy: This will copy the list to the clipboard in either CSV or YAML (short for Yet Another Markup Language) format. You can then paste it into a text file or a spreadsheet.
  • Follow Stream: This allows you to see the details of a single conversation. You must first select either a TCP or UDP conversation.
  • Graph: This will launch and display a TCP Stream graph on the selected TCP conversation, as shown here:

TCP stream graph
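To make the conversation and endpoint model concrete, here is an added Python example (it is not code from the book or from Wireshark) that groups constructed sample TCP packets into conversations the way the TCP tab does, counting packets and bytes in each direction with endpoint A being whichever side sent the first packet seen, and builds the display filter strings that the A <-> B, A -> B and A -> Any right-click options produce. The packet records and addresses are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample TCP packets (time_s, src, sport, dst, dport, frame_len); not a real capture.
PACKETS = [
    (0.000, "10.0.0.5", 51234, "93.184.216.34", 443, 74),
    (0.021, "93.184.216.34", 443, "10.0.0.5", 51234, 74),
    (0.022, "10.0.0.5", 51234, "93.184.216.34", 443, 66),
    (0.050, "10.0.0.5", 51234, "93.184.216.34", 443, 583),
    (1.200, "10.0.0.5", 51235, "10.0.0.9", 22, 74),
    (1.210, "10.0.0.9", 22, "10.0.0.5", 51235, 74),
]

@dataclass
class Conversation:
    a: tuple            # endpoint A = (addr, port) of whoever sent the first packet seen
    b: tuple            # endpoint B = the other side
    start: float        # relative start: seconds since beginning of capture
    end: float          # time of the last packet seen so far
    a_to_b: list = field(default_factory=lambda: [0, 0])  # [packets, bytes]
    b_to_a: list = field(default_factory=lambda: [0, 0])  # [packets, bytes]

def tcp_conversations(packets):
    """Group packets into TCP conversations keyed by the unordered endpoint pair."""
    convs = {}
    for t, src, sport, dst, dport, length in packets:
        key = frozenset([(src, sport), (dst, dport)])
        conv = convs.get(key)
        if conv is None:
            conv = convs[key] = Conversation((src, sport), (dst, dport), t, t)
        direction = conv.a_to_b if (src, sport) == conv.a else conv.b_to_a
        direction[0] += 1
        direction[1] += length
        conv.end = max(conv.end, t)
    return list(convs.values())

def display_filter(conv, direction="A <-> B"):
    """Build the display filter that 'Apply as a filter' would produce for the chosen direction."""
    (a_ip, a_port), (b_ip, b_port) = conv.a, conv.b
    if direction == "A <-> B":
        return (f"ip.addr=={a_ip} && tcp.port=={a_port} && "
                f"ip.addr=={b_ip} && tcp.port=={b_port}")
    if direction == "A -> B":
        return (f"ip.src=={a_ip} && tcp.srcport=={a_port} && "
                f"ip.dst=={b_ip} && tcp.dstport=={b_port}")
    if direction == "A -> Any":
        return f"ip.src=={a_ip} && tcp.srcport=={a_port}"
    raise ValueError(f"unsupported direction: {direction}")
```

Comparing the per-direction packet and byte counts is the same check you make in the Conversations window when looking for a connection that is out of proportion with its peers, for example a short-lived session that sends far more bytes outbound than it receives.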

As you become more experienced with using Wireshark, you will be able to navigate around the interface with ease. Until then, experiment with some of the menu choices and options.

In order to more effectively troubleshoot a network, it is important to have a packet capture to compare possible changes. One way to achieve this is by creating a baseline, which we will cover in this next section.
