Comments can be a powerful tool, as you can use them in many ways to preserve what you felt was significant in the capture. Even after several years have passed, I still find the comments valuable as they help me to remember my train of thought when I captured the packet. However, in order for the comments to be of value, you must save them. Let's discuss how we save our comments.
Once you have created a comment, you will see an asterisk by the title across the top of the Wireshark interface, as shown here:
Once you have created a comment, you will see an asterisk by the title across the top of the Wireshark interface.
The asterisk will remain until you save the file. To preserve the comments, the file must be saved in the PCAP next generation (.pcapng) format.
If you or your team has taken the time to make a comment, then it's well worth your time to read them. You can view the comments in one of several ways:
- Use the pkt_comment display filter to see all packets that have comments.
- Open the Expert System.
- Go to the lower right-hand side to the drop-down menu named Show and select Comment from the list. This will display any comments that are in the capture.
- Go to Statistics then Capture File Properties, and view the comments in the lower pane.
Hopefully, by now, you can appreciate the many ways in which you can personalize your work area. Most of the time while working with packet captures, there is a need to refine our view by filtering traffic. We can use display filters along with complex expressions. In the next section, let's explore how we can do this, and if you find you're using the same expression repeatedly, then Wireshark can easily create a button that you can place on your toolbar for easy reference.