Expert system and intelligent scrollbar

Wireshark allows us to visualize issues while performing an analysis. The expert system categorizes various traffic conditions. It has a color code for each level that allows for easy identification of general workflow and possible critical events:

  • Chat color: Gray provides information about typical workflows, such as a TCP window update or connection finish
  • Note color: Cyan indicates items of interest, such as duplicate acknowledgments and TCP keep-alive segments
  • Warn color: Yellow indicates a warning, such as a TCP zero window or connection reset
  • Error color: Red is the highest level as there may be a serious problem, such as a retransmission or a malformed packet

The visual for the expert system is in the lower left-hand corner, as shown in the following screenshot:

[Screenshot: Expert system and intelligent scrollbar]

Wireshark also has an intelligent scrollbar, which provides another visual cue for detecting issues. In the preceding screenshot, we see a distinct coloring pattern on the right-hand side based on the coloring rules set in the application.

With the intelligent scrollbar, the administrator can easily click on a color band to zero in on a possible problem. Bear in mind that the intelligent scrollbar is only visible if the coloring rules are active; however, coloring rules are on by default.

Once problems are identified, you can then subset traffic, add comments, save, and export the packet captures. 
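The same severity levels the expert system colors in the GUI can be triaged from the command line. The following added script (not from the book) parses tshark field output that was assumed to be produced with `tshark -r capture.pcap -T fields -E separator=/t -E aggregator="|" -e frame.number -e _ws.expert.severity -e _ws.expert.message`; the sample lines are constructed, and the severity column is assumed to print the display names (Chat, Note, Warning, Error), with the book's "Warn" level appearing as "Warning".

```python
"""Triage Wireshark expert info by severity (added example, not the book's code).

Assumes tshark -T fields output with tab-separated columns frame.number,
_ws.expert.severity, _ws.expert.message and '|' joining multiple expert
items within one frame (tshark option -E aggregator="|").
"""
from collections import Counter

# Rank the expert levels the same way Wireshark colors them, lowest to highest.
SEVERITY_RANK = {"Chat": 0, "Note": 1, "Warning": 2, "Error": 3}

# Constructed sample output: one line per frame, '|' separates items in a frame.
SAMPLE_TSHARK_OUTPUT = """\
1\tChat\tConnection establish request (SYN): server port 443
2\tChat\tConnection establish acknowledge (SYN+ACK): server port 443
5\tNote\tDuplicate ACK (#1)
6\tNote|Warning\tDuplicate ACK (#2)|Zero window
9\tError\tMalformed Packet (Exception occurred)
10\t\t
12\tWarning\tConnection reset (RST)
"""


def parse_expert_lines(text):
    """Yield (frame, severity, message) for every expert item in the output."""
    for line in text.splitlines():
        if not line.strip():
            continue
        frame, sev_field, msg_field = line.split("\t", 2)
        if not sev_field:
            continue  # frame carries no expert info at all
        # A frame can hold several expert items; the aggregator joins them.
        for sev, msg in zip(sev_field.split("|"), msg_field.split("|")):
            yield int(frame), sev, msg


def summarize(text):
    """Count expert items per severity level, like the status-bar indicator."""
    return Counter(sev for _, sev, _ in parse_expert_lines(text))


def frames_at_or_above(text, threshold="Warning"):
    """Return (frame, severity, message) at or above threshold, worst first."""
    min_rank = SEVERITY_RANK[threshold]
    hits = [item for item in parse_expert_lines(text)
            if SEVERITY_RANK.get(item[1], -1) >= min_rank]
    return sorted(hits, key=lambda i: (-SEVERITY_RANK[i[1]], i[0]))


if __name__ == "__main__":
    print(dict(summarize(SAMPLE_TSHARK_OUTPUT)))
    for frame, sev, msg in frames_at_or_above(SAMPLE_TSHARK_OUTPUT):
        print(f"frame {frame:>5}  {sev:<8} {msg}")
```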
