As described earlier, warning events indicate problems in the application or in communication. In this recipe, we will describe the main events in this category.
Getting ready
Start capturing or open an existing file, and open the Expert Infos window.
How to do it...
From the Analyze menu, open Expert Infos by clicking on Expert Info.
Click on the Warnings: bar. You will get the following window (all events are examples):
You will see several event categories here:
Reassembly problems: These are mostly packets that could not be reassembled. They are usually reported as Wireshark dissector problems.
TCP window problems: These are mostly zero window and window full problems. They usually indicate slow end devices (servers, PCs, and so on).
Segment loss, segments not in order: These indicate previous segment losses and ACKed segments that weren't captured. They are usually TCP problems caused by network problems.
How it works...
Wireshark watches the parameters of the monitored packets as follows:
It watches TCP window sizes and checks whether the window size has dropped to zero
It looks for TCP packets (segments) that are out of order, that is, if they were sent before or after the expected time
It looks for ACKs for TCP packets that were not sent
These parameters, along with many others, give you a good starting point when looking for network problems. We will go into the details in Chapter 9, UDP/TCP Analysis.
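The three checks listed above can be sketched as follows. This Python is an added example, not Wireshark's dissector code and not code from this recipe; it is a simplified model in which the Seg record, the analyze function, and the sample segments are constructed for illustration. It assumes a single connection between two hosts and relative sequence numbers, and it treats a late segment as out of order only if its starting sequence number was not captured before.

```python
# Added example: simplified TCP warning checks, not Wireshark's dissector code.
from collections import defaultdict, namedtuple

# Constructed record: sender, relative sequence number, payload length,
# acknowledgement number, advertised receive window.
Seg = namedtuple("Seg", "src seq length ack win")


def analyze(segments):
    """Return (index, warning) pairs for one connection between two hosts."""
    next_seq = {}             # per sender: highest seq + length seen so far
    seen = defaultdict(set)   # per sender: start of each data segment captured
    warnings = []
    for i, s in enumerate(segments):
        peer = next((h for h in next_seq if h != s.src), None)
        if s.win == 0:
            warnings.append((i, "zero window"))
        # An ACK beyond everything captured from the peer means the capture
        # missed data that the receiver did get.
        if peer is not None and s.ack > next_seq[peer]:
            warnings.append((i, "ACKed segment that wasn't captured"))
        if s.length > 0:
            if s.src in next_seq and s.seq > next_seq[s.src]:
                warnings.append((i, "previous segment not captured"))
            elif s.seq < next_seq.get(s.src, 0) and s.seq not in seen[s.src]:
                warnings.append((i, "out of order"))
            seen[s.src].add(s.seq)
        next_seq[s.src] = max(next_seq.get(s.src, 0), s.seq + s.length)
    return warnings


# Constructed sample: client "C" uploads to server "S".
SAMPLE = [
    Seg("C", 1, 100, 1, 65535),    # in-order data
    Seg("S", 1, 0, 101, 65535),    # normal ACK
    Seg("C", 201, 100, 1, 65535),  # bytes 101-200 skipped: gap
    Seg("C", 101, 100, 1, 65535),  # missing bytes arrive late
    Seg("S", 1, 0, 301, 0),        # receiver buffer is full
    Seg("S", 1, 0, 501, 4096),     # ACKs bytes the capture never saw
]

if __name__ == "__main__":
    for index, warning in analyze(SAMPLE):
        print(index, warning)
```

Note that the last sample segment is flagged only because the capture never recorded bytes 301-500; the receiver clearly got them, which is the capture-side cause of a warning rather than a network fault.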
There's more...
Don't forget that warning events are those that Wireshark considers important, but they are not necessarily so. For example, previous segment not captured events will appear under warnings, but they can be due to capture problems.