Nov 23, 2011

37 Tips For Using Wireshark

I talked about an alternative to Wireshark yesterday made by Microsoft called Network Monitor. What if you still are on the Wireshark bandwagon though, and you don't want to give up on it? I mean, it is probably the most well known packet sniffer/network analyzer out there right? Well, I've got something for you, or rather Wireshark University does. It's their list of 37 tips and tricks for getting the most out of Wireshark, including steps on how to do them.

I thought I would re-post it here as an aid for you guys, but also as a sort of knowledge base for myself. If there is something I had a hard time fixing, or finding on the internet, I like to post it here on Bauer-Power. I'm sort of self-serving that way I guess. Anyway, here it is:

Tip #36: Download Pre-Made Profiles
At you can download a set of pre-made profiles and numerous trace 
files. These files accompany the new Wireshark Network Analysis book that is widely 
becoming available on Amazon (you can also get it 
here), The book website also includes a 
"Coffee and a Quickie" section with six short videos to walk you through adapter testing, 
catching the first set of packets, and now - setting up profiles using predefined elements. 
Watch the video for step-by-step instructions on using a pre-made coloring rule set in your own 

Tip #35: Color Your WLAN Traffic
In the "Introduction to WLAN Analysis" chapter of Wireshark Network Analysis, I introduced one 
of my favorite filter sets - for WLAN traffic - fitering based on the frequency of WLAN traffic. For 
example, here are six coloring filter examples:

Tip #34: Running Multiple Versions of Wireshark
During last week's online training course, I had two versions of Wireshark running 
side-by-side. On the left was the 1.2.6 release version and on the right was the 1.3.3 
development version. This allowed me to demonstration numerous features that had changed 
and will be coming with version 1.4. To install multiple versions of Wireshark, go through the 
standard installation process on the second version, but make sure you just place it in a 
different directory. You don't need to reinstall any interface drivers (unless they are out of date).

Tip #33: Change Those Defaults!
When I look at someone's Wireshark configurations, I always recommend they change the 
default settings for both the "Filter display max list entries" and "Open Recent max list entries" 
in Edit | Preferences | User Interface. Why only see the last 10 items when you can easily view 
the last 30 items? I'm always re-opening trace files and accessing previously created display 
filters that I didn't save. Make this change today and work more efficiently!

Tip #32: Compare Traffic in a Single Summary Window
You can compare one conversation to another in a single summary. Open a trace with multiple 
conversations in it. Filter on one conversation and select Edit | Mark all packets. Clear your filter. 
Now filter on another conversation. Now select Statistics | Summary and you should see three 
columns - all traffic, the marked traffic (conversation #1) and filtered traffic (conversation #2).

Tip #31: Graph Ugly Traffic - Fast!
One of my favorite filters is tcp.analysis.flags. All those ugly TCP problems (retransmissions, 
duplicate ACKs, lost packets, etc.) jump out at you. Did you know you could plot these 
instances in an IO graph? It's simple - just start a capture and open Statistics | IO Graphs and 
enter tcp.analysis.flags in the filter area for the red graph. I recommend you try the Fbar format 
for this item. You'll end up with a nice graph showing when TCP issues rise and fall on the 

Tip #30: Set up GeoIP to Map IP Addresses
Before you can take advantage of this feature, you need to ensure your version of Wireshark 
supports GeoIP (Help > About Wireshark - do you see "with GeoIP?").  The GeoIP database 
files are free from MaxMind ( - grab the Free/Open Source 
files. Point to the MaxMind files in Preferences > Name Resolution > GeoIP database 
directories. Want to watch a video of the setup and use of GeoIP? Check 
this out!

Tip #29: Keeping up with Wireshark
At 5:34pm PST, the Tweet screamed" Wireshark 1.2.4 is out. Enjoy" Another update so fast? 
Yup. Two ugly bugs are fixed in this rev - 4120: Can't save RTP streams in both directions and 
4155: Wireshark could crash on startup on Windows. How do you keep up with releases? 
geraldcombs on twitter or subscribe to the Wireshark Announcements list at

Tip #28: Gerald's Launch Tips
The Wireshark website was revised recently - you can catch Gerald Comb's video on Custom 
Wireshark Shortcuts 
here. Also note that typing wireshark -h at the command line lists other 
available options for quick launch.  

Tip #27: File Sets and Editcap - Yeah Baby!
Creating and using file sets allows you to capture large amounts of traffic and maneuver 
quickly from one portion to another (set this up in the Capture Options). In previous versions of 
Wireshark you could use editcap to split a large trace into multiple smaller trace files using th 
e-c parameter, but the new files were not part of a file set - they had to be opened and treated 
as separate files. Now using editcap v1.2.3, you can split a file and make it into multiple files 
that can be handled opened as a file set (File > File Set) - VERY NICE!

Tip #26: Wireshark on Windows 7
On October 26th, Wireshark v1.2.3 released. Although this version addressed numerous bug 
fixes, the big change is the support for Windows 7 with the updated WinPcap version 4.1.1 
which released separately at on October 20th (the previous version of 
WinPcap - version 4.1 came out on October 19th but had some installer bugs that were fixed in 
the next-day release version 4.1.1). This version of Wireshark+WinPcap also supports Vista, 
Server 2008, and Server 2008 R2. Get the latest version at

Tip #25: WLAN Decryption Modes
When decrypting WLAN traffic using an AirPcap adapter with Wireshark, define the Decryption 
Mode as Wireshark, not Driver. In Driver Mode you can only decrypt WEP traffic (with the 
decryption keys defined). In Wireshark Mode you can decrypt WEP, WPA-PWD and WPA-PSK. In 
WPA-PWD mode uses the password and the SSID to create a raw pre-sharked key 
(WPA-PSK). In WPA-PSK mode, they key is parsed as a raw pre-shared key - you can create 
your own raw key using Wireshark's WPA PSK Generator at

Tip #24: Removing Duplicate Packets
Use editcap to remove duplicate packets in a trace file. There are three parameters for 
duplicate removal. For example, if your trace file is called dupes.pcap, run the command 
editcap -d dupes.pcap nodupes.pcap. The -d parameter uses a duplicate window size of 5 
which means editcap compares the MD5 checksum of each packet to the 4 packets preceding 
it. You can increase the window size using -D # where # indicates the number of preceding 
packets to check against each packet. You can also use the -w parameter to specify a widow in 
time (seconds).

Tip #23: Link Aggregation
Got a server with two NICS and need to tap in to capture traffic on both interfaces? In this case 
you might be interested in a link aggregator. A link aggregator allows you to connect multiple 
links into the tap - this is a different technology than "aggregating tap" technology. Aggregating 
tap technology combines full-duplex traffic into a single outbound stream so you can listen in 
with one device.

Tip #22: Finding RTP
If you are analyzing VoIP communications and you pick up only RTP (Realtime Transport 
Protocol) traffic, but not the SIP traffic that set up the call, Wireshark may just dump you at UDP 
and not apply the RTP dissector to the traffic. No worries. Just right click on one of those UDP 
packets and select Decode As. Under the Transport tab you will see the ports in  use by the 
RTP communications. To the right, scroll down to select RTP and click OK.
See this week for more information on VoIP analysis and the 
Summit 09 event. UPDATE BY BILL DEWEESE: Another option is to enable the RTP preference 
"Try to decode RTP outside of conversations!"

Tip #21: Use Wireshark Expressions
If you want to build a filter, but you don't know the field name and have no packet to use as an 
example, click on the Expression button (to the right of the Display Filter area). In the 
Expression window you can expand protocols and applications to build filters using relations 
such as "is present", ==, !=, "contains" or "matches."

Tip #20: WLAN Retry Packets
When a WLAN ACK is not received, a retry will be triggered. Why would an ACK not be 
received? Low signal strength, interference, noise... those might be some of the reasons. To 
create a filter for all retry WLAN frames, expand the flags field under the Frame/Control section 
of the 802.11 header. Right click on the Retry bit and select Apply a Filter > Selected. Ensure 
your filter is looking for a bit setting of 1 (indicating the frame is a retry). The filter should be 
wlan.fc.retry == 1.

Tip #19: Sorting Filters
At Open Source World I needled Gerald about this ability. You can't just click on the filters to sort 
them. Sigh. So here's the trick I use. I open the filter file in a text editor, copy the text to Word and 
then sort the list. You can locate your filter files by selecting Help > About > Folders - look for the 
Personal Configuration information. To make things line up nicely, add spaces in front of your 
display filter names - for example "       TCP RST Packets" (notice the leading spaces within the 
quotes - I don't add the leading spaces for titles when I group filters). If you ordered the 
Wireshark Jumpstart Plus Bonus course, you received my pre-formatted, sorted filters.

Tip #18: Exporting IO Data for External Graphing  
Recently, someone posed a question on Twitter: "How can we export the Wireshark bits per 
second information so we can manipulate it in Excel or another spreadsheet program?" Easy! 
Select Statistics > IO Graphs. Change the Y Axis to Bits/Tick and click the Copy button. 
Wireshark copies the header as "interval start, graph 1" and the X, Y coordinates of the plot 
points to buffer in a comma-separated value format. Save the data in a CSV file to open in 
another program. If you want to compare one user's traffic to all the traffic seen, apply an 
ip.addr==x.x.x.x filter for Graph 2. Select the Graph 1 and Graph 2 columns from your CSV file to 
plot the data. Now you can build your own graphic images of the traffic, add trend lines and use 
standard plotting functions to the data.

Tip #17: Subnet Filters
Wireshark understands CIDR (classless interdomain routing) address definitions. If you want 
to create a display filter for all devices who's network address starts with 10.3, use the syntax 
ip.addr== The "16" indicates how many of the leading bits should be matched in 
the address. Use CIDR definitions when filtering on a subnet.

Tip #16: DHCP Filters
At the current time, the display filter syntax, dhcp, does not work. In order to filter on DHCP traffic 
 you need to use the syntax bootp. DHCP is derived from BOOTP and contains a BOOTP 
header. This fouls up many Wireshark users who are new to creating display filters. Watch out. 
Likewise, you cannot use "dhcp" as a capture filter - you need to create a capture filter for port 
67 or port 68. In the recorded version of the Wireshark Jumpstart class, I added a Bonus 
section that includes my favorite capture/display/color filters. One of my capture filters is a 
passive discovery filter that looks for arp or port 67 or port 68.

Tip #15: Filtering for Illegal Ping Packets
Many network discovery tools and OS fingerprinting tools (such as Nmap, NetScanTools and 
Xprobe) send out illegally-formed ping (ICMP Echo Request packets) that can be used to ID the 
application in use. The display filter would be icmp.type==8 && !icmp.code==0 to find these 
strange packets. This is covered in the Bonus materials added at the end of the recorded 
Wireshark Jumpstart course that will be announced today at

Tip #14: Merging Trace Files
So you've capture two (or more) trace files on different interfaces or from different hosts running 
Wireshark. To merge these trace files together you can use the command line tool Mergecap 
(in the Wireshark program directory) or select File > Merge in Wireshark. By default files will be 
merged according to their timestamps. Use the -a parameter to merge according to the order 
you list the files.

Tip #13: Sign of a Bot-Infected Host
When a host is bot-infected and planning on connecting via IRC to the C&C (Command and 
Control) server, you might see a DNS query for that C&C server's name. Check out 
sick-client.pcap - look at the DNS reply for - notice the CNAME (canonical 
name, or alias) entry in the DNS response field... and look at how many IP addresses are 
associated with that name. Not the typical DNS response you'd expect and sign that the host 
being located may be a malicious one... watch for this. Video: "
Analyzing a Bot-Infected Host"

Tip #12: Wireshark's Status Bar
The Wireshark status bar is located below the main Wireshark working area. In Wireshark v1.2 
we now have an Expert Info Composite button on the far left side - the color changes to indicate 
the Expert level that has been detected (grey=no Expert Info; Red=Errors; Yellow=Warnings; 
Light Blue=Notes).While capturing, the left side of the status bar indicates which adapter 
Wireshark is capturing from, the file location and file name of the current capture, size of the file 
and, after you stop the capture, the time elapsed. In the center of the status bar, Wireshark 
displays the number of packets captured, displayed (useful if you have applied a display filter), 
marked and packets dropped (a clear sign that Wireshark is not keeping up with traffic rates). 
The right side of the status bar indicates the profile in use. You can adjust the size of the three 
areas of the status bar for better viewing by clicking and dragging the column separator. Many 
people leave the profile information at minimum size so they can see the entire directory/file 
name of their capturing/captured trace.

Tip #11: "Fast Retransmissions"
What is the difference between a retransmission and a fast retransmission? If you've worked 
with the Expert Info Composite window, you have likely seen both at times. Right now, fast 
retransmissions are placed under the Warnings tab. Retransmissions are placed under the 
Notes tab. Both are true retransmissions, but if the retransmission arrives within 20 ms of a 
duplicate ACK it is defined as a "fast retransmission". Not all retransmissions are triggered by 
duplicate ACKs however. Sometimes you'll see retransmissions that are triggered by a timeout 
on the sender's side as it waits for an ACK for data sent. We treat both retransmissions and 
fast retransmissions as a sign of packet loss.

Tip #10: New Time Column
In Tip 9 you learned how to change the time column to see large gaps between packets. But 
what if you want to see both the default time setting and the delta time setting? Make sure the 
current time column is set to View > Time Display Format > Seconds Since Beginning of 
Capture. Next, in Wireshark v1.2, select Edit > Preferences > Columns > Add. Click on New 
Column and give your column the name "Delta". (Click on the word "number" to the right or the 
name will not stay - a bug). In the Properties area, click the arrow at the right of the Format field. 
Select "Delta" and click OK. You might want to move this time column up next to the other time 
column (in v1.2, just cick and drag the column up). Now you always have both the Relative and 
Delta time columns available.

Tip #9: Best Time Setting for Troubleshooting
When users complain about poor network performance, capture their traffic (from as close to 
their systems as possible so you get round trip time values from their perspective). Set the 
Time column value to show you from the end of one packet to the end of the next packet by 
selecting View > Time Display Format > Seconds Since Previously Displayed Packet. Now you 
can sort this column to see where there are large gaps in time in the trace file.
 Watch a demo 

 Tip #8: Tshark Interface Selection
Tshark is the command-line capture tool that comes with Wireshark (look in the Wireshark 
program directory and consider adding this directory to your path so you can run Tshark from 
your trace file directory). Type 
tshark -D (must be a capital "D") to view the interface list. If you 
want to capture traffic on the third interface listed, you would use
 tshark -i 3 (the "i" 
parameter indicates the interface number you want to capture on).
 Watch a demo (MP4-5MB) .

POWER USER Tip #7: Terabyte Tshark Captures
Special thanks to John Bullock for this hot tip!
"Run tshark as a service with something like this in the registry - c:\program 
files\wireshark\tshark.exe -i 3 -b filesize:100000 -b files:8800 -n
-w d:\pktcap\wan.cap
. With terabyte drives so cheap, I decided to put a machine on the 
uplink for each of our networks that keeps a rolling capture of the last 800G or so of traffic.  So, 
now when a security system barks at me, I can go find the packets and investigate."

 Tip #6: Packet Loss Location
Wondering if the original TCP packet and the retransmission are both sitting in that slop of a 
trace file? In the details pane of the TCP retransmission packet, expand the TCP header and 
right click on the TCP Sequence Number field. Select Apply as Filter > Selected. The filter syntax 
is tcp.seq == [number]. If you see both the original packet AND the retransmission, you are
upstream (closer to the sender) from the point of packet loss. If you only see the 
retransmission, the original packet was already lost. The point of packet loss is downstream 
(closer to the receiver) than where you are located.

Tip #5: Signatures
Always look at the payload of ICMP Echo Request (ping) packets to see if there is a signature 
for the application running sending the ICMP Echo Request. In 
pingsigs.pcap we see the 
alphabet-only-up-to-w signature used by MS Windows hosts and, in packet 9, we see the 
Sniffer ping tool signature - which is a nod to it's creator, Cinco.

Tip #4: Accelerator Key
Use Ctrl+down arrow when you have selected a packet in the detail pane and want to scroll 
through several packets while keeping the focus in the detail pane.

Tip #3: File Sets
In the Capture Options window, save to multiple files. Just open one of the files and now use 
File > File Set > List Files to quickly move between them.

Tip #2: Splitting Trace Files
To split a large trace file into multiple files, use editcap -c [number of packets per 
file] <infile> <outfile>
. For example, editcap -c 10000 fattrace.pcap 
 will split fattrace.pcap into trace files containing 10,000 packets (or fewer on the 
last trace of the set) with names starting with smaller.pcap. The file  number is appended as 
-00000, -00001, -00002, etc. after the .pcap extension.

Tip #1: Capture Filter
Create a "Not Me" capture filter to ensure your own traffic isn't captured when analyzing other 
device's traffic. Use the syntax  
not ether host 00:21:97:40:74:d2 (with your MAC 
address, of course). Also consider making a "Just Me" capture filter to view only your traffic 
when analyzing an application on your own system.

Tip #0: Free Wireshark Live Online Seminars
You like tips? Check online at to register for the free Wireshark 
live online seminar.

Got any other sites with interesting tips for Wireshark to help out us n00bs? Hit us up in the comments!

[Via Wireshark University] tags:       


Twitter Delicious Facebook Digg Stumbleupon Favorites More

Design by Free WordPress Themes | Bloggerized by Lasantha - Premium Blogger Themes | stopping spam