Wireshark! Don’t get bitten.

Wireshark will definitely bite you in the butt if you don’t know what you’re doing.  The program is daunting.  It’s scary.  Let’s be honest here: there’s so many colorful rows, network data and obscure text that most network administrators would rather go swimming with real sharks then scroll through thousands of rows of arcane code.

A few daring souls have ventured into figuring it out Wireshark but even those people aren’t getting the most out of this super powerful application.

But it doesn’t have to be that way!

If you know where to look, Wireshark is easy breezy.

So here’s the deal: if you didn’t catch my Wireshark 101 course

Today I’m going to show you how to:

• A snappy way to organize columns
• How to focus the output
• A super smart way to add columns
• A power user tip for cleaning up the view
• One zippy way for looking at PDU errors

Note I’m not going to tell you every single thing you need to know about Wireshark.  I wouldnt waste your time like that!  I’m just sharing the most useful features so you can quickly get going with your Wireshark data analysis.

Let’s do this!

What’s the first thing you do when sitting in a new office chair?

I’ll tell you what I do:

• I spin around a few times
• I recline back as far as it will go
• I pull every lever, push every button and turn every knob I can find

In other words, I get comfortable with the features so I can take a nap at my desk when no one is watching haha.

Well, today we’re going to get comfortable with the levers, buttons and knobs of Wireshark.

Let’s start with the columns.

Climbing over Columns

Clicking a column header once sorts it in ascending order from A to Z.  Click it again to sort it in descending order from Z to A and click once more to “undo” all your sorting.

In the above screenshot, you may notice that the Byte Length column is slightly truncated making it hard to read the column header.  A few other columns are also squished down which makes the view look really messy.  To quickly fix this press Shift + Control + r.  This will force all columns to expand to fit the width of the column data.

You should also move the columns around so that everything is exactly where you want it.

Just click a column header and drag to make it just right.  In the graphic below you can see me moving the source address column to the left edge of the window.

Sorting and moving is fun but what if there’s something showing up that isn’t pertinent to your analysis.  The easiest thing to do is Hide it!

Just right click the column header you want to hide and choose Hide Column.  To get it back right click any column header, mouse over Displayed Columns and hit the column name without the little check mark.

Alternatively, you can just choose Display All to get everything back.

Shocker! Frames aren’t really Frames

The first row of the PDU details pane is labeled Frame.  Is Wireshark equivocating?  I thought a Frame was the name of a Layer 2 Protocol Data Unit. (PDU)

Oh my friend you are so right!  You are 100% correct.  Network data at Layer 2 is known as a frame yet the first row of the PDU details pane is labeled “Frame” and the second row shows the Layer 2 data.  So what’s going on here?

Here’s a quick overview of terminology:

A network nugget at Layers 5 through 7 is known as a Application Layer PDU (Protocol Data Unit)

Data at layer 4 is known as a Transport Layer Segment.  At layer 3 we have Network Layer Packets and finally at layer 2 we’re talking about Frames.

In Wireshark lingo, the Frame is the synopsis of the selected PDU, Segment, Packet or layer 2 frame.  Think of it like the table of contents for the selected item.   Inside you’ll see mouth-watering treats like the capture length, protocols used and the time when the data unit arrived. It’s always the first row in the PDU details pane and appears where you would expect the layer 1 Physical Layer to reside.

Alright, now I want to give you my top three tips for getting the most out of Wireshark.  Consider this my cornucopia of capture secrets that I’m releasing to the world haha.

Check it out:

1. Focus your research

Let’s say you’re really getting into it.

You’re on to something big.  Your palms are sweating, your pupils are dilated and your heart is beating through your chess. You’ve been leaning forward into your computer monitor for hours and you’ve finally found something of significance.

One of the best ways to sharpen your focus is to double click the PDU in the PDU list pane.

Wireshark opens a new compact window with everything you need for item you double clicked.  It’s a great way to dive in without the distractions of the main Wireshark window.

2. Power User Tip: Adding Columns like a Pro

N00bs add columns by right-clicking the column header and visiting Column Preferences.

This is lame.

Let me show you a more intelligent way to add columns to the PDU list pane.

Let’s say you’re analyzing DNS queries and you would like to apply a specific item in the PDU details pane as a column.

In the PDU details pane, just right click the thing you want to add and choose Apply as column.

In the graphic below you can see I’m applying the Name attribute of DNS Queries as a column so that I can easily view hostnames in the PDU list view.

Check out the new column!  And you already know how to hide columns so you can easily hide and unhide columns on the demand.

You can do this with almost any attribute displayed in the PDU details pane.  It’s extremely useful so I exhort you to embrace this powerful tip!

3. Making things neater

Let’s say you want to remove some information from the view.  How would you do that?

Just right click the item in the PDU Details pane, pick Apply as filter and choose Not Selected.   Now everything except for the item you selected will show up.  It’s a great way to clean up your view.

Let’s say I don’t care about any DNS information.  I simply select a DNS packet in the PDU list pane, scroll down to the Application layer in the PDU details pane and right click it so I can pick Apply as Filter, Not Selected.

You can actually see the specific filter applied by looking in the Filter box.

!(dns) means not DNS. Everything except DNS.

To filter out another item in addition to DNS, just right click it, choose Apply as Filter but this time choose … and not Selected.

Another way you can clean up your view is to hide the Bytes Pane at the bottom of the Wireshark window.

I rarely use it and I think it just eats up precious space and makes everything look unnecessarily convoluted.  Just press Alt  + vb (Option + vb on a Mac) to toggle the Bytes pane on and off.  To remember this just think “View Bytes”

4. The smart way to find errors

Tucked away in the bottom left corner of the Wireshark window is a little circle that looks like a record button.  If it’s red you have errors in the capture somewhere; otherwise it’s probably blue.

Clicking that opens the Expert Info pane shows the following items as tabs:

• Errors
• Warnings
• Notes
• Chats
• Details
• Packet Comments

Clicking an error or warning instantly highlights the respective error in the PDU list view.

Nice.

The Bottom Line

The next step is to open up WireShark and start playing with the things you learned here.

Hopefully you feel more comfortable doing that now!