Packet Range frames are used to request sets of packets by specifying a starting and ending packet number. They can be thought of as a supercharged tool for displaying more specific parts of a capture file. The Packet Range Frame is one of the few new features in Wireshark 1.6 (released in March 2017). Even though it has only been available for a little over half a year, the introduction of this frame has already made an impact on how people analyze network data with Wireshark.
Packet Range frames have been available for anyone to use for some time now. The difference is that Wireshark 1.6 now actually provides a way to display the results. Wireshark’s developers initially added the Packet Range Frame to provide a method for displaying the results of a particular protocol accurately. The implementation also makes it easier to use these frames together with other Wireshark features. For example, you could filter out all SSID packets by combining the Packet Number filter with your SSID filter string.
Using the Packet Range Frame:
You can use the Packet Range Frame by going to File→Export Specified Packets. This opens the Export Specified Packets window. At the top of this window, you can specify one or more packets to export by clicking the “Specify” button and entering a number range. If you would like to export all the packets in your capture file, click “Specify All” instead. Once you have selected your packet range, click OK and Wireshark will write those packets to a new capture file.
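As an added example (not code from the original article or from Wireshark itself), the same packet-number range export can be done on a classic pcap file in plain Python, which lets you check the result outside the GUI: the record count of the output should equal the size of the requested range, and each packet number should appear exactly once. It assumes the little-endian classic pcap layout; the sample capture is constructed in code.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4                  # classic pcap, microsecond timestamps
GLOBAL_HDR = struct.Struct("<IHHiIII")   # magic, major, minor, tz, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")      # ts_sec, ts_usec, incl_len, orig_len

def iter_records(pcap: bytes):
    """Yield (packet_number, record_bytes); numbering starts at 1 like Wireshark's frame.number."""
    if len(pcap) < GLOBAL_HDR.size or GLOBAL_HDR.unpack_from(pcap)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap")
    off, num = GLOBAL_HDR.size, 0
    while off < len(pcap):
        _ts_sec, _ts_usec, incl_len, _orig_len = RECORD_HDR.unpack_from(pcap, off)
        end = off + RECORD_HDR.size + incl_len
        if end > len(pcap):
            raise ValueError(f"truncated record at packet {num + 1}")
        num += 1
        yield num, pcap[off:end]
        off = end

def export_packet_range(pcap: bytes, first: int, last: int) -> bytes:
    """Return a new pcap holding only packets first..last (inclusive, 1-based), header preserved."""
    if first < 1 or last < first:
        raise ValueError("range must satisfy 1 <= first <= last")
    header = pcap[:GLOBAL_HDR.size]
    body = b"".join(rec for n, rec in iter_records(pcap) if first <= n <= last)
    return header + body

def count_packets(pcap: bytes) -> int:
    """Number of records in the file; use it to confirm an export matches the requested range."""
    return sum(1 for _ in iter_records(pcap))

def payloads(pcap: bytes) -> list:
    """Packet payloads in file order (record header stripped), for spotting duplicates."""
    return [rec[RECORD_HDR.size:] for _, rec in iter_records(pcap)]

def build_sample_pcap(n: int) -> bytes:
    """Constructed test input: n tiny Ethernet records with an obviously fake payload."""
    header = GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    records = []
    for i in range(1, n + 1):
        payload = b"PKT%04d" % i
        records.append(RECORD_HDR.pack(1700000000 + i, 0, len(payload), len(payload)) + payload)
    return header + b"".join(records)

if __name__ == "__main__":
    capture = build_sample_pcap(30)
    exported = export_packet_range(capture, 5, 12)
    print(count_packets(exported), payloads(exported)[0])   # 8 b'PKT0005'
```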
Results:
Once you have exported your specified packets, they appear in a new file that you can open and analyze just like any other capture in Wireshark. You should see a number of duplicates of all the packets you exported, one set per interval. For example, if you selected packets 1–20 and intervals of 1, you would see 20 copies of packets 1–2, 20 copies of packets 3–4, and so on. Because these are duplicates, you can simply delete the extra packets by selecting them and pressing Delete. If something went wrong with how your data was gathered (for example, if one packet was missing), these extra copies help show what happened.
Countermeasures:
If the packets you are trying to analyze seem to be missing, the following should help:
- Export the packet range (pkt. range).
- Use a filter to eliminate all packets that did not belong to your original set of measurements (e.g., filter out all SSID packets by including the “Pkt Number” filter).
- Exclude all other frames in your displayed results using the new “Exclude Other Frames” button in the “Exclude or Include Other Frames” dropdown box.
- Sort by packet number or alphabetically, depending on which best suits your needs, and then delete the extra frames (using the method above).
- Only after all of these steps have been taken should you proceed to the next one.
The second way to deal with data loss after exporting a Packet Range Frame is to use it together with filters. In particular, the analysis becomes easier with a filter that drops data not relevant to your specific case, such as “include”.
Key Points:
- Packet range frames allow you to export your capture files and analyze only information related to specific packets.
- The way Wireshark shows the results of this export is not exactly intuitive, so understanding how to interpret these results is important.
- You can use the Packet Range Frame in multiple ways, so experiment with different methods until you find one that works best for you.
Conclusion:
The more tools you have at your disposal, the easier it is to get the results you want. The Packet Range Frame is an underutilized tool currently, but it opens up possibilities for how you can study specific parts of your capture file in Wireshark.