Main Window Functions in Wireshark

Last Updated : 26 Aug, 2022

Wireshark’s main window functions are a very helpful tool when studying packets in Wireshark, and they are also useful when troubleshooting network problems. This article discusses those functions, how they are used, and some of the options available to you.

Main Window:

When studying packets as they cross your terminal or as they are loaded from Wireshark capture files, it is sometimes necessary to use the main window functions found within the application. A few of these include Clear Packets and Packet Display Filter. These functions can be found in the Edit menu or in the right-click context menu that appears when your mouse cursor is placed over Wireshark’s main window.

The functions available depend on what is displayed within the main window. When none of the nets listed in the image below is selected and you click Edit, a global search is initiated. This global search covers all captured packets and displays only those matching “an interface” or “a value”. When one of the nets listed in the image below is selected, the corresponding function becomes available and any matches applied to that net are displayed. These functions are useful when trying to locate a particular packet or packets when you have thousands of different packets from different sources.

The table below lists each selected net, the function it offers, and a comment on its use:

  • Actual Interface – Function: Display Filter. Comment: The actual interface for the selected network. This search is case-insensitive. You can also change the interface by double-clicking on it in Wireshark’s main window and selecting a new one from the Network List. You can add, delete or edit interfaces in this window by double-clicking on them and then making changes to their settings as necessary. Note that when the filter is applied, it will only display packets for the selected network. If you have multiple captures of the same network, you will need to adjust the count and filter settings to find that particular packet.
  • Destination Host – Function: Display Filter. Comment: The host where the packet was originally sent from. This can be helpful when troubleshooting problems at a host rather than from a router’s perspective.
  • Source Host – Function: Display Filter. Comment: The host where the packet was initially sent to. This can be helpful when troubleshooting issues at a router rather than from a host (sending packets out of your system).
  • Destination Port – Function: Display Filter. Comment: The destination port of the packet being sent.
  • Source Port – Function: Display Filter. Comment: The source port of the packet being sent.

Main window


Main Window Navigation:

The main window of this software is split into several sections: Packet Data, Endpoints, Engine Options, Captures, and Sessions. Packet Data is where you view data packets, Endpoints shows the different endpoints being captured, and the Engine Options section controls which packet-filtering options are applied to the packets in your captures. Captures and Sessions show a list of all captures open on your computer.

The first section of the main window is Packet Data, which displays all packets that have been captured and loaded into memory by Wireshark. This section can be filtered on specific criteria or sorted in various ways to make viewing easier. You can filter on criteria such as packet type and packet length, or display the packets in various ways. You can view the entire capture in one large window that zooms into each individual packet. Alternatively, you may sort the packets by different criteria and then display only those that match the selected criteria.

Packet Data is split into several areas: Packets, Bytes, and Streams. These are shown below:

  • Network Interface – The Live Capture Area shows a snapshot of all communications on your computer that have been captured but not yet analyzed by Wireshark. This area also allows you to highlight traffic for diagnostic purposes.
  • Endpoints – This shows communications taking place between computers and servers in your network.
  • Filter – Allows you to filter on a specific protocol or value within a packet. Filters may be applied to the Packet List, Endpoint Results, and TCP Streams.
  • Packet List – The Packet list shows all data packets that have been captured by Wireshark. You can zoom into each individual packet to view the data it contains or view them by sorting them by their type, length, or display options. You can also sort this area based on TCP Streams, with individual fields being sorted as well (such as the start and end times). Data packets can be selected by left-clicking on them.

The function of the Main Window:

The Main Window is also used to capture packets of the selected protocol. It allows you to:

  1. Click on the Statistics tab at the bottom of the Wireshark Main Window, and you will be able to see the following statistics (click on any statistics line, and it will show more information):
  2. More Actions can be accomplished using the “View” menu options. They include some useful commands related to Display filters, such as ‘Packets’, ‘Packet bytes’, and ‘Out-of-order packets’ (packets whose sequence number is non-zero, that is they contain non-zero offsets). See the “Filter/Display Filters” section for more details. Display filters are a very useful tool for filtering and displaying the data of a captured file.
  3. Wireshark can use one or multiple interfaces as its destination (or “listening post”). The Wireshark Main Window allows you to specify which interface will be used to capture packets, and it can be changed by selecting View | Options from the Wireshark menu. You can then change this option in the Capture Options tab of the “Capture” window. It is useful because it allows you to work with multiple protocols at the same time by capturing packets of each protocol separately, as shown below. Most of these options are also available by right-clicking on a packet’s title bar.
  4. Maybe the most important display filter, ‘Protocol’ can affect the entire traffic stream that Wireshark displays. It is a general-purpose filter that matches any protocol name, including IP and UDP/UDP-Lite.
  5. The “Display” menu options allow you to specify how much information should be shown in the “packet details pane”. This setting is useful because many packets are captured in single packet capture (either because they stick together or because they are too short to be displayed separately). There is also a “details” button on the toolbar which displays more detailed information about a packet (such as its sequence number) with mouse-hover.

Functions of Main Frame


Important Points:

  • You can select two or more nets to filter on. 
  • You won’t see a “Select All” option in the Edit menu when filtering on multiple net values. 
  • The function will apply to the first selected network, but if you make additional selections, they will be processed in the same manner as a single network selection. 
  • If you want to apply it to all selected networks at once, you’ll need to use the Apply button, which is located within each of the respective context menus that appear when your mouse cursor is placed over Wireshark’s main window.

Examples:

  1. Simple Filter: This filter displays packets with both an interface and a destination port value greater than 0. In the Simple Filter dialog, enter Source Address 192.168.1.5 and Destination Port 111, then press Apply Filter.
  2. Advanced Filter: This filter displays all packets that contain both an interface and a destination port value of 22. This advanced filter can save you a lot of time searching for packets within large capture files. In the Advanced Filter dialog, enter Actual Interface eth1 and Destination Port 22, then press Apply Filter.
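As an added example (not part of the original article), the following script evaluates the two filters from this section over constructed packet records using a small subset of Wireshark’s display-filter syntax. The field names ip.src, tcp.dstport, tcp.srcport and frame.interface_name are Wireshark’s own display-filter fields; the packet records and the evaluator itself are constructed here for illustration and are not Wireshark code.

```python
# Added example: a minimal evaluator for a subset of Wireshark display-filter
# syntax ("field op value" terms joined by && and ||, no parentheses), applied
# to constructed packet records so the two filters above can be seen at work.
import re

# Constructed sample packets: display-filter field name -> value.
PACKETS = [
    {"frame.interface_name": "eth0", "ip.src": "192.168.1.5", "ip.dst": "10.0.0.9", "tcp.srcport": 40001, "tcp.dstport": 111},
    {"frame.interface_name": "eth1", "ip.src": "192.168.1.5", "ip.dst": "10.0.0.9", "tcp.srcport": 40002, "tcp.dstport": 22},
    {"frame.interface_name": "eth1", "ip.src": "10.0.0.9", "ip.dst": "192.168.1.5", "tcp.srcport": 22, "tcp.dstport": 40002},
    {"frame.interface_name": "eth0", "ip.src": "172.16.0.2", "ip.dst": "10.0.0.9", "tcp.srcport": 40003, "tcp.dstport": 443},
]

# One comparison term, e.g.  tcp.dstport == 22  or  frame.interface_name == "eth1"
_TERM = re.compile(r'^\s*([\w.]+)\s*(==|!=|>=|<=|>|<)\s*"?([^"\s]+)"?\s*$')
_OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b,
        ">": lambda a, b: a > b, "<": lambda a, b: a < b,
        ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b}

def _term_matches(term, pkt):
    m = _TERM.match(term)
    if not m:
        raise ValueError(f"unsupported filter term: {term!r}")
    field, op, raw = m.groups()
    if field not in pkt:  # a field absent from the packet never matches, as in Wireshark
        return False
    actual = pkt[field]
    value = int(raw) if isinstance(actual, int) else raw  # numeric fields compare as ints
    return _OPS[op](actual, value)

def matches(expr, pkt):
    """True if pkt satisfies expr: '||' of '&&'-joined comparison terms."""
    return any(all(_term_matches(t, pkt) for t in clause.split("&&"))
               for clause in expr.split("||"))

def apply_filter(expr, packets=PACKETS):
    """Indices of the packets the display filter keeps, like the Packet List pane."""
    return [i for i, p in enumerate(packets) if matches(expr, p)]

# The article's two filters written in display-filter syntax.
SIMPLE_FILTER = "ip.src == 192.168.1.5 && tcp.dstport == 111"
ADVANCED_FILTER = 'frame.interface_name == "eth1" && tcp.dstport == 22'

if __name__ == "__main__":
    for name, expr in (("Simple", SIMPLE_FILTER), ("Advanced", ADVANCED_FILTER)):
        print(f"{name} filter {expr!r} keeps packets {apply_filter(expr)}")
```

The same expressions can be typed directly into Wireshark’s display filter bar, which is how the dialog fields above are ultimately combined.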

Options Main Window:

  • As previously mentioned, this is a very useful tool for troubleshooting network problems. 
  • When you’ve found a particular interaction to be of interest, you can save it by clicking the Save button on the Edit menu. 
  • When your cursor is positioned anywhere blank inside of Wireshark’s main window, you will automatically be presented with the Save As… menu and a format for saving the selected packet within it. 
  • This format can be saved in three different ways: Recaptures, Packets, and Files. Selecting one from this menu will open up another dialog in which you can specify what elements to save and how they should be named.
