HakTip 119 – Wireshark 101: IO Graphs and Expert Info
Today on HakTip, Shannon Morse describes two useful features in Wireshark: IO Graphs and Expert Info.
Today we’re checking out Wireshark – IO Graphs and Expert Info.
One handy part of Wireshark is being able to see the data you've captured in ways other than a packet list, such as a graph of traffic over time. That makes it easy to spot bursts, gaps and spikes in how traffic is flowing across your network, which is hard to do by scrolling through a huge capture.
To get to the graph, click Statistics -> IO Graph. You'll see a plot with a bunch of peaks, an X axis and a Y axis. By default the X axis is time in seconds since the start of the capture, with one tick per second and about 100 seconds visible, and the Y axis is how many packets were captured in each tick interval. Both can be changed with the options below the graph: for the X axis you can set the tick interval (how many seconds each tick covers) and the pixels per tick (how wide each interval is drawn; the tick is the little dash on the axis), and for the Y axis you can choose the unit (packets, bytes or bits per tick), the scale, and a smoothing (moving average) option that flattens a spiky line.
The graph options don't require you to use a bunch of different graphs. Graph 1 is the unfiltered baseline, and you can give each of graphs 2-5 its own display filter (for example tcp.port==443 or dns); each one is drawn in its own colour so you can compare the filtered traffic against the whole capture.
Clicking on a point on the graph jumps the packet list to the packet at that moment in the capture, which is the quickest way to get from a spike to the packets behind it. Once you've got a graph you're happy with, you can save it as a PNG or other image file, or copy the values out.
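To make the graph concrete, here is an added example (not Wireshark code and not from the show) that models what the IO Graph computes: packets or bytes per tick interval for an unfiltered series and two "filtered" series, plus the jump from an interval back to its packets and the moving-average smoothing. The capture records and the lambda filters are constructed stand-ins for a real pcap and real display filters.

```python
# Added example: a small model of what Wireshark's IO Graph computes, run over
# a constructed capture. This is not Wireshark code; the packet records and the
# lambda "filters" are assumptions standing in for real display filters.

# Constructed capture: seconds since the first packet, frame length in bytes,
# transport protocol and destination port. A burst to port 443 sits in the
# 2-3 s interval and two DNS packets are spread out.
CAPTURE = [
    {"t": 0.10, "len": 74,   "proto": "tcp", "port": 80},
    {"t": 0.15, "len": 66,   "proto": "tcp", "port": 80},
    {"t": 0.90, "len": 1514, "proto": "tcp", "port": 80},
    {"t": 1.20, "len": 98,   "proto": "udp", "port": 53},
    {"t": 2.05, "len": 1514, "proto": "tcp", "port": 443},
    {"t": 2.10, "len": 1514, "proto": "tcp", "port": 443},
    {"t": 2.40, "len": 1514, "proto": "tcp", "port": 443},
    {"t": 2.80, "len": 66,   "proto": "tcp", "port": 443},
    {"t": 4.50, "len": 120,  "proto": "udp", "port": 53},
]

# Graph 1 is the unfiltered baseline; graphs 2-5 each get their own display
# filter. The names here only label the series.
FILTERS = {
    "all":           lambda p: True,
    "tcp.port==443": lambda p: p["proto"] == "tcp" and p["port"] == 443,
    "udp":           lambda p: p["proto"] == "udp",
}

def bucketize(capture, tick=1.0, unit="packets", filters=FILTERS):
    """Return {graph_name: [value per tick interval]} covering the capture.

    tick is the X-axis interval in seconds; unit selects the Y-axis unit,
    "packets" (packets/tick) or "bytes" (bytes/tick)."""
    if unit not in ("packets", "bytes"):
        raise ValueError("unit must be 'packets' or 'bytes'")
    nbuckets = int(max(p["t"] for p in capture) // tick) + 1
    graphs = {}
    for name, match in filters.items():
        series = [0] * nbuckets
        for p in capture:
            if match(p):
                series[int(p["t"] // tick)] += p["len"] if unit == "bytes" else 1
        graphs[name] = series
    return graphs

def packets_in_interval(capture, bucket, tick=1.0):
    """Indices of packets that fall in one tick interval. Clicking a point on
    the graph is the GUI equivalent: it jumps to the first of these."""
    return [i for i, p in enumerate(capture) if int(p["t"] // tick) == bucket]

def smooth(series, window):
    """Simple moving average over the last `window` buckets, the kind of
    smoothing the Y-axis option applies to a spiky series."""
    out = []
    for i in range(len(series)):
        chunk = series[max(0, i - window + 1):i + 1]
        out.append(sum(chunk) / len(chunk))
    return out

def render(graphs, tick=1.0, width=20):
    """Text rendering: one bar per tick interval, scaled to the largest value
    across all series so the bars of different graphs are comparable."""
    peak = max(max(s) for s in graphs.values()) or 1
    lines = []
    for name, series in graphs.items():
        lines.append(f"== {name} ==")
        for i, v in enumerate(series):
            bar = "#" * round(v / peak * width)
            lines.append(f"{i * tick:6.1f}s |{bar:<{width}}| {v}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(bucketize(CAPTURE, tick=1.0, unit="packets")))
    print(render(bucketize(CAPTURE, tick=0.5, unit="bytes"), tick=0.5))
    print("2-3 s interval holds packets", packets_in_interval(CAPTURE, 2))
```

Shrinking the tick interval (tick=0.5) spreads the same nine packets over ten buckets, which is exactly why a burst that looks like one spike at a 1 s tick can resolve into several at a finer interval; the bytes unit makes the three full-size 443 segments dominate where the packet count does not.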
If you go to Analyze -> Expert Info, a window pops up with several tabs, one per severity. Errors are serious problems such as malformed packets or bad checksums; Warnings cover things like connection resets, out-of-order segments and segments missing from the capture; Notes cover duplicate or retransmitted packets, protocol quirks and things of that nature; Chats are normal workflow events that are still handy to see, such as HTTP GET requests and TCP connection setup and teardown (SYN, FIN); Details shows every entry in a flat log view, one per line; and Packet Comments lists any comments that have been added to packets. Use the Expert Info window as an overview, not a fully detailed report: it only shows what Wireshark's dissectors know how to flag, so a capture with no entries is not necessarily a clean one.
Within each tab the entries are organised by group: Checksum (an invalid checksum), Sequence (a retransmission, or a sequence number that isn't continuous), Malformed (a packet that is truncated or doesn't match its protocol, or a dissector bug), Debug, Protocol (a protocol violation) and so on. Entries with the same summary but different packet numbers are grouped into one tree, so you can expand a single line to see every packet it applies to. You can also surface this in the main packet list by going to Edit -> Preferences -> Columns and adding an expert info column (in recent versions a custom column on the _ws.expert.severity or _ws.expert.message field), and the same _ws.expert fields can be used in a display filter to show only packets carrying a given severity.
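To show what is behind those severities and groups, here is an added example (not Wireshark's dissector code and not from the show) that runs a toy version of the TCP sequence checks over a constructed one-direction stream and groups the verdicts the way the Expert Info tabs do. The frame records, the summary strings and the choice to skip sequence analysis on a segment that fails its checksum are assumptions for illustration.

```python
# Added example: a toy version of the checks behind Wireshark's Expert Info,
# run over a constructed one-direction TCP stream. This is not Wireshark's
# dissector code; the records, the summary strings and the rule that a
# segment failing its checksum is not sequence-analysed are assumptions.
from collections import defaultdict

# Constructed stream, client -> server: frame number, TCP flags, relative
# sequence number and payload length. Comments give the expected verdicts.
STREAM = [
    {"no": 1, "flags": "SYN", "seq": 0,   "dlen": 0},     # Chat: SYN
    {"no": 2, "flags": "ACK", "seq": 1,   "dlen": 100},   # in order
    {"no": 3, "flags": "ACK", "seq": 101, "dlen": 100},   # in order
    {"no": 4, "flags": "ACK", "seq": 101, "dlen": 100},   # Note: retransmission
    {"no": 5, "flags": "ACK", "seq": 301, "dlen": 100},   # Warning: gap before it
    {"no": 6, "flags": "ACK", "seq": 201, "dlen": 100},   # Warning: out of order
    {"no": 7, "flags": "FIN", "seq": 401, "dlen": 0},     # Chat: FIN
    {"no": 8, "flags": "RST", "seq": 401, "dlen": 0},     # Warning: reset
    {"no": 9, "flags": "ACK", "seq": 401, "dlen": 0, "bad_checksum": True},  # Error
]

SEVERITIES = ("Error", "Warning", "Note", "Chat")

def expert_info(stream):
    """Return {severity: {(group, summary): [frame numbers]}}, the same
    grouping the Expert Info tabs use: one tree per distinct summary."""
    info = {sev: defaultdict(list) for sev in SEVERITIES}

    def flag(sev, group, summary, seg):
        info[sev][(group, summary)].append(seg["no"])

    next_seq = None          # next sequence number we expect to see
    seen = set()             # (seq, dlen) of data segments already captured
    for seg in stream:
        if seg.get("bad_checksum"):
            flag("Error", "Checksum", "Bad checksum", seg)
            continue         # header can't be trusted; skip sequence analysis
        f = seg["flags"]
        if f == "SYN":
            flag("Chat", "Sequence", "Connection establish request (SYN)", seg)
            next_seq = seg["seq"] + 1
            continue
        if f == "FIN":
            flag("Chat", "Sequence", "Connection finish (FIN)", seg)
            continue
        if f == "RST":
            flag("Warning", "Sequence", "Connection reset (RST)", seg)
            continue
        if seg["dlen"] == 0 or next_seq is None:
            continue         # pure ACK, or no SYN seen: nothing to compare
        seq, dlen = seg["seq"], seg["dlen"]
        if seq == next_seq:
            next_seq = seq + dlen
        elif seq > next_seq:
            # bytes next_seq..seq-1 never appeared: the capture missed them
            flag("Warning", "Sequence", "Previous segment not captured", seg)
            next_seq = seq + dlen
        elif (seq, dlen) in seen:
            # same bytes a second time: the sender retransmitted
            flag("Note", "Sequence", "Retransmission (suspected)", seg)
        else:
            # older bytes we had not seen yet: arrived out of order
            flag("Warning", "Sequence", "Out-Of-Order segment", seg)
        seen.add((seq, dlen))
    return {sev: dict(entries) for sev, entries in info.items()}

def severity_counts(info):
    """Per-tab totals, like the counts shown on the Expert Info tab labels."""
    return {sev: sum(len(v) for v in info[sev].values()) for sev in SEVERITIES}

if __name__ == "__main__":
    result = expert_info(STREAM)
    counts = severity_counts(result)
    for sev in SEVERITIES:
        print(f"[{sev}] {counts[sev]}")
        for (group, summary), frames in result[sev].items():
            print(f"  {group}: {summary} -> frames {frames}")
```

Frames 4 and 6 show why the tabs separate Notes from Warnings: both carry a sequence number below what was expected, but only frame 4 repeats bytes already on the wire, so it is a retransmission (Note) while frame 6 fills a gap and is out of order (Warning). Frame 5 is the case the window is most useful for in practice: a jump in sequence numbers says the capture itself dropped something, not the network.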
Let me know what you think. Send me a comment below or email us at [email protected]. And be sure to check out our sister show, Hak5 for more great stuff just like this. I’ll be there, reminding you to trust your technolust.