Quick Start Guide
Wireshark Quickstart Guide
i) Filters
Filters narrow the packet list to only the packets of interest.
See Appendix 2 for a discussion of filters.
ii) Follow TCP Stream
Choose a TCP packet from the packet listing window (Area 1 in
Figure 7). Right click on the chosen packet and select “Follow
TCP Stream”. Wireshark opens a new window showing the
reassembled payload of that connection, in both directions, as
the application layer sees it. For example, in the case of an HTTP
response, this is the HTTP headers and the web page delivered to
the browser. For an encrypted connection such as HTTPS the
window shows only the TLS records, not the plaintext.
Be aware that “Follow TCP Stream” also does something that may
confuse you: it automatically applies a display filter of the form
“tcp.stream eq N” so that only packets belonging to this stream are
shown. As a result, you may need to “Clear” (Appendix 2) the
display filter after using “Follow TCP Stream” if you want to look
at other packet data.
iii) Conversations and Endpoints
Under the statistics menu at the top of the main screen you can
explore “Conversations” and “Endpoints”.
First, remember that the network traffic you capture may have
traffic to/from more than one computer. There is a good chance
that your LAN protocol is Ethernet, and Ethernet is designed to
share a single network among many users. As a result, you may
see packets for other users in your packet data. Even if your
network is connected through a switch, you may see broadcast
packets to other users.
Using endpoints lets you isolate traffic so that you are only
looking at traffic to/from a specific machine. An endpoint is
defined per protocol layer. For example, at the Ethernet layer the
single MAC address of your machine is one endpoint: if you are
running an email client and a web browser at the same time, all of
that traffic is consolidated under your computer’s MAC address.
At the TCP layer, however, an endpoint is an IP address together
with a port number, so the traffic of the email client and the web
browser appears as separate endpoints. Wireshark’s endpoint report
lets you select the layer of interest, and then shows the summarized
endpoint traffic for that layer.
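To make the two features above concrete, here is a small added example (not code from the Wireshark project or the original guide) that reimplements them over a constructed capture: it numbers conversations the way the tcp.stream index does, applies the equivalent of the “tcp.stream eq N” filter that Follow TCP Stream sets, reassembles one stream’s payload per direction (ordering out-of-order segments and dropping a retransmission), and builds the Endpoints table at the Ethernet, IPv4 and TCP layers. All addresses, ports and payloads are made up for the example; the frame length assumes fixed 54-byte Ethernet/IPv4/TCP headers.

```python
"""Toy versions of Wireshark's "Follow TCP Stream" and "Endpoints" over a
constructed packet list (example code; addresses and payloads are invented)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


def wire_len(p):
    """Bytes on the wire, assuming 14 B Ethernet + 20 B IPv4 + 20 B TCP headers."""
    return 54 + len(p.payload)


def stream_key(p):
    """Direction-independent conversation id: both (ip, port) endpoints, sorted."""
    return tuple(sorted([(p.src_ip, p.src_port), (p.dst_ip, p.dst_port)]))


def stream_indexes(packets):
    """Number conversations in order of first appearance, like the tcp.stream field."""
    idx = {}
    for p in packets:
        idx.setdefault(stream_key(p), len(idx))
    return idx


def filter_stream(packets, n):
    """Equivalent of the display filter 'tcp.stream eq n' that Follow TCP Stream applies."""
    idx = stream_indexes(packets)
    return [p for p in packets if idx[stream_key(p)] == n]


def follow_tcp_stream(packets, key):
    """Reassemble one conversation per direction -> {(src_ip, src_port): bytes}.

    Segments are placed by sequence number, so out-of-order delivery is fixed up,
    and bytes already seen (retransmissions, overlaps) are discarded.
    """
    segs = defaultdict(dict)                      # direction -> {seq: payload}
    for p in packets:
        if stream_key(p) == key and p.payload:
            segs[(p.src_ip, p.src_port)].setdefault(p.seq, p.payload)
    streams = {}
    for direction, by_seq in segs.items():
        buf, nxt = bytearray(), None
        for seq in sorted(by_seq):
            data, end = by_seq[seq], seq + len(by_seq[seq])
            if nxt is not None:
                if end <= nxt:                    # full duplicate: already have it
                    continue
                if seq < nxt:                     # partial overlap: keep new tail only
                    data = data[nxt - seq:]
            buf += data
            nxt = end
        streams[direction] = bytes(buf)
    return streams


# Which address pair counts as "the endpoints" depends on the layer selected.
LAYER_KEYS = {
    "eth": lambda p: (p.src_mac, p.dst_mac),
    "ipv4": lambda p: (p.src_ip, p.dst_ip),
    "tcp": lambda p: ((p.src_ip, p.src_port), (p.dst_ip, p.dst_port)),
}


def endpoints(packets, layer):
    """Per-endpoint totals at one layer, as in Statistics > Endpoints."""
    key = LAYER_KEYS[layer]
    stats = defaultdict(lambda: {"tx_pkts": 0, "rx_pkts": 0, "tx_bytes": 0, "rx_bytes": 0})
    for p in packets:
        src, dst = key(p)
        stats[src]["tx_pkts"] += 1
        stats[src]["tx_bytes"] += wire_len(p)
        stats[dst]["rx_pkts"] += 1
        stats[dst]["rx_bytes"] += wire_len(p)
    return dict(stats)


# Constructed capture: one host running a browser and a mail client, plus a
# neighbour on the same Ethernet segment whose frames we also see.
HOST_MAC, GW_MAC = "aa:bb:cc:00:00:05", "aa:bb:cc:00:00:01"
MAIL_MAC, OTHER_MAC = "aa:bb:cc:00:00:25", "aa:bb:cc:00:00:09"
REPLY_HDR = b"HTTP/1.1 200 OK\r\nContent-Length: 15\r\n\r\n"   # 39 bytes
CAPTURE = [
    Packet(HOST_MAC, GW_MAC, "10.0.0.5", "93.184.216.34", 51000, 80, 1,
           b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    # server reply arrives out of order: body segment first, then headers
    Packet(GW_MAC, HOST_MAC, "93.184.216.34", "10.0.0.5", 80, 51000, 40, b"<html>hi</html>"),
    Packet(GW_MAC, HOST_MAC, "93.184.216.34", "10.0.0.5", 80, 51000, 1, REPLY_HDR),
    Packet(GW_MAC, HOST_MAC, "93.184.216.34", "10.0.0.5", 80, 51000, 1, REPLY_HDR),  # retransmit
    Packet(HOST_MAC, MAIL_MAC, "10.0.0.5", "10.0.0.25", 51001, 143, 1, b"a1 CAPABILITY\r\n"),
    Packet(OTHER_MAC, MAIL_MAC, "10.0.0.9", "10.0.0.25", 40000, 143, 1, b"a1 NOOP\r\n"),
]

if __name__ == "__main__":
    web = stream_key(CAPTURE[0])
    print("packets shown under 'tcp.stream eq 0':", len(filter_stream(CAPTURE, 0)), "of", len(CAPTURE))
    for direction, data in follow_tcp_stream(CAPTURE, web).items():
        print(direction, data)
    for layer in LAYER_KEYS:
        print(layer, sorted(endpoints(CAPTURE, layer)))
```

Running it shows the point of both sections: the web conversation’s four frames are what the stream filter leaves visible, the reassembled server side reads as a single clean HTTP response despite arriving out of order and being partly retransmitted, and the same traffic that collapses into one MAC address at the Ethernet layer splits into separate browser and mail endpoints at the TCP layer.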
Note: Following a TCP stream also hides some of the data by setting a display filter. “Clear” the display filter (Appendix 2) to reveal the entire data set.