Resources:
Wireshark version 1.4.0 download - www.wireshark.org/download.html
Wireshark Certified Network Analyst - www.wiresharktraining.com/certification
Wireshark Network Analysis Study Guide - www.wiresharkbook.com
Wireshark Certification Exam Prep Guide - www.wiresharkbook.com/epg
Register for the free Wireshark 201 Filtering Webinar on September 8, 10am-11am PDT - www.chappellseminars.com/s-wireshark201.html
-----
This week we had over 800 people register for the free Wireshark 101 Jumpstart
online course. You can download the handouts and review the topics covered.
During the webinar I focused on some of the cool new features of Wireshark
version 1.4.0. One of my favorite new features - Apply As Column - has even
gotten better than it was in the release candidate versions!
At Sharfest 2010, I was showing the new Apply As feature to the audience. Gerald
Combs, creator of Wireshark, was in that audience.
Simply right click on a field in a packet and choose Apply As to add that field as a
column in the Packet List pane. My favorite fields to add are:
* TCP Window Size field
* TCP Sequence Number field
* TCP Acknowledgment Number field
* IP Time to Live field
* 802.11 Channel/Frequency field (from a RadioTap or PPI header)
During that presentation I mentioned how fabulous it would be if I could
temporarily hide one of the new columns then quickly enable it again later.
Try it Yourself
Step 1
Download and extract all the book supplements (available online at
www.wiresharkbook.com/downloads.html).
Step 2
In Wireshark version 1.4.0, open the trace file called http-download-bad.pcap. This trace file contains the traffic of someone connecting to a web server and downloading a file. The performance stinks.
Step 3
Expand the TCP header in packet #1 and right-click on the Window Size field (near the
end of the TCP header). Select Apply As Column. Your new Window Size column
appears in the Packet List pane.
Step 4
Right click on the new Window Size column and select Rename Column Title... - change
the name to WinSize.
Step 5
Now click the new WinSize column twice to see the Window Size field values lowest to highest - do you see the "Window Zero" condition in the trace file? What is the IP address of the host that states it has no receive buffer space (indicated by a Window Size of 0)? Yup - that would be the problem with the file download process!
Step 6
Let's say you don't always want to see that column though. Simply right click on the WinSize column heading and select Hide Column. When you want to see it again, just right click on any column heading and select Displayed Columns. Sweet!
Thanks Gerald and the Wireshark development team! This is a great addition!
Enjoy!
Laura
