The premiere source of truth powering network automation. Open and extensible, trusted by thousands.

NetBox is now available as a managed cloud solution! Stop worrying about your tooling and get back to building networks.

New Features in Wireshark 1.5

By stretch | Monday, January 31, 2011 at 2:48 a.m. UTC

The development release of Wireshark 1.5.0 was released last week, marking the latest milestone for the family of packet analysis applications. Since hesitantly crossing the 1.0 mark in 2008 (two years after being renamed from Ethereal), Wireshark has been growing at a fairly ambitious pace. I'm currently using Wireshark 1.2.7. Curious what features have been introduced recently, I grabbed the development source tarball and compiled it on my Ubuntu workstation.

wireshark.png

This article discusses some of the more useful improvements since 1.2.7, some of which are available in the current stable release 1.4.3. For a complete list of features, bug fixes, and new supported protocols see the Wireshark release notes.

Packet List Column Context Menu (v1.4.0)

Right-clicking on a display column in the packet list pane presents a context menu from which the user can easily sort or hide (v1.5.0) the column, horizontally align its fields, and modify the information it displays. Columns can also be rearranged by dragging them with the mouse.

column_menu.png

Ignoring Packets (v1.4.0)

Packets can be ignored by right-clicking on the packet in the list and selecting "Ignore Packet". This is handy for temporarily removing specific packets without actually altering the capture data.

Import Captures from Text (v1.5.0)

The functionality of the standalone utility text2pcap has been incorporated in the Wireshark GUI. Packet captures in text format (hex dumps) can be imported under File > Import.

Syntax Checking for Capture Filters (v1.5.0)

Wireshark implements two types of filters: capture filters and display filters. Capture apply at a very low level in the packet capture library (libpcap or WinPcap) and determine which packets are recorded in the capture file. Display filters apply only to the GUI presentation; enabling a display filter does not modify the contents of the capture file, only which packets are displayed when the filter is activated.

Release 1.5.0 introduces syntax-checking support in the capture filter field. This allows a user to verify that the filter provided is correct before attempting to start a capture. (The display filter has supported syntax checking for some time.)

capture_filter_syntax.png

Window Scaling Graph (v1.5.0)

Joining the four existing TCP stream graphs (RTT, throughput, Stevens, and tcptrace) in this release is a TCP window scale graph. The name is a bit misleading: the TCP window scale actually remains static for the duration of a TCP session. What is being graphed is the calculated TCP window size (a far more useful attribute) over the duration of a TCP connection.

The TCP window graph for a TCP session can be opened under Statistics > TCP Stream Graphs > Window Scaling Graph after selecting a TCP packet in the capture. Note that TCP windows are unidirectional; be sure to select a packet from the desired direction of the TCP session.

window_graph.png

Posted in Packet Analysis

Comments

Daniel
January 31, 2011 at 7:24 a.m. UTC

Nice.

I would definately like to learn more about Wireshark, maybe take the certification some day but need to take care of the CCIE first.

stretch
January 31, 2011 at 3:04 p.m. UTC

You definitely don't need pursue a certification to learn Wireshark. Just read the manual and start using it.

Daniel
January 31, 2011 at 7:22 p.m. UTC

Yeah, I already use it and I know the basic functions but there's always more to learn. Not only the program but do some studying of protocols in depth.

herve
February 1, 2011 at 10:31 a.m. UTC

Great,
I tested with my personal libcap but I do not have rising stages (FTP, netbios, SCP ...) Could you post a link to an pcap file to try this feature ?

Thank you

joshlowe
February 1, 2011 at 6:36 p.m. UTC

@herve: Did you try the Packet Captures section of the website?

http://packetlife.net/captures/

I bet there's something there you can use.

guest
February 2, 2011 at 5:17 p.m. UTC

Knowing the protocols in depth and how to use a protocol analyzer should be a CCIE requirement. It would be a shame to be that knowledgeable about routing and switching without knowing in depth what you are routing and switching..

Nels
February 3, 2011 at 3:30 a.m. UTC

The Wireshark Network Analysis book by Laura Chappell is an excellent reference and way to learn to use Wireshark.

sofy
February 8, 2011 at 7:32 a.m. UTC

can you help me?
how to read a throughput graph??

TheAfroTech
February 12, 2011 at 1:17 a.m. UTC

Thanks Stretch:-)

I have been a longtime Wireshark users, and I will take your update anyday over their release note.

Thanks for the illumidate :-D

Comments have closed for this article due to its age.