Adding columns to Wireshark
By stretch | Friday, June 27, 2008 at 12:55 a.m. UTC
Wireshark is probably my favorite networking tool. Its value in troubleshooting the most peculiar network issues cannot be overstated, as it allows the engineer to analyze virtually every bit to traverse the wire. However, not many people realize its functionality can be customized to suite its operator's preference or situation.
One of my favorite modifications is to add columns to the list pane, to provide quick access to statistics and packet attributes only otherwise available in the individual packet details. In addition to the default columns listing packet number, protocol, source and destination addresses, and so forth, Wireshark supports a plethora of other helpful details. Some of my favorites:
- 802.1Q VLAN ID
- Delta time (the time between captured packets)
- Frame relay DLCI
- Packet length
Consider the following capture of an OSPF adjacency being formed:
From the list view, it's not readily apparent which packets consume the most bandwidth. To add a packet length column, navigate to Edit > Preferences and select User Interface > Columns. Click New, and define the column's title. From the Format list, select Packet length (bytes). Use the up and down arrows to position the column in the list.
Click OK and the list view should now display each packet's length listed in the new column.
Posted in Tips and Tricks
June 28, 2008 at 10:13 p.m. UTC
This is one of my favourite modifications that I always setup in Wireshark.
Working in a VoIP environment I always add the dot1q and DSCP columns as it makes troubleshooting QoS problems a bit quicker.
November 3, 2008 at 3:53 p.m. UTC
I would like to add a couple of columns in wireshark containing contents of particular fields of the packets, i.e. wlan.flags. However, there seems that this option is not available in the drop down list. Do you have any ideas of customizing column content?
I work on Ubuntu 8.04(on Centrino laptop), wireshark v. 1.0.4
January 19, 2009 at 12:51 p.m. UTC
You can select 'Custom' from the drop-down and then enter the field that you need. :-)
April 7, 2009 at 6:26 p.m. UTC
do as Tasos pointed out, then find out the related Display Filter Reference, from http://www.wireshark.org/docs/dfref/, and insert it into the empty tab next to the format tab in preference
June 11, 2009 at 12:48 p.m. UTC
Thank you very much for this. You have shown that it not necessary to decode the raw binary output file in order to get access to required data.
August 20, 2009 at 10:31 a.m. UTC
How come some of the "Formats" don't work for me...Like for instance, "IEEE 802.11 RSSI"...I'm working on an ad-hoc network, sending RTP packets between devices and would like to read such an approximation of the received signal on the adapter...but it will not show any value... Should I be in "monitor" mode for that?
June 26, 2012 at 11:17 a.m. UTC
I am Using WireShark to analyse Diameter protocol traces. I have customized wireshark columns according to my need, Problem is in diameter protocol we have some fields which are multiple occurring with different values, like CC-Time filed come under different AVP(Attribute value pair). How can i set dedicated CC-time columns for different CC-Time values under different AVP's
When i does custom option in Add columns, i get only diameter.CC-time restricting me to add only one column.
Thanx in advance.