Lab 1 (Wireshark 1.8.2)
(Read this page at home or in class if time permits.)
Wireshark is an open source project resulting from the combined efforts of hundreds of programmers over a
period of more than 10 years. Software, manuals and FAQs can all be downloaded for free.
Unfortunately, the manuals and FAQs haven't always kept up with the latest changes to the interface.
Furthermore, as new methods for accomplishing certain tasks have been added, support for the older
methods still remains. This combination of outdated documentation and inconsistent functionality can make
it difficult to master the operation of Wireshark.
For example, Wireshark uses two different filtering languages - the syntax for writing capture filters differs
from the syntax for writing display filters. Some syntax rules are supported by both filter types, while other
syntax rules are unique to one filter or the other.
The Wireshark interface can be confusing in that while there are only a few configuration dialog boxes that
the average user needs to be concerned with, there are multiple entry points for each of these boxes. In
other words, dialog boxes can often be accessed by more than one toolbar button and by multiple menu
selections. (Menu selections which have corresponding toolbuttons display the toolbutton icon to the left of
the menu entry.)
Wireshark is not always clear on the distinction between global and local scope for some settings. Changing
a setting in one dialog box will usually, but not always, change the same setting in other dialog boxes.
Changes to a setting do not always stick. Sometimes, a setting will only stick if a capture is started
immediately after changing a setting AND the capture actually captures at least one packet. If the capture is
stopped before the first packet is captured, then the setting may revert to its previous state.
Also, changes made by clicking only the "Apply" button will only be in effect for the current instance of
Wireshark. When Wireshark is restarted, the settings will revert back to their original value. To make a
change permanent, the "Save" button must also be clicked. Also, one must be sure to close a dialog box by
clicking "OK" and not the titlebar's "X" close button.
In general, one should concentrate on the following sections in the Wireshark User Guide (v1.9):
Chapters 3.16 - 3.21; 4.1 - 4.6, 4.13 - 4.14; 6; 7.1 - 7.2, 7.4, 7.7
Screen shots and descriptions of suggested settings for dialog boxes which the average user needs to be
concerned with are given on the following pages. In general, match the preference settings for your
installation of Wireshark with those shown in the following screen shots.
Note: Wireshark can be used to display capture files saved by other packet sniffers, not just those
generated by Wireshark itself.
Lab 1 (Wireshark 1.8.2) - Wireshark Configuration 1/15 Gnall
Perform all of the settings in this lab without a live capture running.
Settings can be modified and applied to the Wireshark interface whether a live capture is running or not.
Also, a live capture can be started while the Preferences dialog box is still open.
If changes are made from either the menu, toolbar or Preferences dialog box while a live capture is running,
then the changes will usually be immediately visible in the display window. However, if Wireshark is busy
processing too many packets, it may hang when trying to update its display in response to a change in the
(Note, letting the mouse hover over most options will cause a tooltip to appear.)
Edit Menu…Preferences…User Interface
Save window position - CHECK
Ask for unsaved capture files - UNCHECK
If this is checked, then when closing a live capture which has been stopped, Wireshark will ask if the
captured data should be saved to a file. Since we won't be saving data, leave this unchecked.
Settings dialogs show a save button - CHECK
If a Wireshark Preference setting is changed, followed by a click of the Apply button, then the new
setting will revert back to its original value when Wireshark is restarted. To preserve the changed
settings from run to run, the Save button must be clicked after making any changes.
The "Save" button will appear
Changes made by clicking the "Apply" button will only be in effect for the current instance of Wireshark.
When Wireshark is restarted, the settings will revert back to their original value. To make a change
permanent, the "Save" button must also be clicked. Also, be sure to close a dialog box by clicking "OK"
and not the titlebar's "X" close button.
Packet List Time Column (chapter 3.7, 6.11, 7.4)
Edit Menu…Preferences…User Interface…Columns…Time
If Time (format as specified) is selected in the Format drop down box, then the time format can be set via
the menu bar, as shown in the screenshot on the next page:
View Menu…Time Display Format…
I recommend choosing "Time of Day", which will display the system time. This will facilitate correlating
network events with the packets as they appear in Wireshark.
I usually set the precision level to whole seconds, as Windows tool tray clocks do not display fractional
seconds. However, occasionally the Deciseconds level will be useful for some labs, such as timing short
Packet List Source and Destination Columns and Name Resolution
Which information appears in the Source and Destination columns in the Packet List pane and how that
information is formatted is determined by two separate preference settings:
1) Edit Menu…Preferences…User Interface…Columns…Source/Destination
Set the Source column to display: Src addr (resolved)
Set the Destination column to display: Dest addr (resolved)
2) Edit Menu…Preferences…Name Resolution OR View…Name Resolution…
Uncheck "Enable network name resolution"
Uncheck "Enable concurrent DNS name resolution"
(32-bit Wireshark and 64-bit Wireshark have different versions of this dialog box.)
Both of these settings provide some control over whether MAC, IP and Port numbers will be resolved or not.
However, it is difficult to understand how these two settings work together to ultimately determine whether
an address is resolved or not. (For more information, see the Wireshark Lab 3 - Address Resolution in Detail)
Name Resolution Settings Explained
(Read this page at home or in class if time permits.)
Enable MAC name resolution - CHECKED
If checked, Wireshark will employ up to three different techniques to try to resolve a MAC address into a
more human readable form. It will start with the first method listed below, then continue on to the
second and then the third if necessary.
1. ARP: Convert the MAC address into an IP address
2. Ethers File: If ARP fails, employ a user created file to convert the MAC address into a machine
3. Manuf File: If ARP and Ethers fail, use a file to convert the first three bytes of the MAC address
into the IEEE assigned manufacturers code.
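As an added illustration (not part of the handout), here is a small Python model of the three-step MAC lookup order just described. The ARP table, ethers file and manuf file are constructed samples, and the OUI prefixes in them are hypothetical.

```python
# Added example (not from the handout): a minimal model of the MAC name
# resolution order described above: ARP, then ethers file, then manuf file.
import re

ARP_SEEN = {"00:0c:29:3a:5b:7c": "192.168.10.20"}  # ARP step: MAC -> IP learned from the capture (constructed)

# ethers file: "MAC hostname" per line, '#' starts a comment (constructed sample).
ETHERS_FILE = """\
00:50:56:c0:00:08 vmware-host
00:1b:21:aa:bb:cc lab-printer
"""
# manuf file: "prefix<TAB>short name<TAB>long name" per line (constructed; prefixes hypothetical).
MANUF_FILE = """\
00:0C:29\tVMware\tVMware, Inc.
00:50:56\tVMware\tVMware, Inc.
00:1B:21\tIntel\tIntel Corporate
"""

def norm(mac):
    # Canonical lower-case aa:bb:cc:dd:ee:ff form; accepts '-' or '.' separators too.
    h = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(h) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(h[i:i + 2] for i in range(0, 12, 2))

def parse_ethers(text):
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            table[norm(fields[0])] = fields[1]
    return table

def parse_manuf(text):
    table = {}
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) >= 2 and not line.startswith("#"):
            table[fields[0].lower()] = fields[1]  # first three bytes -> vendor short name
    return table

def resolve_mac(mac, arp=ARP_SEEN, ethers=parse_ethers(ETHERS_FILE),
                manuf=parse_manuf(MANUF_FILE)):
    """Try each source in the order the handout lists; fall back to the raw MAC."""
    m = norm(mac)
    if m in arp:
        return arp[m]                     # 1. ARP: MAC -> IP address
    if m in ethers:
        return ethers[m]                  # 2. ethers: MAC -> host name
    if m[:8] in manuf:
        return f"{manuf[m[:8]]}_{m[9:]}"  # 3. manuf: OUI -> Vendor_xx:yy:zz
    return m                              # unresolved: shown as-is
```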
Enable network name resolution - UNCHECKED
If checked, Wireshark first consults the operating system's host file for a name, and then issues a DNS
query. However, Wireshark may hang while waiting for a response from a DNS server, so this should be
Enable transport name resolution - CHECKED
If checked, Wireshark will try to resolve a port number into the corresponding protocol.
Enable concurrent DNS name resolution - UNCHECKED
Only has an effect if "Enable network name resolution" is checked.
Wireshark will issue multiple DNS queries in parallel, rather than sequentially.
(Need to research Wireshark ADNS library.)
Font and Font Size
Edit Menu…Preferences…User Interface…Font
(Different fonts may be available on different operating systems.)
Verdana is an easier to read font than the default font - Lucida Console.
A smaller font size of 7 or 8 (default is 10) will allow a full line of capture data to fit more easily within the
The smaller font size set in the previous step will make it easier to squeeze more information into the width
of the Wireshark window.
For future reference, note that columns can be resized one-by-one by manually dragging the column
separators or by clicking the "Resize All Columns" toolbutton. This will minimize all of the column
widths at once.
Edit Menu…Preferences…Capture (these options also appear in the Capture Options dialog box)
(May be different on different operating systems.)
Capture packets in promiscuous mode - CHECKED
Checking Promiscuous Mode will instruct the NIC to NOT filter out packets based on their destination
MAC address. All packets hitting the NIC will be passed up the TCP/IP stack, and not just the packets
targeting/leaving the NIC which Wireshark is monitoring.
Capture packets in pcap-ng format - UNCHECKED
Update list of packets in real time - CHECKED
If unchecked, packets will not be displayed until the live capture has been stopped.
Automatic scrolling in live capture - CHECKED INITIALLY
If checked, old packets will scroll up in the Packet List pane, making room to display the most recently
captured packets at the bottom of the pane. Check according to preference.
This setting can also be toggled via the toolbar.
Hide capture info dialog - CHECKED
The Capture Info Dialog box is rarely used in class and is more annoying than useful, so it should be
hidden. It displays packet statistics for the more common protocols:
SCTP, TCP, UDP, ICMP, ARP, OSPF, GRE, NetBIOS, IPX, VINES, …
Capture Settings - Default Interface
Wireshark may detect more than one network interface in the operating system in which it is installed. If
more than one network interface is present, then the default interface from which Wireshark captures
packets is usually not the adapter which one is interested in.
If Wireshark detects more than one interface, then follow the directions in this section to set the default
interface from which to capture packets.
The set of network interfaces which VMware automatically installs in a VM varies from one version of VMware
to another. For instance, older versions of VMware installed a dialup adapter:
Adapter for generic dialup and VPN capture: \Device\NPF_GenericDialupAdapter
Newer versions of VMware may install other interfaces.
As shown in the screenshot on the previous page, use the drop down box to set the VMware adapter as the
VMware Accelerated AMD PCNet Adapter (Microsoft's Packet Scheduler)
It is easy when using VMware to accidentally start a live capture with the wrong interface. The easiest way
to prevent this is to hide the interfaces which will never be used. This will prevent unwanted interfaces from
appearing in some dialog boxes, such as the Capture Interfaces or Capture Options dialog box.
Select the unwanted interface.
Check "Hide interface?" (at the bottom of the window)
NOTE: This option sometimes resets when Wireshark is shutdown and restarted. So always be careful to
select the correct interface when starting a capture.
Hide the Packet Bytes Pane
The screenshot below shows a typical live capture.
Starting from the top, there are three display panes:
The bottommost Packet Bytes pane shown in the above screen shot will be of little use in this course and
can be hidden from view. Hiding the Packet Bytes Pane will allow more room for displaying the list of packets
and for displaying details about the contents of individual packets. Hide the Packet Bytes Pane to make
Wireshark look more like the screenshot below.
View Menu…Packet Bytes UNCHECKED
If unwanted interfaces were successfully hidden, then you should see:
Other settings are reflected in Capture Menu…Options…
Main Toolbar - Most Frequently Used Buttons
Show some help…
List the Available Capture Interfaces…
Show the Capture Options…
Start a New Live Capture
Stop the Running Live Capture
Restart the Running Live Capture
Close this Capture File
Reload this Capture File
Go to the First Packet
Go to the Packet with Number…
Find a Packet…

Edit Preferences…
Edit/apply Display Filter…
Edit Capture Filter…
Resize All Columns
Auto Scroll Packet List in Live Capture
Start a Live Capture
Stop Running Live Capture
Restart the Running Live Capture
Close Capture File
Reload Capture File
Auto Scroll Packet List in Live Capture
Resize All Columns
With the exception of "Reload Capture File", all of the above toolbuttons have corresponding