Author Profile - Chris Greer is a Senior Network Analyst for Network Protocol Specialists, a Seattle based Network Consulting company. Chris has 10 years of experience in analyzing and troubleshooting networks. He regularly assists companies in tracking down the source of network and application performance problems using a variety of protocol analysis and monitoring tools including Wireshark. When he isn’t hunting down problems at the packet level, he can be found teaching various analysis workshops at Interop and other industry trade shows. Chris also delivers Fluke Networks public courses and protocol analysis themed webcasts. He can be contacted at chris (at) nps-llc (dot) com.
Chris’ Wireshark Quick Tip: Adding columns helps to resolve problems faster.
What are the best columns to display?
Wireshark allows us to easily display specific packet data in the summary view. Depending on the problem we are looking for, it may be useful to add or remove custom columns so we only see information that will really help us solve the problem. For example, it’s not always useful to display the IP identification number for every packet in the trace file as a column on the top of the screen. But, one thing that is quite useful to display for most problems is the size of each packet. This article will briefly show how to add useful columns, as well as recommend which ones we most commonly use.
How to add and remove columns.
Open up any trace file in Wireshark. At first, in the top screen, you will see a frame number, a time column (usually elapsed time from the start of the capture), source and destination addresses, what protocol is used, and finally a summary of what the packet contains. While this data is great to start out with, it won’t take long before adding a column of specific data will help.
To add a column, select Edit | Preferences. This will bring up the Preferences window where Columns can be selected from the left. The default columns will be displayed here. To add a column, click the Add button and select the desired information to add from the format menu. Name the column and then you are done.
For example, to add the packet length, select add, name the column Length, then select Packet Length from the Format Bar. By default, it will be added at the bottom of the list, which will make it appear on the far right of the summary view. To move it up, just drag and drop it up where it can be more easily seen, such as between the destination and protocol fields.
After adding the column, click the apply button and the length of the packet will now be displayed in the summary view of Wireshark.
What are the most useful columns?
This of course depends on what problem you are trying to resolve. Here are the ones I use with a description of why:
- Delta Time - Handy to have in just about any situation. It is needed for measuring server response time, network roundtrip time, and other delays. Delta time can be displayed by modifying the already present time column in the View menu, or by adding delta time as its own column.
- Cumulative Bytes – When moving large blocks of data, this column displays how much data has been sent. You can then divide by the time it took to send it and figure out the throughput used by the application.
- TCP Window Size – Useful when TCP Window size is an issue, usually in larger file transfers. It can be added by selecting Custom from the column menu, then entering tcp.window_size in the field name. This column will show when and how often the TCP window drops, without needing to dig for this value in the packet details.
- IP TOS (DiffSrv) – When monitoring traffic using the TOS field, such as VoIP, this column is helpful in viewing what bits are set and if QoS is configured for this value. It can be added selecting the IP DSCP Value option.
In this data copy, after filtering on one direction of traffic and resetting the timers, we find that in .022 seconds, there was 193,220 bytes sent. (193,200 x 8)/.022 = Bitrate. This transfer took up 70Mbps of my line. Very useful when looking at backups!
Using these columns makes it easier to spot problems in the summary view. They save you from needing to dig deep into every packet for a specific field, which saves a ton of time when troubleshooting! Feel free to add a comment below about your favorite time-saving custom columns when using Wireshark.
Stay tuned to LoveMyTool for more Wireshark Quick Tips.
Continue reading other LoveMyTool posts by Chris Greer »
Recent Comments