Review of Dualcomm 5-Port Pass-Through Port Mirroring Switch (by Betty DuBois)
Sunday Buzz: Integrity is What We Do (by Denny K Miu)

Colorize TCP Session Conversations (by Ray Tompkins)

RayGearbitAuthor Profile - Ray Tompkins is the Founder and CEO of Gearbit. Ray is a Senior Network Specialist with over 28 years experience in troubleshooting, design, and implementation. His background includes 911 emergency consulting, and identifying the root cause of critical network problems. His knowledge of network protocols (LAN, VoIP, WAN and WLAN) and how they work within the enterprise networks are the key in providing customer service though knowledge transfer and education.

Gearbit_logo_shad_small
Under the Hood - Colorize TCP Session Conversations

Welcome to Under the Hood, gearbit’s newsletter for customers and network analysts. This technical tip we’ll reviewing the use of the Colorize Conversation rule, that allows you see TCP conversation by highlighting. Really, anything to help us clarify the trace as we’re analyzing is a huge plus.

You can access the Colorize Conversation Rule in a couple of ways.

First way is through the Main Menu where you’ll find it listed under the View menu.
View>Colorize Conversation

Second is to select the packet, then right click, to bring up the Color Conversation rule.
Select Packet-Right Click>Colorize Conversation>Ethernet or IP or TCP

This is not to be confused with the Coloring Rule, that’s used to highlight a bit pattern or protocol, etc…. Look forward to a future article where we’ll take a look at several examples of how and when it can be used to speed up packet analysis.


In Figure 1:1 I’ve first used a Display filter to find the first packet of a TCP Session, buy using this display filter, (!(tcp.flags.ack == 1)) and (tcp.flags.syn == 1). This makes it easy to see all the TCP conversations.

A quick note, I just about always use the right click Prepare a Filter to build all of my Display Filters.

Now on to the Colorize Conversation rule. In the following examples, Figure 1:3 shows the packets highlighted in pink, showing a visual separated from all the other packets. With the packets now visible you can see the TCP conversation, but also see other network traffic that is occurring around and during this TCP session. Very help feature in Wireshark, thank you Gerald Comes and the Wireshark team!

In Figure 1:2 show how this is done, first selecting the View menu, and then the Colorize Conversation rule, along with the following menus that narrow down the conversation to the TCP Session.


Figure 1:1 TCP Sessions Displayed with TCP Flags Filter

TCP Flags SYN & Not ACK

Figure 1:2 Apply Colorize Conversation to TCP Session

Colorize Conversation for TCP Session
Figure 1:3 TCP Session Colorized  

TCP Conversation Colorized
 

image from http://www.lovemytool.com/.a/6a00e008d957708834012876eca0ad970c-75si

Continue reading other LoveMyTool posts by Ray Tompkins »

Comments