Best tips for using Wireshark

Wireshark it is a powerful network capture package analysis tool, we are no stranger to him, may work every day, use it to troubleshoot, analyze the type of attack, etc., can quickly understand and find the problem.

TCP flow

In order to understand the working process of TCP Seq and Ack numbers throughout the TCP session, you can use Wireshark’s drawing stream function to select Statistics -> Flow Graph … -> TCP flow from the menu bar to automatically create a TCP flow The graphics.


Each row represents a packet, the left column shows the time, the middle column shows the direction of the packet, the TCP port, the packet’s load length, and the set flag. The right column shows the relevant Seq number/Ack number in decimal mode.


Wireshark defaults to the relative Seq number/Ack number, relative to the Seq number/Ack number is associated with the initial serial number of the TCP session. Compared to the real Seq number/Ack number, it is relatively easy to track a smaller relative Seq number/Ack number.

If you want to turn off the relative serial number / confirmation number, you can select Edit -> Preferences -> protocols -> TCP in the Wireshark menu bar, and do not check the Relative sequence number option.

Time display

Based on the time of a packet, the subsequent packet display is based on the time of the packet as a benchmark, which is often used to determine the response to the network delay, to determine whether the server or client or line delay Solve the problem of network speed. Sometimes packet loss is not caused by delay, when the communication between the two hosts is very slow, and there is no TCP retransmission or repeat ACK characteristics, then need to view the initial connection handshake and the next two packets. Displays the delay of the packet in relative time.

Protocol statistics hierarchical information

Use statistics -> protocol hierarchy statistics, which displays the tree branches of all the protocols that the package file contains. Packets usually contain many protocols, and many protocols are counted in each package. The End Packets, End Bytes, End Mbit / s columns are the statistics of the layer as the last layer in the packet capture. Percentage refers to the percentage of the same protocol layer.

Network session list

Network session is the data flow between two designated terminals, using statistics-> converstations statistical function analysis protocol, through the Conversations list, can see a lot of network problems.

Layer 3 IP statistics, IP session is the two IP addresses between all the data flow, observe the source ip and ip distribution of the target can know the ip address request message distribution, click on each column header can be sorted; also know that the package Size, byte size. Through the byte distribution, look at the packet attack or application layer attacks.

Layer 4 TCP or UDP statistics: look at the main tcp attack or udp data packets, this list mainly analyzes the number of tcp links, source port and destination port distribution is fixed or random. For example, each PC reasonable number of connections is 10 to 20, hundreds of is not normal.

The network endpoint list

Select Statistics -> Endpoints in the menu bar to analyze the pps and bps for the IP address, and the number of bytes and bytes of the addresses of each endpoint, the number of packets sent or received. A small number of IP terminal nodes and a large number of TCP terminal nodes: the possible situation is that each host has a lot of TCP connections, and then speculation may be a network attack.

IP address statistics list

Use Statistics-IP Statistics-IP addresss to analyze the sort and percentage of IP addresses

Summary statistics

Use statistics-summary to get the current packet size, byte size, pps or bps information to determine the size of the attack traffic.

Application layer packet analysis

Use statistics-http-packet counte, you can see http get and post packet distribution rules, found that most of the data is get.

The use of statistics-http-requests can see the distribution of the request url, found that the request of the url received in a very small url above the url, url with obvious features.