In my previous blog, I explained Wireshark, Its installation, and how to use it. Now we’ll go a bit more deep into Wireshark and see how to read the captured packets. So Wireshark tries to help you identify packet types by applying common-sense color coding.
| Color in Wireshark | Packet Type |
| Light purple | TCP |
| Light blue | UDP |
| Black | Packets with errors |
| Light green | HTTP traffic |
| Light yellow | Windows-specific traffic, including Server Message Blocks (SMB) and NetBIOS |
| Dark yellow | Routing |
| Dark gray | TCP SYN, FIN and ACK traffic |
The default coloring scheme is shown below figure. You can view this by going to View >> Coloring Rules.
We can even change the defaults or apply a custom rule. If you don’t want any coloring at all, go to View, then click Colorize Packet List. It’s a toggle, so if you want the coloring back, simply go back and click Colorize Packet List again. It’s possible, even, to colorize specific conversations between computers.
Wireshark I/O Statistics
In Wireshark, we are not limited to just interpreting packets by colors. It is also possible to view the input/output statistics of an entire packet capture. For this in Wireshark, just go to statistics >> I/O graph, and there we can see a graph like shown below:
The above graph is showing typical traffic generated by a home office. The spikes in the graph are bursts of traffic that were caused by generating a Distributed Denial of Service (DDoS) attack using a few Linux systems. In this case, three major traffic bursts were generated. Many times, cybersecurity pros use Wireshark as a quick and dirty way to identify traffic bursts during attacks. It’s also possible to capture the amount of traffic generated between one system and another. If you go to Statistics and then select Conversations, you will see a summary of conversations between endpoints, as shown below:
In some cases, it is even possible to use Wireshark to identify the geographic location of the source and destination traffic. If you click on the Map button at the bottom of the screen (shown in Figure 9 above), Wireshark will show you a map, providing its best guess of the location of the IP addresses you’ve identified.
We know that IPv4 addresses can be easily spoofed, you can’t rely completely on this geographical information. But it can be fairly accurate.
For the Wireshark introduction, you can read my blog on Wireshark installation and how to use it here.
