sation, is a window showing the ASCII decode of the payloads from all of the frames. You can see this in Figure 2-5. Wireshark also color-codes the output. Red is the client messages, and blue is the server messages. You will also get a brief summary at the bottom of the window indicating how much of the conversation was the client's and how much was the server's.
Figure 2-5. Follow TCP stream output
Wireshark has the same filtering capabilities that we had with tcpdump. In the case of Wireshark, we can apply the filter as a capture filter, meaning we will capture only packets that match the filter, or we can apply the filter as a display filter to be applied to packets already captured. Wireshark will provide a lot of help when it comes to filtering. When you start typing in the filter box at the top of the screen, Wireshark will start trying to autocomplete. It will also indicate whether you have a valid filter by color-coding the box red when you have an invalid filter, and green when it's valid. Wireshark has the ability to get to about every field or property of the protocols it knows about. As an example, we could filter on the type of HTTP response code that was seen. This may be valuable if you generated an error and you want to look at the conversation that led to the error.
66 | Chapter 2: Network Security Testing Basics
Wireshark will also do a lot of analysis for us. As an example, when we were fragmenting packets earlier using fragroute, Wireshark would have colored frames that weren't right. If a packet's checksum didn't match, for instance, the frames belonging to that packet would have been colored black. Any error in the protocol where the packet is malformed would result in a frame that was colored red. Similarly, TCP resets will get a frame colored red. A warning would be colored yellow and may result from an application generating an unusual error code. You may also see yellow if there are connection problems. If you want to save a little time, you can use the Analyze menu and select Expert Info to see the entire list of frames that have been flagged. You can see a sample of this view in Figure 2-6.
Figure 2-6. Expert information output
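To make the coloring rules above concrete, here is a small Python script (added for this edition of the text, not code from the book or from the Wireshark project) that builds constructed IPv4/TCP frames and classifies them the way the default rules described above would: black for an IP header checksum mismatch, red for a malformed header or a TCP reset, and a per-color tally like the Expert Info list. The packet contents, addresses and the `build_ipv4_tcp`/`classify_frame`/`expert_summary` names are all assumptions for the example.

```python
import socket
import struct

RST_FLAG = 0x04  # TCP flags byte bit for RST


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words, checksum field zeroed."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(src_ip: str, dst_ip: str, tcp_flags: int, corrupt_checksum: bool = False) -> bytes:
    """Build a constructed (sample) IPv4+TCP frame; optionally flip a checksum bit to simulate corruption."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, tcp_flags, 65535, 0, 0)
    fields = (0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
              socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip_zero_sum = struct.pack("!BBHHHBBH4s4s", *fields)  # checksum field still zero
    csum = ipv4_checksum(ip_zero_sum)
    if corrupt_checksum:
        csum ^= 0x0001
    return ip_zero_sum[:10] + struct.pack("!H", csum) + ip_zero_sum[12:] + tcp


def classify_frame(frame: bytes) -> str:
    """Return the color the rules in the text would give this frame:
    red (malformed or TCP reset), black (IP checksum mismatch) or normal."""
    if len(frame) < 20:
        return "red"                      # truncated header: malformed packet
    ihl = (frame[0] & 0x0F) * 4
    if ihl < 20 or len(frame) < ihl:
        return "red"                      # bogus header length: malformed packet
    stored = struct.unpack("!H", frame[10:12])[0]
    computed = ipv4_checksum(frame[:10] + b"\x00\x00" + frame[12:ihl])
    if stored != computed:
        return "black"                    # checksum error
    if frame[9] == 6 and len(frame) >= ihl + 14 and frame[ihl + 13] & RST_FLAG:
        return "red"                      # TCP reset
    return "normal"


def expert_summary(frames) -> dict:
    """Count frames per color, the way the Analyze > Expert Info list groups flagged frames."""
    counts = {"red": 0, "black": 0, "normal": 0}
    for frame in frames:
        counts[classify_frame(frame)] += 1
    return counts
```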
Wireshark has so many capabilities; we aren't even skimming the surface of what it can do. A lot of what you may find it useful for is just to see the headers for each protocol broken out in a way that you can easily read them. This will help you see what is happening if you run into issues with your testing. One other feature I should mention is the statistics menu. Wireshark will provide graphs and different views of