The packet list pane displays all the packets in the current capture file.
Each line in the packet list corresponds to one packet in the capture file. If you select a line in this pane, more details will be displayed in the “Packet Details” and “Packet Bytes” panes.
While dissecting a packet, Wireshark will place information from the protocol dissectors into the columns. As higher level protocols might overwrite information from lower levels, you will typically see the information from the highest possible level only.
For example, let’s look at a packet containing TCP inside IP inside an Ethernet packet. The Ethernet dissector will write its data (such as the Ethernet addresses), the IP dissector will overwrite this with its own (such as the IP addresses), the TCP dissector will overwrite the IP information, and so on.
Many different columns are available. You can choose which columns are displayed in the preference settings; see Section 10.5, “Preferences”.
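The layering described above can be reproduced with a small model. This is an added example, not Wireshark's own code: the frame bytes are constructed, and the `dissect_*` functions, `fill_columns` and the Info strings are hypothetical simplifications of what real dissectors write.

```python
import struct

# Constructed sample frame: Ethernet II / IPv4 / TCP SYN (checksums left as zero).
FRAME = bytes.fromhex(
    "0011223344550a0b0c0d0e0f0800"              # Ethernet: dst, src, type=IPv4
    "450000280001400040060000c0a8010ac0a80114"  # IPv4: 192.168.1.10 -> 192.168.1.20
    "c0de005000000001000000005002200000000000"  # TCP: 49374 -> 80, SYN
)

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def ip(b):
    return ".".join(str(x) for x in b)

def dissect_eth(buf, cols):
    ethertype = struct.unpack("!H", buf[12:14])[0]
    cols.update(Source=mac(buf[6:12]), Destination=mac(buf[0:6]),
                Protocol="Ethernet", Info=f"Type 0x{ethertype:04x}")
    return (dissect_ipv4, buf[14:]) if ethertype == 0x0800 else None

def dissect_ipv4(buf, cols):
    header_len = (buf[0] & 0x0F) * 4
    # Overwrites the MAC addresses the Ethernet layer put in the columns.
    cols.update(Source=ip(buf[12:16]), Destination=ip(buf[16:20]),
                Protocol="IPv4", Info=f"Protocol {buf[9]}")
    return (dissect_tcp, buf[header_len:]) if buf[9] == 6 else None

def dissect_tcp(buf, cols):
    sport, dport = struct.unpack("!HH", buf[:4])
    names = ((0x02, "SYN"), (0x10, "ACK"), (0x01, "FIN"), (0x04, "RST"))
    flags = ", ".join(n for bit, n in names if buf[13] & bit)
    # In this model TCP replaces Protocol and Info only; addresses stay from IP.
    cols.update(Protocol="TCP", Info=f"{sport} -> {dport} [{flags}]")
    return None

def fill_columns(frame):
    """Run each layer in turn; return final columns and a per-layer history."""
    cols, history = {}, []
    step = (dissect_eth, frame)
    while step:
        dissector, payload = step
        step = dissector(payload, cols)
        history.append(dict(cols))  # snapshot after this layer wrote its data
    return cols, history

if __name__ == "__main__":
    final, history = fill_columns(FRAME)
    for layer in history:
        print(layer)
```

Only the last snapshot is what a packet list row would show, which is why lower-layer details such as MAC addresses do not appear there unless no higher-level dissector claims the packet.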
The default columns will show:
- No.: The number of the packet in the capture file. This number won’t change, even if a display filter is used.
- Time: The timestamp of the packet. The presentation format of this timestamp can be changed; see Section 6.12, “Time display formats and time references”.
- Source: The address where this packet is coming from.
- Destination: The address where this packet is going to.
- Protocol: The protocol name in a short (perhaps abbreviated) version.
- Length: The length of each packet.
- Info: Additional information about the packet content.
The first column shows how each packet is related to the selected packet. For example, in the image above the first packet is selected, which is a DNS request. Wireshark shows a rightward arrow for the request itself, followed by a leftward arrow for the response in packet 2. Why is there a dashed line? There are more DNS packets further down that use the same port numbers. Wireshark treats them as belonging to the same conversation and draws a line connecting them.
Table 3.15. Related packet symbols
- First packet in a conversation.
- Part of the selected conversation.
- Not part of the selected conversation.
- Last packet in a conversation.
- Request.
- Response.
- The selected packet acknowledges this packet.
- The selected packet is a duplicate acknowledgement of this packet.
- The selected packet is related to this packet in some other way, e.g. as part of reassembly.
The packet list has an Intelligent Scrollbar which shows a miniature map of nearby packets. Each raster line of the scrollbar corresponds to a single packet, so the number of packets shown in the map depends on your physical display and the height of the packet list. A tall packet list on a high-resolution (“Retina”) display will show you quite a few packets. In the image above the scrollbar shows the status of more than 500 packets along with the 15 shown in the packet list itself.
Right-clicking will show a context menu, described in Figure 6.4, “Pop-up menu of the “Packet List” pane”.