This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

My partner and I are opening the same capture file without filtering, but we both have different information displayed on the screen. What is happening?

asked 01 Jun '12, 11:50

TecnoSaenz's gravatar image

TecnoSaenz
1111
accept rate: 0%

edited 01 Jun '12, 12:26

multipleinterfaces's gravatar image

multipleinte...
1.3k152340

Are you both using the same version of Wireshark? Are your preferences set the same? What kind of differences are you seeing?

(01 Jun '12, 12:24) multipleinte...

There are a number of preference settings in Wireshark that can cause the information to be displayed differently. Some of the more common ones are:

If one of you has network name resolution on and the other one has it off, one of you will see DNS names and the other one will see IP addresses.

If one of you has transport name resolution on and the other one has it off, one of you will see TCP and UDP port names, the other one will see TCP and UDP port numbers.

If one of you has MAC name resolution on and the other one has it off, one of you will see the OUI portion of the MAC address as a friendly name, the other one will see only numerical MAC addresses.

If the two of you have your Time Display Format set differently, you will see different values in the Time column.

If one of you has added any custom columns, he will see information that the other one does not. If one of you has rearranged your display columns, he will see the information laid out differently.

If you have different settings for “Allow subdissector to reassemble TCP streams” the information will be presented differently.

If you have different coloring rules, your packets may be colored differently.

These are just a few. There are many preferences that can cause information to be displayed differently. If you’re both opening the same capture file, then you should both be seeing the same bits. It’s a matter of how the information is displayed.

As @multipleinterfaces asked, what differences are you seeing?

permanent link

answered 01 Jun '12, 13:59

Jim%20Aragon's gravatar image

Jim Aragon
7.2k733118
accept rate: 24%

Maybe your local dns servers resolve ip addresses in the capture file to different names (RFC 1918 addresses). Disable name resolving and compare the results again.

Edit -> Preferences -> Name Resolution -> Enable network name resolution

Uncheck that option.

Regards
Kurt

permanent link

answered 01 Jun '12, 16:31

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 01 Jun '12, 16:36

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×31
×6

question asked: 01 Jun '12, 11:50

question was seen: 2,232 times

last updated: 01 Jun '12, 16:36

p​o​w​e​r​e​d by O​S​Q​A