This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark capture packet color

0

I have a bunch of Apple devices and a TI CC3000 WiFi module. I made the TI device an mDNS advertiser. When I capture packets with Wireshark, I see the mDNS packets from TI are blue color (UDP color code), all other mDNS packets from other devices are Red with white text (TTL low or unexpected).

Using mDNS Watcher app, I can see all Bonjour supported devices but not the TI device. Is this color code telling me something that I am missing?

asked 08 Jul '14, 15:29

lilyhack's gravatar image

lilyhack
11223
accept rate: 0%

One Answer:

0

O.K. the color rule for "TTL low or unexpected" is this

@TTL low or [email protected]( ! ip.dst == 224.0.0.0/4 && ip.ttl < 5 && !pim) || (ip.dst == 224.0.0.0/24 && ip.dst != 224.0.0.251 && ip.ttl != 1 && !(vrrp || carp))@[42148,0,0][60652,61680,60395]

So, the matching rule could be

ip.dst == 224.0.0.0/24 && ip.dst != 224.0.0.251 && ip.ttl != 1 && !(vrrp || carp)

So, the destination address of the mDNS traffic is probably not 224.0.0.251. Is that right? If so, that could explain why you don't see the TI device with your mDNS Watcher app.

Regards
Kurt

answered 08 Jul '14, 17:39

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 08 Jul '14, 17:44

no, the destination address for all the mDNS traffic (including TI) is 224.0.0.251

(08 Jul '14, 17:45) lilyhack

can you post a sample capture file on https://appliance.cloudshark.org/upload/ (or google drive or dropbox)? One frame that is marked like that, should be O.K.

EDIT: Please also add another frame (marked differently) as well!

(08 Jul '14, 17:47) Kurt Knochner ♦

Here it is https://www.cloudshark.org/captures/d72b612860b5 I have mDNS packets only of those two types (blue & red)

(08 Jul '14, 18:14) lilyhack

Although cloudshark.org shows the red coloring for frames 354, 355, etc. this is not the case with my installation of Wireshark, which is the latest development build on Windows 7 x64 (Version 1.12.0-rc2-125-g8a47b3a (v1.12.0-rc2-125-g8a47b3a from master-1.12).

The only difference between the marked and unmarked frames is the TTL.

unmarked: 1
marked: 255

Based on the coloring rule (see my answer) and the TTL in the marked frames (255), they do not deserve the 'Low TTL or unexpected' coloring.

So, I believe this is a bug of the Wireshark version you are using (and probably also cloudshark.org).

Pleas upgrade your Wireshark version and the (pseudo) problem should go away.

(09 Jul '14, 01:20) Kurt Knochner ♦

I am using the latest release build 1.10.8. Upgrade to development version 1.12 resolves the color issue. Thanks.

(09 Jul '14, 10:27) lilyhack

Good.

Hint: If a supplied answer resolves your question can you please "accept" it by clicking the checkmark icon next to it. This highlights good answers for the benefit of subsequent users with the same or similar questions. For extra points you can up vote the answer (thumb up).

(09 Jul '14, 10:33) Kurt Knochner ♦
showing 5 of 6 show 1 more comments