This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Need some help - newbie

0

Hi all, I'm a student at the moment and trying to learn Wireshark and can't seem to get to grips with it. I have been asked if I can get info off a capture and I'm struggling to find the filters. Can anyone help me with a link to learn all this? I wouldn't normally ask but I've googled this and watched YouTube videos and the stuff I have to get out of Wireshark isn't in it and we never got any lessons on it.

asked 02 Dec '16, 15:19

Confusedguy
accept rate: 0%

edited 03 Dec '16, 03:02

You need to be more precise on what the 'stuff you have to get out of wireshark' is.

Learning 'wireshark' has some prerequisites: For example having a basic knowledge of the protocols you are interested in seeing.

As there are thousands that could possibly be present we need to know what you have been asked to get out of the capture in order to provide you some help on filtering.

(03 Dec '16, 11:28) mrEEde

We have to learn to look for configuration of devices, sequence of notable 'events'. Incorrect configuration, network faults, unusual activity. I don't even know where to start.

(03 Dec '16, 11:59) Confusedguy

One Answer:

0

"We have to learn to look for configuration of devices, sequence of notable ‘events’. Incorrect configuration, Network faults, unusual activity. I don't even know where to start."

Well, a good start is probably using the display filter _ws.expert.severity gt "Chat" that gives you all packets that Wireshark flagged as suspicious.

Regards Matthias

answered 04 Dec '16, 03:42

mrEEde
accept rate: 20%
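As an added example (not part of the answer above and not Wireshark project code), the script below shows what the filter _ws.expert.severity gt "Chat" actually does: Wireshark ranks expert items Comment < Chat < Note < Warning < Error (the PI_* constants from proto.h), and "gt Chat" keeps everything from Note upwards. The script assumes you have exported the expert info with tshark as tab-separated fields (an assumed workflow; the command is in the docstring) and triages the hits by severity so you know which frames to look at first. The SAMPLE_TSV is constructed by hand to stand in for a real export.

```python
"""Triage Wireshark expert-info hits exported with tshark (added example).

Assumed export command (tshark options -r, -T fields, -e, -E separator and
-E aggregator are real; the file names are placeholders):

  tshark -r capture.pcapng -T fields \
         -e frame.number -e _ws.expert.severity -e _ws.expert.message \
         -E separator=/t -E aggregator='|' > expert.tsv

One line per packet; a packet with several expert items has its severities
and messages joined by the aggregator character.
"""
from collections import Counter
from typing import Dict, List, NamedTuple

# Severity levels as Wireshark defines them (PI_* constants in proto.h),
# lowest to highest. The display filter 'gt "Chat"' keeps Note and above.
SEVERITY_VALUES = {
    "Comment": 0x00100000,
    "Chat": 0x00200000,
    "Note": 0x00400000,
    "Warning": 0x00600000,
    "Error": 0x00800000,
}
_BY_VALUE = {v: k for k, v in SEVERITY_VALUES.items()}


class ExpertItem(NamedTuple):
    frame: int
    severity: str  # canonical name: Comment / Chat / Note / Warning / Error
    message: str


def canonical_severity(token: str) -> str:
    """Map a severity token to its canonical name.

    Accepts the textual form ("Warning", "warn") or the numeric PI_* value
    that tshark may print for the field ("6291456").
    """
    t = token.strip()
    if t.isdigit():
        name = _BY_VALUE.get(int(t))
    else:
        name = {"WARN": "Warning"}.get(t.upper(), t.capitalize())
    if name not in SEVERITY_VALUES:
        raise ValueError(f"unknown expert severity: {token!r}")
    return name


def severity_rank(sev: str) -> int:
    """Numeric rank, so severities compare the way the display filter does."""
    return SEVERITY_VALUES[canonical_severity(sev)]


def parse_expert_tsv(text: str, aggregator: str = "|") -> List[ExpertItem]:
    """Parse 'frame<TAB>severities<TAB>messages' lines into ExpertItems."""
    items: List[ExpertItem] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        frame, sev_field, msg_field = line.split("\t")
        sevs = sev_field.split(aggregator)
        msgs = msg_field.split(aggregator)
        if len(sevs) != len(msgs):
            raise ValueError(f"frame {frame}: {len(sevs)} severities vs {len(msgs)} messages")
        for s, m in zip(sevs, msgs):
            items.append(ExpertItem(int(frame), canonical_severity(s), m))
    return items


def above(items: List[ExpertItem], threshold: str = "Chat") -> List[ExpertItem]:
    """Reproduce the display filter  _ws.expert.severity gt "<threshold>"."""
    bar = severity_rank(threshold)
    return [it for it in items if severity_rank(it.severity) > bar]


def summarize(items: List[ExpertItem]) -> Dict[str, Counter]:
    """Count messages per severity, most severe first."""
    out: Dict[str, Counter] = {}
    for it in sorted(items, key=lambda it: -severity_rank(it.severity)):
        out.setdefault(it.severity, Counter())[it.message] += 1
    return out


def frames_at_or_above(items: List[ExpertItem], threshold: str = "Warning") -> List[int]:
    """Frame numbers worth opening first in the packet list."""
    bar = severity_rank(threshold)
    return sorted({it.frame for it in items if severity_rank(it.severity) >= bar})


# Constructed sample export (messages are real tcp.analysis expert texts,
# frame numbers made up). Frame 7 shows the numeric form of "Warning".
SAMPLE_TSV = """\
1\tChat\tConnection establish request (SYN): server port 443
4\tNote|Warning\tDuplicate ACK (#1)|Previous segment not captured (common at capture start)
7\t6291456\tZero window
9\tError\tMalformed Packet (Exception occurred)
12\tnote\tThis frame is a (suspected) retransmission
"""

if __name__ == "__main__":
    hits = parse_expert_tsv(SAMPLE_TSV)
    for sev, counts in summarize(above(hits, "Chat")).items():
        for msg, n in counts.most_common():
            print(f"{sev:8} x{n}  {msg}")
    print("look first at frames:", frames_at_or_above(hits, "Warning"))
```

Chat-level items (plain TCP handshakes, for instance) are informational, which is why the answer's threshold excludes them; the Warning and Error groups are where retransmissions, zero windows and malformed packets show up, and those are the frames to open first.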

Thank you very much, it has shown 5 and some are black with red writing and some are red with yellow writing and one is blue. How would I be able to see the configuration of the devices?

(04 Dec '16, 06:09) Confusedguy

Well, you certainly will not see the 'configuration' of the 'devices' in the trace. You need to spot what is unusual behaviour, compare it to what you'd expect to see in optimized configurations and draw your conclusions based on what you see in the trace. This requires a lot of experience (years) and is certainly impossible for a newbie to do. You might get better answers if you provide the capture file in a public space like Dropbox etc. But I guess the point of your teacher is not to get this (homework?) done by others for you.

Sorry, but this type of education is not something that can be done using this Q&A site. Regards Matthias

(04 Dec '16, 06:54) mrEEde