This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I am a newbie with Wireshark using V2.2.1 on Windows x64. I am taking a CBT Nuggets course and covering the GUI section right now. The session shows the "Go to the previous packet" and "Go to the next packet" arrow icons following the history of packets examined during a session. But selecting packets 1, 10, 20, 30 and then using "Go to the previous packet" simply takes me from 30 to 29 instead of 20, the last packet I was viewing. Likewise next just takes me to 'packet+1'. I also tried the "next/previous packet in conversation" with the same result, though I expect that is for something other than simply browsing the packet list.

Any help would be appreciated.

BR, -Scott

asked 23 Jan '17, 07:57

spkay31


This is to be expected for the Qt version; that's exactly what those buttons do: move to the next or previous packet in the packet list.

If you have a display filter enabled then the buttons move to the next/previous displayed packet.

The next/previous conversation buttons are useful for some protocols that have "conversations" between the two endpoints and allow navigation between the packets in the conversation without having to set a display filter.

I think that a lot of the existing Wireshark courses and tutorials that are written around the legacy GTK interface might need to be updated as there are differences, mostly intentional.

answered 23 Jan '17, 09:20

grahamb ♦

edited 24 Jan '17, 04:12

Thanks for the help. I was asking specifically because the course I am taking is demonstrating GUI usage with an earlier version (I think 1.8.5) and the instructor was covering the utility of the "next" "previous" packet button when browsing manually through a large set of packets. So for instance he is showing looking at packet 1 then jumping to packet 15 and then 30 and using the "previous" "next" to hop back and forth between those three, indicating the packet viewing history is maintained (showing that in the course demo). I was assuming this must be a behavior that was either removed in the newer version or needs to be enabled via some properties settings in the GUI. Based on your reply this is simply how the "previous" "next" buttons work and no browsing history is remembered.

(23 Jan '17, 12:33) spkay31

@grahamb: I'm not sure this is correct - in Legacy GTK Wireshark, the next/previous behave exactly as @spkay31 says, jumping to the next/previously selected packet, not adjacent packets in the list.

Nobody needs an equivalent of up/down keys, but jumping in a "history list" of viewed packets makes sense. So I think this functionality is either broken (compared to GTK), or implemented differently (meaning, it's inconsistent with GTK).

(24 Jan '17, 01:35) Jasper ♦♦

So it does. The tooltips on the GTK buttons also refer to packet history, so not only is the functionality different, the labelling is as well, leading me to think the change was possibly intentional.

We also have buttons that go to the first and last packets that replicate "Home" and "End" functionality so toolbar button replication of functions also bound to keys isn't odd in itself.

I don't have time to look into the code at the moment, but the difference would imply the GTK version is maintaining a history list of packets visited, along with a pointer into the list that is moved when the buttons are clicked. This may be explicit code, or a property of the GTK list view; the latter is a more likely explanation of the differences.

If users would like to see the Qt version changed to replicate the GTK behaviour, then raising a bug on the Wireshark Bugzilla is the appropriate place if there isn't one already there.

I'll add an edit to my answer noting that I only tested the Qt version.

(24 Jan '17, 04:10) grahamb ♦

Thanks for following up with this reply. Good to know I didn't waste my time posting this question. I thought the functionality was both useful and probably involved enough code that I would be surprised if it was intentionally removed in a later version. When you are referring to GTK, are you talking about an earlier Wireshark implementation that was based on another toolkit (GTK), and later versions are now based on Qt? Do some people prefer to use the old GTK version due to changes introduced in the new GTK version?

(25 Jan '17, 08:22) spkay31

The original GUI for Wireshark was GTK for all platforms. For various reasons it was decided to move to Qt as blogged here.

The current status of work is that the Qt version is mostly complete, there are some bugs and things that haven't been implemented yet, and there are quite a few things that have been done differently (hopefully for the better). The Qt version will be the only version distributed on macOS and Windows for the next release (2.4), although you should still be able to build the GTK version if you wish. Some current development work for new UI features is likely to be only in the Qt version.

It would help enormously if everyone who can tries the Qt version and reports any bugs found at the Wireshark Bugzilla.

(25 Jan '17, 09:47) grahamb ♦
question asked: 23 Jan '17, 07:57

question was seen: 918 times

last updated: 25 Jan '17, 09:47
