This file is indexed.

/usr/share/doc/wireshark-doc/wsug_html_chunked/ChAdvExpert.html is in wireshark-doc 2.0.2+ga16e22e-1.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below.

<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>7.3. Expert Information</title><link rel="stylesheet" type="text/css" href="ws.css"><meta name="generator" content="DocBook XSL Stylesheets V1.79.1"><link rel="home" href="index.html" title="Wireshark User Guide"><link rel="up" href="ChapterAdvanced.html" title="Chapter 7. Advanced Topics"><link rel="prev" href="ChAdvFollowTCPSection.html" title="7.2. Following TCP streams"><link rel="next" href="ChAdvTimestamps.html" title="7.4. Time Stamps"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ChAdvExpert"></a>7.3. Expert Information</h2></div></div></div><p>Expert infos are a kind of log of the anomalies found by Wireshark in a
capture file.</p><p>The general idea behind &#8220;Expert Info&#8221; is to have a better
display of &#8220;uncommon&#8221; or just notable network behaviour. This way, both novice
and expert users will hopefully find probable network problems a lot faster
than by scanning the packet list &#8220;manually&#8221;.</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Warning: Expert infos are only a hint"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Warning]" src="wsug_graphics/warning.svg"></td><th align="left">Expert infos are only a hint</th></tr><tr><td align="left" valign="top"><p>Take expert infos as a hint about what&#8217;s worth looking at, but nothing more. For example,
the absence of expert infos doesn&#8217;t necessarily mean everything is OK.</p></td></tr></table></div><p>The number of expert infos largely depends on the protocol being used. While
some common protocols like TCP/IP will show detailed expert infos, most other
protocols currently won&#8217;t show any expert infos at all.</p><p>The following sections first describe the components of a single expert info, then
the user interface.</p><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="ChAdvExpertInfoEntries"></a>7.3.1. Expert Info Entries</h3></div></div></div><p>Each expert info contains the following items, which are described in
detail below.</p><div class="table"><a name="ChAdvTabExpertInfoEntries"></a><p class="title"><b>Table 7.1. Some example expert infos</b></p><div class="table-contents"><table class="table" summary="Some example expert infos" border="1"><colgroup><col class="col_1"><col class="col_2"><col class="col_3"><col class="col_4"><col class="col_5"></colgroup><thead><tr><th align="left" valign="top">Packet #</th><th align="left" valign="top">Severity</th><th align="left" valign="top">Group</th><th align="left" valign="top">Protocol</th><th align="left" valign="top">Summary</th></tr></thead><tbody><tr><td align="left" valign="top"><p>1</p></td><td align="left" valign="top"><p>Note</p></td><td align="left" valign="top"><p>Sequence</p></td><td align="left" valign="top"><p>TCP</p></td><td align="left" valign="top"><p>Duplicate ACK (#1)</p></td></tr><tr><td align="left" valign="top"><p>2</p></td><td align="left" valign="top"><p>Chat</p></td><td align="left" valign="top"><p>Sequence</p></td><td align="left" valign="top"><p>TCP</p></td><td align="left" valign="top"><p>Connection reset (RST)</p></td></tr><tr><td align="left" valign="top"><p>8</p></td><td align="left" valign="top"><p>Note</p></td><td align="left" valign="top"><p>Sequence</p></td><td align="left" valign="top"><p>TCP</p></td><td align="left" valign="top"><p>Keep-Alive</p></td></tr><tr><td align="left" valign="top"><p>9</p></td><td align="left" valign="top"><p>Warn</p></td><td align="left" valign="top"><p>Sequence</p></td><td align="left" valign="top"><p>TCP</p></td><td align="left" valign="top"><p>Fast retransmission (suspected)</p></td></tr></tbody></table></div></div><br class="table-break"><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="ChAdvExpertSeverity"></a>7.3.1.1. Severity</h4></div></div></div><p>Every expert info has a specific severity level. The following severity levels
are used; the color in which the items are marked in the GUI is given in
parentheses:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<span class="emphasis"><em>Chat (grey)</em></span>: information about usual workflow, e.g. a TCP packet with the
  SYN flag set
</li><li class="listitem">
<span class="emphasis"><em>Note (cyan)</em></span>: notable things, e.g. an application returned a &#8220;usual&#8221;
  error code like HTTP 404
</li><li class="listitem">
<span class="emphasis"><em>Warn (yellow)</em></span>: warning, e.g. application returned an &#8220;unusual&#8221; error
  code like a connection problem
</li><li class="listitem">
<span class="emphasis"><em>Error (red)</em></span>: serious problem, e.g. [Malformed Packet]
</li></ul></div></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="ChAdvExpertGroup"></a>7.3.1.2. Group</h4></div></div></div><p>There are some common groups of expert infos. The following are currently implemented:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
<span class="emphasis"><em>Checksum</em></span>: a checksum was invalid
</li><li class="listitem">
<span class="emphasis"><em>Sequence</em></span>: protocol sequence suspicious, e.g. sequence wasn&#8217;t continuous or
  a retransmission was detected or &#8230;
</li><li class="listitem">
<span class="emphasis"><em>Response Code</em></span>: problem with application response code, e.g. HTTP 404 page
  not found
</li><li class="listitem">
<span class="emphasis"><em>Request Code</em></span>: an application request (e.g. File Handle == x), usually Chat
  level
</li><li class="listitem">
<span class="emphasis"><em>Undecoded</em></span>: dissector incomplete or data can&#8217;t be decoded for other reasons
</li><li class="listitem">
<span class="emphasis"><em>Reassemble</em></span>: problems while reassembling, e.g. not all fragments were
  available or an exception happened while reassembling
</li><li class="listitem">
<span class="emphasis"><em>Protocol</em></span>: violation of protocol specs (e.g. invalid field values or
  illegal lengths), dissection of this packet is probably continued
</li><li class="listitem">
<span class="emphasis"><em>Malformed</em></span>: malformed packet or dissector has a bug, dissection of this
  packet aborted
</li><li class="listitem">
<span class="emphasis"><em>Debug</em></span>: debugging (should not occur in release versions)
</li></ul></div><p>It&#8217;s possible that more groups will be added in the future.</p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="ChAdvExpertProtocol"></a>7.3.1.3. Protocol</h4></div></div></div><p>The protocol in which the expert info was raised.</p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="ChAdvExpertSummary"></a>7.3.1.4. Summary</h4></div></div></div><p>Each expert info will also have a short additional text with some further explanation.</p></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="ChAdvExpertDialog"></a>7.3.2. &#8220;Expert Info&#8221; dialog</h3></div></div></div><p>You can open the expert info dialog by selecting <span class="guimenu">Analyze</span> &#8594; <span class="guimenuitem">Expert Info</span>.</p><div class="figure"><a name="idp72349904"></a><p class="title"><b>Figure 7.2. The &#8220;Expert Info&#8221; dialog box</b></p><div class="figure-contents"><div class="mediaobject"><img src="wsug_graphics/ws-expert-infos.png" alt="wsug_graphics/ws-expert-infos.png"></div></div></div><br class="figure-break"><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="ChAdvExpertDialogTabs"></a>7.3.2.1. Errors / Warnings / Notes / Chats tabs</h4></div></div></div><p>An easy and quick way to find the most interesting infos (rather than using the
Details tab), is to have a look at the separate tabs for each severity level. As
the tab label also contains the number of existing entries, it&#8217;s easy to find
the tab with the most important entries.</p><p>There are usually a lot of identical expert infos only differing in the packet
number. These identical infos will be combined into a single line, with a count
column showing how often they appeared in the capture file. Clicking on the plus
sign shows the individual packet numbers in a tree view.</p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="ChAdvExpertDialogDetails"></a>7.3.2.2. Details tab</h4></div></div></div><p>The Details tab provides the expert infos in a &#8220;log like&#8221; view, each entry on
its own line (much like the packet list). As the amount of expert infos for a
capture file can easily become very large, getting an idea of the interesting
infos with this view can take quite a while. The advantage of this tab is that
all entries are listed in the sequence in which they appeared, which sometimes
helps to pinpoint problems.</p></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="ChAdvExpertColorizedTree"></a>7.3.3. &#8220;Colorized&#8221; Protocol Details Tree</h3></div></div></div><div class="figure"><a name="idp72359504"></a><p class="title"><b>Figure 7.3. The &#8220;Colorized&#8221; protocol details tree</b></p><div class="figure-contents"><div class="mediaobject"><img src="wsug_graphics/ws-expert-colored-tree.png" alt="wsug_graphics/ws-expert-colored-tree.png"></div></div></div><br class="figure-break"><p>The protocol field causing an expert info is colorized, e.g. uses a cyan
background for a note severity level. This color is propagated to the toplevel
protocol item in the tree, so it&#8217;s easy to find the field that caused the expert
info.</p><p>For the example screenshot above, the IP &#8220;Time to live&#8221; value is very low
(only 1), so the corresponding protocol field is marked with a cyan background.
To make that item easier to find in the packet tree, the IP protocol toplevel item is
marked cyan as well.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="ChAdvExpertColumn"></a>7.3.4. &#8220;Expert&#8221; Packet List Column (optional)</h3></div></div></div><div class="figure"><a name="idp72365472"></a><p class="title"><b>Figure 7.4. The &#8220;Expert&#8221; packet list column</b></p><div class="figure-contents"><div class="mediaobject"><img src="wsug_graphics/ws-expert-column.png" alt="wsug_graphics/ws-expert-column.png"></div></div></div><br class="figure-break"><p>An optional &#8220;Expert Info Severity&#8221; packet list column is available that
displays the most significant severity of a packet or stays empty if everything
seems OK. This column is not displayed by default but can be easily added using
the Preferences Columns page described in <a class="xref" href="ChCustPreferencesSection.html" title="10.5. Preferences">Section 10.5, &#8220;Preferences&#8221;</a>.</p></div></div></body></html>
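
The grouping done by the severity tabs (section 7.3.2.1) and the per-packet value shown by the optional "Expert Info Severity" column (section 7.3.4), as an added example that is not Wireshark code and not part of the original guide. The record layout follows the columns of Table 7.1; `SAMPLE`, `group_by_severity` and `packet_severity` are hypothetical names, the rows beyond the four from Table 7.1 are constructed, and the sort order inside a tab is this example's choice.

```python
from collections import defaultdict

# Severity levels from section 7.3.1.1, least to most significant.
SEVERITY_ORDER = ["Chat", "Note", "Warn", "Error"]
RANK = {name: i for i, name in enumerate(SEVERITY_ORDER)}

# Constructed records (packet, severity, group, protocol, summary): the four
# rows of Table 7.1 plus invented rows so that grouping has something to do.
SAMPLE = [
    (1, "Note", "Sequence", "TCP", "Duplicate ACK (#1)"),
    (2, "Chat", "Sequence", "TCP", "Connection reset (RST)"),
    (8, "Note", "Sequence", "TCP", "Keep-Alive"),
    (9, "Warn", "Sequence", "TCP", "Fast retransmission (suspected)"),
    (9, "Note", "Sequence", "TCP", "Keep-Alive"),
    (14, "Note", "Sequence", "TCP", "Keep-Alive"),
    (17, "Warn", "Sequence", "TCP", "Fast retransmission (suspected)"),
]


def group_by_severity(records):
    """Combine identical infos per severity: one line with count and packets."""
    tabs = {name: defaultdict(list) for name in SEVERITY_ORDER}
    for packet, severity, group, protocol, summary in records:
        if severity not in RANK:
            raise ValueError(f"unknown severity {severity!r} in packet {packet}")
        tabs[severity][(group, protocol, summary)].append(packet)
    result = {}
    for name, lines in tabs.items():
        rows = [(key, len(pkts), sorted(pkts)) for key, pkts in lines.items()]
        # Assumption of this example: most frequent line first within a tab.
        rows.sort(key=lambda row: (-row[1], row[0]))
        result[name] = rows
    return result


def packet_severity(records):
    """Most significant severity per packet; packets without infos are absent."""
    worst = {}
    for packet, severity, *_ in records:
        if packet not in worst or RANK[severity] > RANK[worst[packet]]:
            worst[packet] = severity
    return worst


if __name__ == "__main__":
    for name, rows in reversed(list(group_by_severity(SAMPLE).items())):
        for (group, protocol, summary), count, packets in rows:
            print(f"{name:5} {group:9} {protocol:4} {count:2}x {summary} {packets}")
    print(packet_severity(SAMPLE))
```

A packet that is missing from the `packet_severity` result only means no dissector flagged it, which matches the guide's warning that the absence of expert infos does not prove everything is OK.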