Mastering Wireshark 2

Annotating and printing packets

In this section, we'll take a look at the following subtopics:

  • How to use the new annotation feature, also known as comments
  • How to find packets that have annotations (there are several ways to do so)
  • How to print packets

Now, let's get some packets to work with. I'm going to start a quick capture.

To create a comment for an entire packet capture, use the bottom left-hand corner of Wireshark. You'll see two icons down there: a circle icon for the expert information, which we'll get into in a future section, and a pencil on a packet capture icon. If you mouse over the pencil icon, the tooltip says Open the Capture File Properties dialog:

Click on that and a pop-up window opens that gives you a bunch of different information about the capture itself. At the bottom there's a section called File Comment, where you can enter whatever description you want for the entire packet capture. So maybe this is, Capture from the management PC to the server. Data appears slow. Click on the Save Comments button, and this will save the comment for you:

You'll also see that the File Comment appeared at the bottom of the top pane when I clicked on Save Comments.

You can also create comments for individual packets. To do so, select the packet you want to comment on, right-click on it, and go to Packet Comment.... A little pop-up window appears for you to enter your packet comment, so let's say, This packet looks bad. or whatever you might want to enter:

Click on OK. When you do so, you'll see that a Packet comments section appears in the packet details area, highlighted in bright green so it stands out. If you expand it, it shows you the comment that you've entered:

Now, if I select a different packet, the section doesn't show up; if I go back to the packet I commented on, it displays again. So you might be wondering: how do I find packets within a capture that have comments? There are multiple ways of doing this. One of them is to right-click on the Packet comments field in the details area and go to Apply as Column. When you click on that, it creates a column that shows whether or not each packet has a comment:

Additionally, I can go to the expert info button I was talking about in the bottom left-hand corner. When you click on that, it gives us a whole bunch of information about our capture, which we'll ignore for now. But at the very bottom, there's the Comment section, and it will say that packet number 7 has a comment, as shown in the following screenshot:

Now what's interesting is, if I move this to the side and we go select a different packet—and we'll go all the way to the bottom and choose packet number 60—and then if I click on the comment in packet number 7, you'll see that the packet list automatically jumps up to packet 7, selects it for me, and shows me the comment. Isn't that nice?

A third way to find packet comments is to right-click on Packet comments and then go to Apply as Filter | Selected:

When you do so, it filters your packet list by pkt_comment, which is the field name for whether or not a packet has a comment in it. You'll see here that packet number 7 is now the only packet showing, because that's the only one we've made a comment for:

So, if I clear this, add another comment, Comment 2, on a different packet, and then reapply my filter on Packet comments, we can see that we have two packets there. So that's another way of finding the packets that carry comments:
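The file comment and the per-packet comments above are both stored in the capture file as pcapng opt_comment options (option code 1): on the Section Header Block for the file comment and on each Enhanced Packet Block for a packet comment, which is what the pkt_comment filter matches. The following added example, which is not code from the book or from the Wireshark project, builds a minimal little-endian pcapng in memory with both kinds of comment and then walks the blocks to list which frame numbers carry a comment, the same answer the Apply as Filter | Selected step gives in the GUI. The packet payloads and comment strings are constructed sample data.

```python
import struct

# pcapng block types and option codes, as defined in the pcapng specification
SHB_TYPE = 0x0A0D0D0A
IDB_TYPE = 0x00000001
EPB_TYPE = 0x00000006
OPT_ENDOFOPT = 0
OPT_COMMENT = 1            # shown by Wireshark as "Packet comments" / pkt_comment on an EPB
BYTE_ORDER_MAGIC = 0x1A2B3C4D


def _pad4(data):
    """Pad a byte string to a 32-bit boundary, as pcapng requires."""
    return data + b"\x00" * (-len(data) % 4)


def _options(comment):
    """Encode an option list holding one opt_comment, or nothing when there is no comment."""
    if comment is None:
        return b""
    value = comment.encode("utf-8")
    return (struct.pack("<HH", OPT_COMMENT, len(value)) + _pad4(value)
            + struct.pack("<HH", OPT_ENDOFOPT, 0))


def _block(block_type, body):
    """Wrap a block body with the type and the leading/trailing total-length fields."""
    total = 12 + len(body)
    return struct.pack("<II", block_type, total) + body + struct.pack("<I", total)


def build_pcapng(packets, file_comment=None):
    """packets is a list of (payload_bytes, comment_or_None); returns the pcapng file bytes."""
    shb = _block(SHB_TYPE, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1) + _options(file_comment))
    # Interface Description Block: link type 1 (Ethernet), snaplen 65535, no options
    idb = _block(IDB_TYPE, struct.pack("<HHI", 1, 0, 65535))
    epbs = b""
    for i, (payload, comment) in enumerate(packets):
        # interface id 0, timestamp high/low (constructed: i), captured and original length
        body = struct.pack("<IIIII", 0, 0, i, len(payload), len(payload)) + _pad4(payload) + _options(comment)
        epbs += _block(EPB_TYPE, body)
    return shb + idb + epbs


def _parse_options(buf):
    """Decode a pcapng option list into {code: raw_value}; an empty buffer means no options."""
    opts = {}
    off = 0
    while off + 4 <= len(buf):
        code, length = struct.unpack_from("<HH", buf, off)
        off += 4
        if code == OPT_ENDOFOPT:
            break
        opts[code] = buf[off:off + length]
        off += length + (-length % 4)
    return opts


def find_comments(data):
    """Return (file_comment, {frame_number: packet_comment}) for a little-endian pcapng."""
    file_comment = None
    packet_comments = {}
    frame = 0
    off = 0
    while off + 12 <= len(data):
        block_type, total = struct.unpack_from("<II", data, off)
        if total < 12 or off + total > len(data):
            raise ValueError("malformed block length at offset %d" % off)
        body = data[off + 8:off + total - 4]
        if block_type == SHB_TYPE:
            if struct.unpack_from("<I", body, 0)[0] != BYTE_ORDER_MAGIC:
                raise ValueError("this example only handles little-endian sections")
            opts = _parse_options(body[16:])          # after magic, version and section length
            if OPT_COMMENT in opts:
                file_comment = opts[OPT_COMMENT].decode("utf-8")
        elif block_type == EPB_TYPE:
            frame += 1                                # Wireshark numbers frames from 1
            cap_len = struct.unpack_from("<I", body, 12)[0]
            opts = _parse_options(body[20 + cap_len + (-cap_len % 4):])
            if OPT_COMMENT in opts:
                packet_comments[frame] = opts[OPT_COMMENT].decode("utf-8")
        off += total
    return file_comment, packet_comments


def commented_frames(data):
    """Frame numbers that a pkt_comment display filter would keep."""
    return sorted(find_comments(data)[1])


if __name__ == "__main__":
    capture = build_pcapng(
        [(b"\x00" * 14, None), (b"\x11" * 20, "This packet looks bad."),
         (b"\x22" * 7, None), (b"\x33" * 3, "Comment 2")],
        file_comment="Capture from the management PC to the server. Data appears slow.")
    print(find_comments(capture))
    print(commented_frames(capture))
```

Because a comment is just another option on the block, it survives Save As in pcapng format but is silently dropped if the capture is saved as classic pcap, so check the file format before relying on annotations for hand-off between analysts.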

To print your capture or an individual packet, go to File | Print.... You'll see a number of options here that look similar to the save and export dialog. We can print a Summary line for each packet, and if you uncheck this you'll see the preview change as you go, so you can get an idea of how the output will look. The summary line gives us information about each individual packet in the list and looks much like the packet list view: one line for packet 1 with some information about it, then another summary line for packet 2 and some information about it, and so on. That's a handy one to have on.

Details: shows the packet details list, with the information about the different protocols, and we can turn that on or off. If I turn it off, the output is basically just the packet list view, so I'm going to leave it on. I could also include the Bytes if I really needed to. You're not going to want to do that for a lot of packets, since the printout would obviously be very large, but if I turn it on it shows the actual byte information, as in the bytes pane at the bottom. I'll keep that off for now. Notice that in the bottom section, just as in the export dialog, you can choose the option Selected packets only or All packets. You can also select Marked packets only:

How to mark packets
Right-click on a packet and mark it, or press Ctrl + M. You can mark a whole bunch of them, and they can be anywhere in the capture; they don't have to be contiguous. We'll mark up a bunch.

We'll go ahead and print this, and you can see the file that we printed. I printed it as a PDF so that it would be easy to show you. The summary line for each packet is displayed here. The summary line, which is basically the packet list line, includes the packet number assigned when the packet came in, the source and destination, the protocol, and so on, along with the details we asked it to print. So that's the very basic information about which protocols were involved in each captured packet:

So, in this section, you learned how to create annotations, or comments, for your packet capture as a whole and for individual packets; how to view and find them in different places in the interface, such as a column, a filter, the packet details view, or the expert information; and, additionally, how to print packets. Next up is remote capture setup. We'll go over how to capture data from a remote machine running libpcap, using your local Wireshark GUI.