Wireshark - 1.9 User Guide

Advanced Topics
The following will first describe the components of a single expert info, then the User Interface.
7.3.1. Expert Info Entries
Each expert info contains the following items, each of which is described in detail below:
Table 7.1. Some example expert infos

Packet #  Severity  Group     Protocol  Summary
1         Note      Sequence  TCP       Duplicate ACK (#1)
2         Chat      Sequence  TCP       Connection reset (RST)
8         Note      Sequence  TCP       Keep-Alive
9         Warn      Sequence  TCP       Fast retransmission (suspected)
7.3.1.1. Severity
Every expert info has a specific severity level. The following severity levels are used; the color in which
items of that level are marked in the GUI is given in parentheses:
• Chat (grey): information about the usual workflow, e.g. a TCP packet with the SYN flag set
• Note (cyan): notable things, e.g. an application returned a "usual" error code like HTTP 404
• Warn (yellow): warning, e.g. an application returned an "unusual" error code like a connection problem
• Error (red): serious problem, e.g. [Malformed Packet]
7.3.1.2. Group
There are some common groups of expert infos. The following are currently implemented:
• Checksum: a checksum was invalid
• Sequence: protocol sequence suspicious, e.g. the sequence wasn't continuous or a retransmission was
detected or ...
• Response Code: problem with an application response code, e.g. HTTP 404 page not found
• Request Code: an application request (e.g. File Handle == x), usually Chat level
• Undecoded: dissector incomplete or data can't be decoded for other reasons
• Reassemble: problems while reassembling, e.g. not all fragments were available or an exception
happened while reassembling
• Protocol: violation of protocol specs (e.g. invalid field values or illegal lengths), dissection of this packet
is probably continued
• Malformed: malformed packet or dissector has a bug, dissection of this packet aborted
• Debug: debugging (should not occur in release versions)
It's possible that more such group values will be added in the future ...
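The severity and group fields above are what an analyst sorts and counts on when triaging a large capture. The following added example (not part of the Wireshark guide) parses expert infos exported from a capture as tab-separated fields and ranks them by the severity order given in Section 7.3.1.1; it assumes the tshark field names _ws.expert.severity, _ws.expert.group and _ws.expert.message and the option -E aggregator=| to join multiple entries per packet, and its sample input is constructed, not taken from a real capture.

```python
from collections import Counter

# Severity order from the guide: Chat < Note < Warn < Error.
SEVERITY_RANK = {"Chat": 0, "Note": 1, "Warn": 2, "Error": 3}

# Constructed sample of what this (assumed) tshark invocation would print:
#   tshark -r capture.pcap -T fields -E separator=/t -E aggregator='|' \
#       -e frame.number -e _ws.expert.severity -e _ws.expert.group -e _ws.expert.message
# A packet with several expert infos has its values joined with "|".
SAMPLE_TSV = (
    "1\tNote\tSequence\tDuplicate ACK (#1)\n"
    "2\tChat\tSequence\tConnection reset (RST)\n"
    "8\tNote\tSequence\tKeep-Alive\n"
    "9\tWarn\tSequence\tFast retransmission (suspected)\n"
    "12\tError|Chat\tMalformed|Sequence\tMalformed Packet|Connection establish request (SYN)\n"
)

def parse_expert_tsv(text, aggregator="|"):
    """Return one dict per expert info entry: frame, severity, group, message."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        frame, sev, grp, msg = line.split("\t")
        cols = [c.split(aggregator) for c in (sev, grp, msg)]
        if len({len(c) for c in cols}) != 1:
            raise ValueError(f"frame {frame}: severity/group/message counts differ")
        for severity, group, message in zip(*cols):
            if severity not in SEVERITY_RANK:
                raise ValueError(f"frame {frame}: unknown severity {severity!r}")
            entries.append({"frame": int(frame), "severity": severity,
                            "group": group, "message": message})
    return entries

def count_by_severity_group(entries):
    """Counter keyed by (severity, group), e.g. ('Note', 'Sequence') -> 2."""
    return Counter((e["severity"], e["group"]) for e in entries)

def at_least(entries, min_severity):
    """Entries at or above min_severity, most severe first, then by frame number."""
    floor = SEVERITY_RANK[min_severity]
    hits = [e for e in entries if SEVERITY_RANK[e["severity"]] >= floor]
    return sorted(hits, key=lambda e: (-SEVERITY_RANK[e["severity"]], e["frame"]))

if __name__ == "__main__":
    ents = parse_expert_tsv(SAMPLE_TSV)
    for (sev, grp), n in sorted(count_by_severity_group(ents).items()):
        print(f"{sev:5} {grp:10} {n}")
    for e in at_least(ents, "Warn"):
        print(f"frame {e['frame']}: {e['severity']} / {e['group']}: {e['message']}")
```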