Conversations

One of the most interesting ways to analyze network traffic is by looking at it from a conversations standpoint. This bins traffic by source and destination, giving a fine-grained picture of which stations were responsible for the most traffic, which routers were the busiest, and which routers had the most clients.

Analyzing Conversations in a Pcap

You can see the network endpoints, or members of a network that initiate/terminate conversation and communication, by picking Statistics > Endpoints. This shows a list of endpoints and statistics.

You can see the conversations between two endpoints by picking Statistics > Conversations, which will show a window with a list of IP address pairs and various statistics of each conversation.

Endpoints/Conversations are useful for troubleshooting lots of traffic, or determining which server is busiest.

Wireshark can be used to capture and analyze traffic itself, or you can create a pcap file using a utility like tcpdump (see the Tcpdump page). The utility will create the pcap file. Once it's done, load the file into Wireshark.

By clicking the "Copy" button at the bottom of the window, you can copy the entire contents of the table to the clipboard, then paste it into emacs or vim.

Wireshark a Swiss-army knife for analyzing networks, network traffic, and pcap files. Wireshark  · Category:Wireshark Packet Analysis  · Wireshark/Advanced Wireshark/HTTPS  · Wireshark/Traffic Analysis  · Wireshark/Conversation Analysis  · Wireshark/Protocol Analysis Working with SSL/TLS/HTTPS: MITM Labs/Decrypting HTTPS Traffic by Obtaining Browser SSL Session Info  · MITM Labs/Decrypting HTTPS Traffic with Private Key File Flags  · Template:WiresharkFlag  · e