
Wireshark Annotation

One of the toughest things to do when analyzing packets is documentation.

I rely on my Tracefile Workbook to make notes when I need to reference a specific packet or event.

Wireshark added a pretty cool feature to help with this process. It is called the Annotation feature. There are two types of annotation: File and Packet.

The File annotation allows you to make notes about the trace file itself. Good items to record here include the test environment, the use of span ports, what is being tested, and a description of the issue.

The Packet annotation allows you to make notes within specific packets. For example, you might want to make a note on the packet that caused the application error, or mark the packet that represents when the client clicked submit.

As I mentioned in the video, the key here is to make sure you save the trace file with the proper file extension of pcapng to retain these notes.
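The reason pcapng retains the notes is that the format stores them as `opt_comment` options (option code 1) inside the Section Header Block for File annotations and inside each Enhanced Packet Block for Packet annotations; the classic pcap format has no option fields to hold them. The following is an added example, not code from the original post or from Wireshark: a small reader that pulls both kinds of annotation out of pcapng bytes. The function names and the sample capture are constructed for illustration, and it assumes a little-endian file whose packets are Enhanced Packet Blocks.

```python
import struct

SHB, IDB, EPB = 0x0A0D0D0A, 1, 6   # pcapng block types
OPT_END, OPT_COMMENT = 0, 1        # option codes valid in every block

def comment_opt(text):
    raw = text.encode()            # code, length, value padded to 32 bits, end marker
    return struct.pack("<HH", OPT_COMMENT, len(raw)) + raw + bytes(-len(raw) % 4) + bytes(4)

def block(btype, body):
    total = struct.pack("<I", len(body) + 12)   # length is stored before and after the body
    return struct.pack("<I", btype) + total + body + total

def comments_in(opts):
    found, off = [], 0
    while off + 4 <= len(opts):
        code, length = struct.unpack_from("<HH", opts, off)
        if code == OPT_END:
            break
        if code == OPT_COMMENT:
            found.append(opts[off + 4:off + 4 + length].decode("utf-8", "replace"))
        off += 4 + length + (-length % 4)
    return found

def read_annotations(data):
    """Return (file_notes, {frame_number: notes}) from little-endian pcapng bytes."""
    file_notes, packet_notes, off, frame = [], {}, 0, 0
    while off + 12 <= len(data):
        btype, total = struct.unpack_from("<II", data, off)
        if total < 12 or total % 4 or off + total > len(data):
            raise ValueError(f"malformed block at offset {off}")
        body = data[off + 8:off + total - 4]
        if btype == SHB:
            file_notes += comments_in(body[16:])      # skip magic, version, section length
        elif btype == EPB:
            frame += 1                                # Wireshark numbers frames from 1
            caplen = struct.unpack_from("<I", body, 12)[0]
            notes = comments_in(body[20 + caplen + (-caplen % 4):])
            if notes:
                packet_notes[frame] = notes
        off += total
    return file_notes, packet_notes

def sample_capture():  # constructed sample, not a real trace
    shb = block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1) + comment_opt("Lab test, SPAN port"))
    idb = block(IDB, struct.pack("<HHI", 1, 0, 65535))
    def epb(pkt, opts=b""):
        return block(EPB, struct.pack("<5I", 0, 0, 0, len(pkt), len(pkt)) + pkt + bytes(-len(pkt) % 4) + opts)
    return shb + idb + epb(bytes(14)) + epb(bytes(15), comment_opt("client clicked submit"))
```

Calling `read_annotations(sample_capture())` returns the file note and a dictionary keyed by frame number, which is a quick way to confirm that a saved trace still carries its annotations before you hand it to someone else.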


