Managing Wireshark Packet Comments
In my opinion, Wireshark's file and packet comments are its most underutilized features.
When I work onsite and capture packets, I get a lot of questions ranging from tool use to, of course, packet interpretation.
Other than providing some customized onsite training (I no longer offer public training sessions) or mentoring, knowledge transfer is always challenging.
Providing file comments helps document why and where you performed the trace and any other noteworthy points. Notes such as a problem description, or whether SPAN or a TAP was used, are incredibly helpful when others look at the trace file.
Packet comments are even more important since you can explain protocol and application behavior, and problems, within the related packets.
It doesn't matter if the notes are to jog your memory 6 months from now or if you are sending the trace to another department/vendor. Anyone will find the comments helpful, and they reduce a lot of the typical back and forth involved when you share a trace file.
In this video I cover how to add, find and remove packet comments.