Wireshark Conversation Tip

Many times I do stuff out of habit or reflex and all it takes is for someone to say “what did you do?” to realize that it might be worth sharing.

The other day I was working with a client and we were trying to identify and isolate the conversation that generated the most traffic.

The first thing I did, again out of habit, was pull down the Statistics->Conversation report to identify the TCP or UDP conversation. The analyst I was working with has been learning Wireshark as he needed to (like many people); he said “that’s cool” and then asked what the difference was between “endpoints” and “conversations”. It was a great session and we found the conversation quickly.

The next thing I did while going through another trace was use the right-click, Conversation->TCP feature, which blew his mind. We went through it a few times and he commented on how much of a time saver that tip is.

So here’s a video with the two tips.
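For readers who want the two tips spelled out, here is an added example (not from the original post, and not Wireshark's own code) that does the same bookkeeping over a few constructed packet records: it totals bytes per conversation the way the Statistics->Conversation report does, totals bytes per endpoint so the difference between the two views is visible, picks the busiest TCP conversation, and builds the display filter that the right-click Conversation->TCP feature applies. The packet records and the addresses (RFC 5737 documentation ranges) are constructed, and the filter builder is an assumption about the filter's form rather than Wireshark's code.

```python
"""Added example (not from the original post): aggregate constructed packet
records the way Wireshark's Conversations and Endpoints views do, then build
the display filter that right-click -> Conversation -> TCP applies."""
from collections import defaultdict

# Constructed sample packets: (src_ip, src_port, dst_ip, dst_port, proto, bytes).
# Addresses are RFC 5737 documentation ranges, not real hosts.
PACKETS = [
    ("192.0.2.10", 51000, "198.51.100.5", 443, "tcp", 1500),
    ("198.51.100.5", 443, "192.0.2.10", 51000, "tcp", 6000),
    ("192.0.2.10", 51001, "198.51.100.7", 80, "tcp", 400),
    ("198.51.100.7", 80, "192.0.2.10", 51001, "tcp", 900),
    ("192.0.2.11", 52000, "198.51.100.5", 443, "tcp", 300),
    ("192.0.2.10", 53555, "198.51.100.9", 53, "udp", 80),
    ("198.51.100.9", 53, "192.0.2.10", 53555, "udp", 200),
]


def conversation_key(src_ip, src_port, dst_ip, dst_port, proto):
    """Direction-independent key: A->B and B->A belong to one conversation,
    which is how the Conversations report counts them."""
    a, b = (src_ip, src_port), (dst_ip, dst_port)
    low, high = sorted([a, b])
    return (proto, low, high)


def conversations(packets, proto=None):
    """Total bytes per conversation (both directions), optionally one protocol."""
    totals = defaultdict(int)
    for src_ip, sport, dst_ip, dport, p, size in packets:
        if proto and p != proto:
            continue
        totals[conversation_key(src_ip, sport, dst_ip, dport, p)] += size
    return dict(totals)


def endpoints(packets, proto=None):
    """Total bytes per endpoint (address, port). Each packet is credited to
    both its source and its destination endpoint, so an endpoint's figure is
    the sum of every conversation it takes part in; that is why the Endpoints
    and Conversations views show different numbers for the same host."""
    totals = defaultdict(int)
    for src_ip, sport, dst_ip, dport, p, size in packets:
        if proto and p != proto:
            continue
        totals[(p, src_ip, sport)] += size
        totals[(p, dst_ip, dport)] += size
    return dict(totals)


def top_conversation(packets, proto=None):
    """The conversation carrying the most bytes, as (key, bytes)."""
    convs = conversations(packets, proto)
    return max(convs.items(), key=lambda kv: kv[1])


def conversation_filter(key):
    """Display filter isolating one conversation, the same job as right-click
    -> Conversation -> TCP/UDP. The form is an assumption of this example."""
    proto, (ip_a, port_a), (ip_b, port_b) = key
    return (f"ip.addr=={ip_a} && {proto}.port=={port_a} && "
            f"ip.addr=={ip_b} && {proto}.port=={port_b}")


if __name__ == "__main__":
    key, size = top_conversation(PACKETS, "tcp")
    print(f"busiest TCP conversation: {key} ({size} bytes)")
    print("filter:", conversation_filter(key))
    ep = endpoints(PACKETS, "tcp")
    # The server endpoint total exceeds the busiest conversation because it
    # also includes the smaller conversation from 192.0.2.11.
    print("endpoint 198.51.100.5:443 total:", ep[("tcp", "198.51.100.5", 443)])
```

Paste the printed filter into the display filter bar and only that conversation remains, which is exactly what the right-click shortcut does in one step; the endpoint total for the server port being larger than the busiest conversation is the answer to the “endpoints vs. conversations” question from the session.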
