Using the Wireshark Commenting Feature

Wireshark 1.8 introduced a commenting feature alongside the pcapng file format. When a capture is saved as pcapng, the comments are stored inside the capture file itself and travel with it. This is useful when you are working with a third party and need to communicate your interpretation of a capture, and it is also a good way to document a capture for future use by you or your colleagues. This article is an introduction and quick look at how the Wireshark commenting feature can be used to save time when documenting packet captures.

Prerequisites

The first thing to be aware of is that this feature requires the pcapng file format. Unlike classic pcap, pcapng has option fields in its blocks, and the comments are saved there as additional metadata. Wireshark has defaulted to pcapng since 1.8, but if your preferences have been changed, or you are capturing with another tool, make sure the file is saved as pcapng; if you save a commented capture as classic pcap, Wireshark warns that the comments will be discarded. My recommendation is to set the Wireshark preferences to capture and save in pcapng format. There is really no downside to doing this unless the file has to be read by an old version of Wireshark, by Ethereal, or by a tool built on a libpcap too old to read pcapng.

Having set the capture format to pcapng, the best way to look at the commenting features is to capture some traffic. For this example, I captured some traffic to and from Google's public DNS server (8.8.8.8).

[Screenshot: just a boring capture (Wireshark Comment 1)]

Commenting the Capture File

The first thing to notice is the notepad symbol at the bottom left of the Wireshark window. Clicking this icon brings up an annotation window. Notes entered here are not tied to a packet; they are general notes about the entire capture. The notes can be viewed later by opening the dialog box again or by viewing the summary page for the capture (Statistics->Summary in 1.x; Statistics->Capture File Properties in Wireshark 2.0 and later).

[Screenshot: the comment icon (Wireshark Comment 2)]

[Screenshot: the capture comment window (Wireshark Comment 3)]

Since the capture comment is not specific to single packets, it is only moderately useful. It works like a text document embedded in the capture file: handy for recording who captured what, where and why, but far from an earth-shattering feature.

Commenting on Packets

What I think is more useful is the ability to annotate single packets. In our example, we will annotate a couple of packets and look at some ways to find and view these comments.

To add a packet comment, right-click the interesting packet and choose "Packet Comment..." (the same item is also available from the Edit menu in newer versions). I'll comment on an ICMP Echo and a DNS query. If you need to do this outside the GUI, editcap can add or replace a packet comment by frame number with its -a framenum:comment option; tshark itself only reads comments.

[Screenshot: adding a packet comment (Wireshark Comment 4, Wireshark Comment 5)]

I also similarly commented on a DNS request to better demonstrate the associated navigation features.

Navigating Commented Packets

To quickly filter the entire capture down to only the commented packets, use the "pkt_comment" display filter; the field exists only for packets that carry a comment, so the bare field name matches exactly those packets. In Wireshark 3.0 and later the field is named "frame.comment", and since it is a string field you can also search the comment text itself, for example frame.comment contains "DNS".

[Screenshot: Wireshark Comment 6]

Another way to jump to the next commented packet is the "Find" feature, opened with the "ctrl-f" keyboard shortcut. With the search type set to "Display filter", the same "pkt_comment" (or "frame.comment") filter syntax can be used.

[Screenshot: Wireshark Comment 7]

Notice that selecting any of the commented packets shows a noticeable green line at the top of the packet details pane. This line can be expanded to view the comment.

[Screenshot: Wireshark Comment 8]

One final way to navigate commented packets is the Expert Info dialog box. The easy way to bring this up is to click the colored circle (the Expert Info indicator) in the bottom left corner of the Wireshark window.

[Screenshot: Wireshark Comment 9]

In the Expert Info window, the rightmost tab should now read “Packet Comments: X”, where X is the number of commented packets.

[Screenshot: Wireshark Comment 10]

Single-clicking an entry in the Expert Info window jumps the main Wireshark UI to that packet. Double-clicking the entry opens the comment for editing.
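The prerequisite above (pcapng only) and the navigation tricks in this section both come down to where the comments live in the file. As an added example, not part of the original post and not Wireshark's own code, the following Python writes a minimal pcapng file carrying both kinds of comment and then reads them back. It shows the mechanism directly: the capture comment is an opt_comment option in the Section Header Block, each packet comment is an opt_comment option on its Enhanced Packet Block, and classic pcap has no place for either. The frame bytes, timestamps and comment strings are constructed placeholders, and the little-endian, EPB-only layout is an assumption that matches what Wireshark writes by default. The file it produces opens in Wireshark, where the frame.comment (older: pkt_comment) filter finds frames 1 and 3.

```python
"""Write and read pcapng comments without Wireshark (added example, not from the original post)."""
import struct

# Block types and option codes from the pcapng specification
SHB = 0x0A0D0D0A   # Section Header Block: carries the capture-wide comment
IDB = 0x00000001   # Interface Description Block
EPB = 0x00000006   # Enhanced Packet Block: carries per-packet comments
OPT_END, OPT_COMMENT = 0, 1
BYTE_ORDER_MAGIC = 0x1A2B3C4D   # little-endian section when it reads as this value


def _pad4(data: bytes) -> bytes:
    """Every pcapng option value and packet payload is padded to a 4-byte boundary."""
    return data + b"\x00" * (-len(data) % 4)


def _option(code: int, value: bytes) -> bytes:
    return struct.pack("<HH", code, len(value)) + _pad4(value)


def _block(btype: int, body: bytes) -> bytes:
    total = 12 + len(body)   # type + total length + body + trailing total length
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)


def write_pcapng(packets, capture_comment=None, linktype=1, snaplen=65535) -> bytes:
    """Build a little-endian pcapng blob. packets = [(timestamp_us, frame_bytes, comment_or_None)]."""
    opts = b""
    if capture_comment:
        opts += _option(OPT_COMMENT, capture_comment.encode("utf-8"))
    opts += _option(OPT_END, b"")
    # Section length -1 means "unknown", which is also what Wireshark writes.
    shb = _block(SHB, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1) + opts)
    # No if_tsresol option, so timestamps are in microseconds (the spec default).
    idb = _block(IDB, struct.pack("<HHI", linktype, 0, snaplen))
    out = shb + idb
    for ts, frame, comment in packets:
        body = struct.pack("<IIIII", 0, ts >> 32, ts & 0xFFFFFFFF, len(frame), len(frame))
        body += _pad4(frame)
        if comment:   # an option list is only written when there is a real option to carry
            body += _option(OPT_COMMENT, comment.encode("utf-8")) + _option(OPT_END, b"")
        out += _block(EPB, body)
    return out


def _comments_in(options: bytes) -> list:
    """Collect opt_comment values from an option list, stopping at opt_endofopt."""
    found, off = [], 0
    while off + 4 <= len(options):
        code, length = struct.unpack_from("<HH", options, off)
        off += 4
        if code == OPT_END:
            break
        if code == OPT_COMMENT:
            found.append(options[off:off + length].decode("utf-8", "replace"))
        off += length + (-length % 4)
    return found


def read_comments(blob: bytes):
    """Return (capture_comments, {frame_number: [comments]}) from a little-endian pcapng blob.

    Frames are numbered in file order like Wireshark does. Assumption: all packets are
    Enhanced Packet Blocks (Wireshark's default); other packet block types are skipped.
    """
    if blob[:4] != b"\x0a\x0d\x0d\x0a" or blob[8:12] != struct.pack("<I", BYTE_ORDER_MAGIC):
        raise ValueError("not a little-endian pcapng file (classic pcap cannot carry comments)")
    capture, per_frame, off, frame = [], {}, 0, 0
    while off + 12 <= len(blob):
        btype, total = struct.unpack_from("<II", blob, off)
        if total < 12 or total % 4 or off + total > len(blob):
            raise ValueError(f"bad block length {total} at offset {off}")
        if struct.unpack_from("<I", blob, off + total - 4)[0] != total:
            raise ValueError(f"trailing length mismatch at offset {off}")
        body = blob[off + 8:off + total - 4]
        if btype == SHB:
            capture.extend(_comments_in(body[16:]))          # options follow the 16-byte header
        elif btype == EPB:
            frame += 1
            caplen = struct.unpack_from("<I", body, 12)[0]
            comments = _comments_in(body[20 + caplen + (-caplen % 4):])
            if comments:
                per_frame[frame] = comments
        off += total
    return capture, per_frame


# Constructed sample data: the frame bytes are placeholders, the point is the metadata.
ECHO_REQUEST = bytes(42)   # stands in for an ICMP echo request to 8.8.8.8
DNS_QUERY = bytes(74)      # stands in for a DNS query to 8.8.8.8
SAMPLE = [
    (1_700_000_000_000_000, ECHO_REQUEST, "ICMP echo request to 8.8.8.8, RTT baseline"),
    (1_700_000_000_000_250, ECHO_REQUEST, None),
    (1_700_000_000_001_000, DNS_QUERY, "DNS A query for example.com via 8.8.8.8"),
]

if __name__ == "__main__":
    blob = write_pcapng(SAMPLE, capture_comment="Lab capture, host to 8.8.8.8, for ticket review")
    with open("commented.pcapng", "wb") as fh:   # open in Wireshark and filter on frame.comment
        fh.write(blob)
    capture_comments, per_frame = read_comments(blob)
    print("capture comments:", capture_comments)
    for number, comments in sorted(per_frame.items()):
        print(f"frame {number}: {comments}")
```

The reader deliberately refuses classic pcap up front rather than failing later with a confusing length error, which is the same failure a colleague hits when a commented capture was saved as .pcap and arrives with the notes silently gone.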

Conclusion

When working in a capture file there is often a need to transfer knowledge between individuals, and just as often a need to return to a capture you began analyzing at an earlier point in time. Both scenarios force you to reanalyze the file and become familiar with it all over again. Written documentation, while helpful, is time consuming, hard to keep next to the data, and often not done effectively. The commenting tools in Wireshark are a quick and easy way to annotate the interesting packets and attributes found in a capture, and because the notes are stored in the pcapng file itself they cannot be separated from it. This can save a significant amount of time for you and your colleagues when the file is picked up again at a different time or in a different setting.


About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.
This entry was posted in How-To.

2 Responses to Using the Wireshark Commenting Feature

  1. Ioannis says:

    Hi Paul,

    Just “discovered” your blog and I find it very interesting ! Thanks for sharing all these things.
    About the comments in Wireshark: it is also very handy when baselining your traffic to keep both trace and packet notes (I use it a lot). There is also less chance of losing the notes kept during troubleshooting, which happens when saving them to an external file.

    cheers,
    Ioannis

  2. This feature is very useful. Do you know if I can add a comment using tshark on the command line?
