Somewhere around version 1.8 a commenting feature was introduced in Wireshark. When used with the pcapng file format, the comments are saved within the capture for later use. This feature can be beneficial in scenarios where you may be working with a third party and need to communicate your interpretation of a capture. Additionally, this is a great way to document a capture for future use by you or your colleagues. This article is an introduction and quick look at how the Wireshark commenting feature can be used to save time when documenting packet captures.
The first thing to be aware of is that this feature requires the pcapng file format. This file format allows for saving the comments as additional metadata. There are a few ways to configure Wireshark to use the pcapng format. My recommendation is to change the preferences in Wireshark to default to capturing in pcapng format. There’s really no downside to doing this unless there is a need to read the file in an old version of Wireshark or Ethereal.
Having set the capture format to pcapng, the best way to look at the commenting features is to capture some traffic. For this example, I have captured some traffic to and from Google’s DNS server (22.214.171.124).
Just a Boring Capture
Commenting the Capture File
The first thing to notice at the bottom left side of the Wireshark window is a notepad symbol. Clicking on this icon will bring up an annotation window. Notes entered here are not specific to a packet, but general notes that you can add about the entire capture. The notes can be viewed in the future by opening the dialog box back up or by viewing the summary page (Statistics -> Summary) for the capture.
Capture Comment Window
Since the capture comment is not specific to single packets, it is only moderately useful. This particular feature can be used like a text document embedded into the capture file. While it can be useful, it is far from an earth-shattering new feature.
Commenting on Packets
What I think is more useful is the ability to annotate single packets. In our example, we will annotate a couple of packets and look at some ways to find and view these comments.
To add a packet comment, simply right-click on the interesting packet. I’ll comment on an ICMP Echo and a DNS query.
Adding a Packet Comment
I similarly commented on a DNS request to better demonstrate the associated navigation features.
Navigating Commented Packets
To quickly filter the entire capture to only commented packets, the “pkt_comment” display filter may be used.
Another way to navigate to the next commented packet is to use the “Find” feature. The quick way to bring up this dialog box is the Ctrl+F keyboard shortcut. The same “pkt_comment” display filter syntax can be used.
Notice that choosing any of the commented packets shows a noticeable green line in the packet detail window. This can be expanded to view the comment.
One final way to navigate commented packets is by using the Expert Info dialog box. The easy way to bring this up is clicking the round icon in the bottom left corner of the Wireshark window.
In the Expert Info window, the rightmost tab should now read “Packet Comments: X”, where X is the number of commented packets.
Single-clicking an entry in the Expert Info window will advance the main Wireshark UI to that packet. Double-clicking the entry will allow the comment to be edited.
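Because the comments live in the pcapng file itself as option records (a capture comment on the Section Header Block, a packet comment on each Enhanced Packet Block), they can be pulled out without opening Wireshark at all, which is handy when you want to list a colleague's annotations from a script or check that a capture was really saved as pcapng rather than classic pcap. The following Python is an added example, not code from the article or from the Wireshark project; it builds a small constructed pcapng file in memory (the packet bytes are placeholder data, not real frames) and then walks the blocks to extract the capture comment and the per-frame comments, giving the same frame list the “pkt_comment” display filter above would show.

```python
"""Extract pcapng capture and packet comments without Wireshark (added example)."""
import struct

# Block types and option codes from the pcapng specification.
SHB, IDB, SPB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000003, 0x00000006
OPT_ENDOFOPT, OPT_COMMENT = 0, 1
BYTE_ORDER_MAGIC = 0x1A2B3C4D


def _pad4(n):
    """Round a length up to the next multiple of 4 (pcapng aligns everything to 32 bits)."""
    return (n + 3) & ~3


def _option(code, value, endian):
    """Encode one option record: code, length, value, zero padding to 32 bits."""
    return struct.pack(endian + "HH", code, len(value)) + value + b"\0" * (_pad4(len(value)) - len(value))


def _block(block_type, body, endian):
    """Wrap a 4-aligned body in the block header and trailing total-length field."""
    total = 12 + len(body)
    return struct.pack(endian + "II", block_type, total) + body + struct.pack(endian + "I", total)


def build_sample_pcapng(endian="<"):
    """Construct (not captured) a tiny pcapng: SHB with a capture comment, one
    interface, and three frames of placeholder bytes, frames 1 and 3 commented."""
    shb = struct.pack(endian + "IHHq", BYTE_ORDER_MAGIC, 1, 0, -1)
    shb += _option(OPT_COMMENT, b"Constructed sample: DNS and ICMP to a resolver", endian)
    shb += _option(OPT_ENDOFOPT, b"", endian)
    idb = struct.pack(endian + "HHI", 1, 0, 65535)  # linktype Ethernet, reserved, snaplen
    frames = [
        (b"\x45\x00\x00\x54" + b"\x00" * 20, b"ICMP echo request to the resolver"),  # 24 bytes
        (b"\x45\x00\x00\x3c" + b"\x00" * 17, None),                                   # 21 bytes, padded
        (b"\x45\x00\x00\x3c" + b"\x00" * 17, b"DNS query for example.com"),
    ]
    blocks = [_block(SHB, shb, endian), _block(IDB, idb, endian)]
    for pkt, comment in frames:
        body = struct.pack(endian + "IIIII", 0, 0, 0, len(pkt), len(pkt))  # iface, ts hi/lo, caplen, origlen
        body += pkt + b"\0" * (_pad4(len(pkt)) - len(pkt))
        if comment:  # option list is optional; only emit it when there is a comment
            body += _option(OPT_COMMENT, comment, endian) + _option(OPT_ENDOFOPT, b"", endian)
        blocks.append(_block(EPB, body, endian))
    return b"".join(blocks)


def _comments(opts, endian):
    """Return every opt_comment value in an option list, stopping at opt_endofopt."""
    out, off = [], 0
    while off + 4 <= len(opts):
        code, length = struct.unpack_from(endian + "HH", opts, off)
        if code == OPT_ENDOFOPT:
            break
        if code == OPT_COMMENT:
            out.append(opts[off + 4:off + 4 + length].decode("utf-8", errors="replace"))
        off += 4 + _pad4(length)
    return out


def extract_comments(data):
    """Walk every block; return (capture_comments, {frame_number: [comments]})."""
    endian, off, frame = None, 0, 0
    capture_comments, packet_comments = [], {}
    while off + 12 <= len(data):
        # The SHB type value is the same in both byte orders; its magic fixes the endianness.
        if struct.unpack_from("<I", data, off)[0] == SHB:
            magic = struct.unpack_from("<I", data, off + 8)[0]
            endian = "<" if magic == BYTE_ORDER_MAGIC else ">"
        if endian is None:
            raise ValueError("not a pcapng file: no Section Header Block at the start")
        block_type, total_len = struct.unpack_from(endian + "II", data, off)
        if total_len < 12 or total_len % 4 or off + total_len > len(data):
            raise ValueError(f"bad block length {total_len} at offset {off}")
        if struct.unpack_from(endian + "I", data, off + total_len - 4)[0] != total_len:
            raise ValueError(f"trailing length mismatch at offset {off}")
        body = data[off + 8:off + total_len - 4]
        if block_type == SHB:
            capture_comments.extend(_comments(body[16:], endian))  # skip magic/version/section length
        elif block_type == EPB:
            frame += 1
            cap_len = struct.unpack_from(endian + "I", body, 12)[0]
            found = _comments(body[20 + _pad4(cap_len):], endian)
            if found:
                packet_comments[frame] = found
        elif block_type == SPB:
            frame += 1  # Simple Packet Blocks count as frames but cannot carry options
        off += total_len
    return capture_comments, packet_comments


def commented_frames(data):
    """Frame numbers that would match the 'pkt_comment' display filter."""
    return sorted(extract_comments(data)[1])


def read_pcapng_comments(path):
    """Convenience wrapper for a capture on disk (hypothetical path supplied by the caller)."""
    with open(path, "rb") as fh:
        return extract_comments(fh.read())


if __name__ == "__main__":
    capture, per_frame = extract_comments(build_sample_pcapng())
    print("capture comments:", capture)
    for number, notes in per_frame.items():
        print(f"frame {number}: {notes}")
```

Point `read_pcapng_comments` at a real capture saved from Wireshark to list its annotations; a classic libpcap file will fail the Section Header Block check, which is the quickest way to confirm whether comments could have been stored at all.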
Often when working in a capture file, there is a need to transfer knowledge between individuals. Additionally, there is often the need to return to a capture that you began analyzing at a different point in time. These scenarios create the problem of having to reanalyze and become familiar with the capture again. Written documentation, while helpful, is time-consuming, challenging and often isn’t done effectively. Using the commenting tools in Wireshark is a quick and easy way to annotate the interesting packets and attributes found in a capture. This annotation feature can save a significant amount of time for you and your colleagues as they process the file at a different time or setting.