Customize the Wireshark Expert

What is the Expert?

If you use Wireshark for troubleshooting, you MUST open the Expert Information window! Wireshark's Expert interprets the traffic to point out possible problems in the trace file. The Expert Information button is at the bottom left corner of the Wireshark window (the left side of the Status Bar) and is color coded to indicate the highest level of severity seen by the Expert.

The Expert Information window can alert you to a number of issues in your communications:

  • Packet loss

  • Receive buffer full

  • Port reuse

  • Out-of-order segments

  • Failed dissectors

The image below shows the Expert Information window for wwb001-movietime.pcapng. The Expert Information window indicates we have some problems with a subdissector for HTTP, a receive buffer issue (Zero Window), connection resets (what?), out-of-orders, packet loss and more.

WANT TO LEARN MORE? We offer on-demand, online and instructor-led courses on Wireshark and TCP/IP communications! Check out the links under "Training" on the menu for more information and sign up for our biweekly newsletter to know when future blogs, events, or freebies are announced. Every new sign up also gets five free Wireshark labs!


TCP Resets Expert Setting Always Bugged Me

One of the Expert indications that bugs me is the "Connection reset (RST)" item listed as a warning. Why should I be warned that there are TCP resets in the trace file? Those are normal. If there are TCP resets because of a port scanning process, I can detect those through a button or coloring rule.


We can change how the Expert classifies items!


Change the Expert Preference Setting

So let's change the way Wireshark categorizes these TCP resets.


Select Edit | Preferences | Expert. Click the + button to add an entry. Enter tcp.connection.rst in the Field Name column and select Note as the severity. Click OK to save this setting. If you have a trace file loaded when making a change to the Expert preferences, Wireshark automatically rescans the trace file to apply the change.

There is one area of this process that might cause you grief - where do you get those pesky field names? Look inside any packet that is linked in the Expert - the field of interest is above the Severity level entry, as shown below. In the example below, I have selected the [TCP Zero Window segment] line inside the [SEQ/ACK analysis] area of a TCP header. If I wanted to make a change to this Expert preference setting, I would use the field name tcp.analysis.zero_window.

Wireshark stores changes to the Expert in the expert_severity configuration file within the profile in which you are working. It's a pretty simple file and you can quickly pick up the syntax. You'll see the traditional "DO NOT MODIFY" message, but in truth - you can modify the file, just realize that you need to save it and reload the profile in which it resides.
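To make the two steps above concrete (an override for tcp.connection.rst, then the effect it has on what the Expert reports), here is a small added example, not code from this post or from Wireshark. It models the expert_severity file as one double-quoted, comma-separated record per line with '#' comment lines, which is my reading of Wireshark's UAT files and should be compared against the file in your own profile; the Expert items it re-labels are a constructed sample, not parsed from wwb001-movietime.pcapng.

```python
"""Model how an expert_severity override changes Wireshark Expert severities.

Added example, not the post's or Wireshark's own code. The file format is an
assumption (one double-quoted, comma-separated record per line; '#' comments);
check it against the expert_severity file in your profile before relying on it.
"""
from collections import Counter
import csv
import io

# Severity levels as the Expert ranks them, highest first.
SEVERITIES = ("Error", "Warning", "Note", "Chat")

# Constructed expert_severity file, as it would look after the change above:
# TCP resets demoted from Warning to Note.
EXPERT_SEVERITY_FILE = '''\
# This file is automatically generated, DO NOT MODIFY.
"tcp.connection.rst","Note"
'''

# Constructed Expert items for a small trace: (field name, default severity).
EXPERT_ITEMS = [
    ("tcp.analysis.zero_window", "Warning"),
    ("tcp.connection.rst", "Warning"),
    ("tcp.connection.rst", "Warning"),
    ("tcp.connection.rst", "Warning"),
    ("tcp.analysis.lost_segment", "Warning"),
    ("tcp.analysis.out_of_order", "Warning"),
    ("tcp.analysis.out_of_order", "Warning"),
]


def parse_expert_severity(text):
    """Return {field_name: severity} from expert_severity file contents."""
    overrides = {}
    for row in csv.reader(io.StringIO(text)):
        # Skip blank lines and the "DO NOT MODIFY" comment header.
        if not row or row[0].lstrip().startswith("#"):
            continue
        if len(row) != 2:
            raise ValueError(f"malformed record: {row!r}")
        field, severity = row
        if severity not in SEVERITIES:
            raise ValueError(f"unknown severity {severity!r} for {field}")
        overrides[field] = severity
    return overrides


def apply_overrides(items, overrides):
    """Re-label each (field, severity) item using the profile's overrides."""
    return [(field, overrides.get(field, severity)) for field, severity in items]


def summarize(items):
    """Count items per severity and return the highest severity present,
    which is what the colour of the Status Bar Expert button reflects."""
    counts = Counter(severity for _, severity in items)
    highest = next((s for s in SEVERITIES if counts[s]), None)
    return dict(counts), highest


if __name__ == "__main__":
    overrides = parse_expert_severity(EXPERT_SEVERITY_FILE)
    print("before:", summarize(EXPERT_ITEMS))
    print("after: ", summarize(apply_overrides(EXPERT_ITEMS, overrides)))
```

Running it shows the three reset entries moving from the Warning count to the Note count while the zero window, lost segment and out-of-order entries stay as Warnings, so the button colour is unchanged but the Warning list is no longer cluttered with resets. Keeping a strict check on the severity value is deliberate: a typo in a hand-edited expert_severity file is easier to catch here than by wondering why a preference silently did nothing after a profile reload.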

When you reopen the Expert Information window, you should see the result of your changes to the Expert preferences.

That's much better!


If you want to use the same setting in another profile, you would need to copy the expert_severity file to that profile.


Importing Expert Settings from Other Profiles

This step became much simpler with the recent updates to Wireshark. Did you notice the "Copy from" button at the bottom of the Expert Preferences window?

That's it! Relatively simple, eh?


Cheers!

Laura

©2020 Chappell University