
Using the Conversations window

The basics of using the Conversations window were covered during the first capture in Chapter 1, Getting Acquainted with Wireshark. In this section, we'll cover a few other handy features of the Conversations window.

The Ethernet tab

The Ethernet tab of the Conversations window behaves differently depending on the Name Resolution settings. If Enable for Network Layer is enabled in the Name Resolution menu (found in the View menu) and Name Resolution is also enabled in the Conversations window, then the IP address associated with a given device's MAC address is displayed instead of the MAC address. Toggling the Name Resolution option in this scenario is a useful way to associate a device's IP address with its MAC address.

If the Enable for Network Layer option is not enabled, then the Name Resolution option in the Conversations window controls whether the MAC addresses are displayed with manufacturer prefixes or as the basic 6-octet MAC address.

The TCP and UDP tabs

The TCP and UDP tabs of the Conversations window list all of the conversations between devices based on IP addresses and ports. Network communications between a pair of devices, each with its own IP address, can include multiple sequential or simultaneous sessions with differing port numbers. The TCP and UDP tabs (depending on the protocol in use) make it much easier to inspect the number, relative size, and start/duration of these individual sessions.

As can be done in any of the other tabs in the Conversations window, a display filter can be quickly prepared or applied using the right-click functionality.

A helpful practice when investigating TCP or UDP sessions is to first apply a display filter on just the IP addresses and then enable the Limit to display filter option at the bottom of the Conversations window. Upon returning to the TCP or UDP tab, only the port-level sessions between the filtered host pair are displayed, which makes investigating these sessions much easier than picking them out from the entire list.

The following screenshot shows the multiple TCP sessions that were involved in loading the https://www.wireshark.org/ home page after applying a display filter (from the bulk capture file) and enabling the Limit to display filter option in the Conversations window. It can be seen that the (top) conversation between port 54581 on the user workstation and port 80 (HTTP) carried the vast majority of the traffic; the remaining ports carried much smaller amounts of traffic.
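The grouping that the TCP tab performs, and the effect of limiting it to one host pair, can be reproduced over a handful of packet records. This is an added example, not code from the book or from Wireshark; the packet records and IP addresses are constructed, and choosing "Address A" as the sender of the first packet seen is an assumption of this sketch.

```python
from collections import namedtuple

# Constructed sample records: time (s), source IP/port, destination IP/port, frame length (bytes).
Pkt = namedtuple("Pkt", "t src sport dst dport length")
PACKETS = [
    Pkt(0.00, "192.0.2.10", 54581, "198.51.100.5", 80, 74),
    Pkt(0.02, "198.51.100.5", 80, "192.0.2.10", 54581, 74),
    Pkt(0.05, "192.0.2.10", 54581, "198.51.100.5", 80, 420),
    Pkt(0.09, "198.51.100.5", 80, "192.0.2.10", 54581, 1514),
    Pkt(0.10, "192.0.2.10", 54582, "198.51.100.5", 80, 74),
    Pkt(0.13, "198.51.100.5", 80, "192.0.2.10", 54582, 74),
    Pkt(0.20, "192.0.2.10", 54590, "203.0.113.9", 443, 74),
]

def conversations(packets, host_pair=None):
    """Group packets into bidirectional (IP, port) <-> (IP, port) conversations.

    host_pair: optional (ip_a, ip_b). When given, only packets exchanged
    between those two hosts are counted, which is the effect of an IP-only
    display filter combined with 'Limit to display filter'.
    Returns a list of (key, stats) sorted by total bytes, largest first.
    """
    table = {}
    for p in packets:
        if host_pair and {p.src, p.dst} != set(host_pair):
            continue
        a, b = (p.src, p.sport), (p.dst, p.dport)
        # Both directions share one row; side A is the first sender seen.
        key = (a, b) if (a, b) in table or (b, a) not in table else (b, a)
        row = table.setdefault(key, {"packets": 0, "bytes": 0, "a_to_b": 0,
                                     "b_to_a": 0, "start": p.t, "end": p.t})
        row["packets"] += 1
        row["bytes"] += p.length
        row["a_to_b" if a == key[0] else "b_to_a"] += p.length
        row["start"] = min(row["start"], p.t)
        row["end"] = max(row["end"], p.t)
    return sorted(table.items(), key=lambda kv: kv[1]["bytes"], reverse=True)

if __name__ == "__main__":
    # Only the port-level sessions between the two filtered hosts remain.
    for (a, b), s in conversations(PACKETS, ("192.0.2.10", "198.51.100.5")):
        dur = s["end"] - s["start"]
        print(f"{a[0]}:{a[1]} <-> {b[0]}:{b[1]}  packets={s['packets']} "
              f"bytes={s['bytes']} A->B={s['a_to_b']} B->A={s['b_to_a']} dur={dur:.2f}s")
```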

The WLAN tab

Since the Conversations window tabs are ordered alphabetically, the WLAN tab comes at the end. This tab displays the wireless station MAC addresses, as well as the Bytes, Packets, and other columns offered in the other tabs.
