Question : Wireshark question

Hi

I am trying to use Wireshark to trace a conversation between a server and client. I ran the Wireshark capture and have the file in front of me. But I have some questions I was hoping experts could help with:

i) I want to view the source and destination ports. I went to "Edit Preferences" and added a column for Source Port and Destination Port. But in the view they are labelled as "New Column" and "New Column", and the option to name the column in "Edit Preferences" is greyed out. Does anyone know how to change this?

ii) When the capture starts, for the columns I added, sometimes I can see the port number, sometimes the name of the protocol (I assume that's what it is). How can I change it so that only the port NUMBER is displayed?

iii) I would like to see which device initiated a conversation. Sure, I can see Source IP and Destination IP, however I don't know which one actually started the conversation. I assume I need to look at the "Info" tab; there are entries there such as "ACK" and "PSH, ACK". Does anyone know how these can help me?

iv) Also in Info, I can see the "Seq" number and the "Ack" number. What do these relate to?

v) Is there any way to right-click a packet and view the entire conversation related to that packet (as in highlight the entries in the display)?

Any help would be much appreciated!

Answer : Wireshark question

1) After adding the field and choosing the number, click on the left column in the overview above on the field you just added. Then you can change them. Yep, annoying. (You can reorder fields by dragging them around there too.)

2) Select the Src Port or Dst Port with the attribute 'unresolved'.

3) A TCP link starts with a Syn; the response should be Syn+Ack, and the final acceptance is an Ack on that.

4) Relative offsets in the up and down stream. During Syn these numbers are synchronised. And the max difference between the Seq# and the Ack# is the sending window, or "data underway".
If they are equal there is no data underway and nothing is missing.

5) Right-click on a packet. You can choose Colorize Conversation to let them spring out in color, or you can filter them, or you can follow the stream (which effectively takes all the data out of the packets and shows it).

Hope it helps.
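As an added illustration of points 3 and 4, not part of the original answer: a small Python script that takes tab-separated packet summaries of the kind `tshark -T fields` emits for the listed fields (the sample rows are constructed), finds the endpoint that sent the bare SYN, turns absolute seq/ack numbers into the relative ones Wireshark shows, and reports how many bytes each side has sent that the other has not yet acknowledged. The field order and the "1"/"True" flag encoding are assumptions.

```python
# Constructed sample, tab-separated, field order: ip.src tcp.srcport ip.dst
# tcp.dstport tcp.flags.syn tcp.flags.ack tcp.seq tcp.ack tcp.len (absolute seq
# numbers). Flow: three-way handshake, 120-byte request, 300-byte reply.
SAMPLE = """\
10.0.0.5\t51234\t10.0.0.9\t80\t1\t0\t1000\t0\t0
10.0.0.9\t80\t10.0.0.5\t51234\t1\t1\t5000\t1001\t0
10.0.0.5\t51234\t10.0.0.9\t80\t0\t1\t1001\t5001\t0
10.0.0.5\t51234\t10.0.0.9\t80\t0\t1\t1001\t5001\t120
10.0.0.9\t80\t10.0.0.5\t51234\t0\t1\t5001\t1121\t0
10.0.0.9\t80\t10.0.0.5\t51234\t0\t1\t5001\t1121\t300
"""

def parse_line(line):
    f = line.split("\t")
    return {"src": (f[0], int(f[1])), "dst": (f[2], int(f[3])),
            "syn": f[4] in ("1", "True"), "ack_flag": f[5] in ("1", "True"),
            "seq": int(f[6]), "ack": int(f[7]), "len": int(f[8])}

def analyse(text):
    """Group packets into conversations keyed by the unordered endpoint pair."""
    streams = {}
    for line in filter(str.strip, text.splitlines()):
        p = parse_line(line)
        src, dst = p["src"], p["dst"]
        s = streams.setdefault(tuple(sorted([src, dst])), {
            "initiator": None, "isn": {}, "next_seq": {}, "acked": {}, "packets": []})
        if p["syn"] and not p["ack_flag"]:  # bare SYN: this side opened the link
            s["initiator"] = src
        if p["syn"]:                        # SYN carries the initial sequence number
            s["isn"][src] = p["seq"]
        # A SYN consumes one sequence number even though it carries no payload.
        nxt = p["seq"] + p["len"] + (1 if p["syn"] else 0)
        s["next_seq"][src] = max(s["next_seq"].get(src, 0), nxt)
        if p["ack_flag"]:                   # highest ack number the peer has seen
            s["acked"][dst] = max(s["acked"].get(dst, 0), p["ack"])
        # Relative seq/ack as Wireshark's Info column shows them (None if ISN unseen).
        isn_src, isn_dst = s["isn"].get(src), s["isn"].get(dst)
        rel_seq = p["seq"] - isn_src if isn_src is not None else None
        rel_ack = p["ack"] - isn_dst if p["ack_flag"] and isn_dst is not None else None
        s["packets"].append(("%s:%d" % src, rel_seq, rel_ack))
    return streams

def data_underway(stream, endpoint):
    """Bytes `endpoint` has sent that its peer has not acknowledged yet."""
    sent = stream["next_seq"].get(endpoint, 0)
    return sent - stream["acked"].get(endpoint, stream["isn"].get(endpoint, sent))

if __name__ == "__main__":
    for key, s in analyse(SAMPLE).items():
        print(key, "initiated by", s["initiator"], [data_underway(s, e) for e in key])
```

On the sample the client is reported as the initiator, its request is fully acknowledged (0 bytes underway) while the server's 300-byte reply is still in flight.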