What does the yellow color mean in Packet Details?
Hi,
In Wireshark 4.0.4 I see some yellow background color in Packet Details. What does this yellow color mean?
Thanks
WSUG - 7.4.3. “Colorized” Protocol Details Tree
The packet detail tree marks fields with expert information based on their severity level color, e.g., “Warning” severities have a yellow background. This color is propagated to the top-level protocol item in the tree in order to make it easy to find the field that created the expert information.
The first warning, for "External name", means "If I treat this as if it's ASCII, it's not valid ASCII", which is not surprising, given that it's not ASCII at all, it's EBCDIC (as indicated by the next item after it).
The second warning, for "Manager-Level List", also says it's not valid ASCII, but it doesn't look like valid EBCDIC either.
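To make the first warning concrete, here is an added example (not from the original post and not Wireshark's own code) that runs a printable-ASCII check and an EBCDIC (code page 037) check over constructed byte strings, so you can see why a field can fail "valid ASCII" and still be perfectly readable EBCDIC, while a binary field fails both. The validity rules used (ASCII means bytes 0x20..0x7E; "looks like EBCDIC" means the bytes decode under cp037 to printable characters) are this example's own assumptions, not Wireshark's exact criteria.

```python
# Added example (not from the original post, not Wireshark code): it illustrates
# why a field can fail an ASCII check yet be perfectly good EBCDIC.
# The validity rules below are this example's own assumptions, not Wireshark's.
import codecs

# Assumption: "valid ASCII" means every byte is printable ASCII (0x20..0x7E).
def valid_ascii(data: bytes) -> bool:
    return all(0x20 <= b <= 0x7E for b in data)

# Assumption: "looks like EBCDIC" means the bytes decode under code page 037
# (the US/Canada EBCDIC variant Python ships as cp037) to printable characters only.
def valid_ebcdic(data: bytes) -> bool:
    text = codecs.decode(data, "cp037")
    return len(text) > 0 and all(ch.isprintable() for ch in text)

def classify(data: bytes) -> str:
    """Return 'ascii', 'ebcdic', or 'neither' for a field's raw bytes."""
    if valid_ascii(data):
        return "ascii"
    if valid_ebcdic(data):
        return "ebcdic"
    return "neither"

# Constructed sample fields (not captured traffic):
SAMPLES = {
    # Plain ASCII: passes the ASCII check, no warning expected.
    "ascii_name": b"DB2 SERVER",
    # The same kind of text as EBCDIC: fails the ASCII check but reads fine as cp037.
    "ebcdic_name": "QDB2/NT64".encode("cp037"),
    # Binary/control bytes: fail both checks, like the "Manager-Level List" case above.
    "binary_list": b"\x00\x01\x00\x05\x14",
}

def report() -> dict:
    """Classify each sample; return {name: (classification, text decoded as EBCDIC)}."""
    return {name: (classify(raw), codecs.decode(raw, "cp037"))
            for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, (kind, ebcdic_text) in report().items():
        print(f"{name:12s} -> {kind:7s} as EBCDIC: {ebcdic_text!r}")
```

The point of the split check is the one made in the answer: a "not valid ASCII" expert warning on a field that is declared as ASCII says nothing about whether the bytes are garbage, only that the dissector's declared encoding does not match; the EBCDIC sample decodes cleanly, the control-byte sample does not.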
It doesn't appear to be, from a quick look at some DRDA specs. The Wireshark DRDA dissector is pretty primitive, so don't rely on it to give a detailed dissection of DRDA packets.
@Chuckc, thanks for pointing me to the documentation. @Guy Harris, thanks for the info about possible problems. I have looked into these packets in more detail and there are several ASCII vs. EBCDIC packets displayed, and only a few of them are displayed with a yellow background color. It looks to me that the yellow background color is not displayed when data is encoded in EBCDIC instead of ASCII, but yellow is displayed when the Wireshark programmer was not sure how to decode a portion of the network traffic (or this part of the protocol was not analyzed yet to properly decode it, or some info in the string is not so important to decode, or similar). The Wireshark programmer just wants to put out: "Warning, something is not decoded perfectly". In this case "Expert Info" is added with an explanation like: "Expert Info (Warning/Undecoded): Trailing stray characters". In the case of "Manager-Level List" only the first 30 ...(more)
@Guy Harris, yes I see now, the DRDA protocol in Wireshark is not decoded perfectly. It has multiple limitations. I have read some articles and this same info (non-perfect decoding) is pointed out, but it was stated that other network analysis tools (besides Wireshark) take Wireshark's library to decode the DRDA protocol. If this is true, then other tools are probably no better than Wireshark (maybe even worse, because they most probably use some older Wireshark DRDA library than Wireshark itself, because Wireshark is moving faster and providing new versions faster). Do you have any suggestion what other tool to use for the DRDA protocol, or did you just write a general statement that some other (you don't know which one) tool may be better at decoding the DRDA protocol? I have investigated the Wireshark DRDA protocol a little bit more in detail. What I see is that a protocol section has three parts: length (exactly two bytes), code ...(more)
Asked: 2023-03-28 11:08:57 +0000
Seen: 1,666 times
Last updated: Mar 28 '23