What does yellow color mean in Package Details?

asked 2023-03-28 11:08:57 +0000

pac122

updated 2023-03-28 11:37:43 +0000

grahamb


Wireshark 4.0.4. I see some yellow background color in Package Details. What does this yellow color mean?



1 Answer


answered 2023-03-28 11:53:29 +0000

Chuckc

updated 2023-03-28 11:54:58 +0000

WSUG - 7.4.3. “Colorized” Protocol Details Tree

The packet detail tree marks fields with expert information based on their severity level color, e.g., “Warning” severities have a yellow background. This color is propagated to the top-level protocol item in the tree in order to make it easy to find the field that created the expert information.



The first warning, for "External name", means "If I treat this as if it's ASCII, it's not valid ASCII", which is not surprising, given that it's not ASCII at all, it's EBCDIC (as indicated by the next item after it).

The second warning, for "Manager-Level List", also says it's not valid ASCII, but it doesn't look like valid EBCDIC either.

Guy Harris ( 2023-03-28 21:36:55 +0000 )

> The second warning, for "Manager-Level List", also says it's not valid ASCII, but it doesn't look like valid EBCDIC either.

It doesn't appear to be, from a quick look at some DRDA specs. The Wireshark DRDA dissector is pretty primitive, so don't rely on it to give a detailed dissection of DRDA packets.

Guy Harris ( 2023-03-28 22:46:51 +0000 )
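The ASCII versus EBCDIC distinction discussed in the two comments above, as an added example (not Wireshark code and not part of the original thread): the same text is valid 7-bit ASCII in one encoding and fails that test in EBCDIC, while arbitrary binary is neither. The `cp037` code page, the printable-character heuristic and the sample bytes are assumptions constructed for illustration.

```python
import string

# Assumption: the thread does not name the EBCDIC code page; cp037 is used here.
EBCDIC_CODEC = "cp037"
PRINTABLE = set(string.ascii_letters + string.digits + string.punctuation + " ")


def is_ascii(data: bytes) -> bool:
    """ASCII is a 7-bit code: any byte with the high bit set is not ASCII."""
    return all(b < 0x80 for b in data)


def decode_ebcdic(data: bytes):
    """Return the EBCDIC text if every decoded character is printable, else None."""
    text = data.decode(EBCDIC_CODEC)  # cp037 maps every byte value, so no exception
    return text if text and all(ch in PRINTABLE for ch in text) else None


def classify(data: bytes):
    """Return (kind, rendering), where kind is 'ascii', 'ebcdic' or 'neither'."""
    if is_ascii(data):
        return "ascii", data.decode("ascii")
    text = decode_ebcdic(data)
    if text is not None:
        return "ebcdic", text
    # Neither reading yields text: show raw hex instead of a misleading string.
    return "neither", data.hex()


# Constructed sample fields (not taken from the capture in the question).
SAMPLES = {
    "ASCII text": b"SAMPLE",
    "EBCDIC text": "SAMPLE".encode(EBCDIC_CODEC),
    "binary data": bytes([0x14, 0x03, 0x00, 0x24, 0x04, 0x07, 0xFF]),
}

if __name__ == "__main__":
    for label, field in SAMPLES.items():
        kind, rendering = classify(field)
        print(f"{label:12} {field.hex():14} -> {kind:8} {rendering}")
```
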

@Chuckc, thanks for pointing me to the documentation. @Guy Harris, thanks for the info about possible problems. I have looked into these packets in more detail and there are several ASCII vs. EBCDIC packets displayed and only a few of them are displayed with a yellow background color. It looks to me that the yellow background color is not displayed when data is encoded in EBCDIC instead of ASCII, but yellow is displayed when the Wireshark programmer was not sure about how to decode a portion of network traffic (or this part of the protocol was not analyzed yet to properly decode it, or some info in the string is not so important to decode, or similar). The Wireshark programmer just wants to put out: "Warning, something is not decoded perfectly". In this case "Expert Info" is added with an explanation like: "Expert Info (Warning/Undecoded): Trailing stray characters". In case of "Manager-Level List" only first 30 ...

pac122 ( 2023-04-03 09:06:32 +0000 )

@Guy Harris, yes I see now, the DRDA protocol in Wireshark is not decoded perfectly. It has multiple limitations. I have read some articles and they point out this same info (non-perfect decoding), but it was stated that other network analysis tools (besides Wireshark) take Wireshark's library to decode the DRDA protocol. If this is true, then other tools are probably no better than Wireshark (maybe even worse, because they most probably use some older Wireshark DRDA library than Wireshark, because Wireshark is moving faster and providing new versions faster). Do you have any suggestion what other tool to use for the DRDA protocol, or did you just write a general statement that some other (you don't know which one) tool may be better to decode the DRDA protocol? I have investigated the Wireshark DRDA protocol in a little more detail. What I see is that the protocol section has three parts: length (exactly two bytes), code ...

pac122 ( 2023-04-03 09:19:41 +0000 )
