
What does the yellow color mean in Packet Details?

Hi,

In Wireshark 4.0.4 I see a yellow background color in Packet Details. What does this yellow color mean?

Thanks

pac122, asked 2023-03-28 11:08:57 +0000
grahamb, updated 2023-03-28 11:37:43 +0000


1 Answer


WSUG - 7.4.3. “Colorized” Protocol Details Tree

The packet detail tree marks fields with expert information based on their severity level color, e.g., “Warning” severities have a yellow background. This color is propagated to the top-level protocol item in the tree in order to make it easy to find the field that created the expert information.

Chuckc, answered 2023-03-28 11:53:29 +0000, updated 2023-03-28 11:54:58 +0000

Comments

The first warning, for "External name", means "If I treat this as if it's ASCII, it's not valid ASCII", which is not surprising, given that it's not ASCII at all, it's EBCDIC (as indicated by the next item after it).

The second warning, for "Manager-Level List", also says it's not valid ASCII, but it doesn't look like valid EBCDIC either.

Guy Harris (2023-03-28 21:36:55 +0000)

The second warning, for "Manager-Level List", also says it's not valid ASCII, but it doesn't look like valid EBCDIC either.

It doesn't appear to be, from a quick look at some DRDA specs. The Wireshark DRDA dissector is pretty primitive, so don't rely on it to give a detailed dissection of DRDA packets.

Guy Harris (2023-03-28 22:46:51 +0000)

@Chuckc, thanks for pointing me to the documentation. @Guy Harris, thanks for the info about possible problems. I have looked into these packets in more detail and there are several ASCII vs. EBCDIC packets displayed, and only a few of them are displayed with a yellow background color. It looks to me that the yellow background color is not displayed when data is encoded in EBCDIC instead of ASCII, but yellow is displayed when the Wireshark programmer was not sure about how to decode a portion of the network traffic (or this part of the protocol was not analyzed yet to properly decode it, or some info in the string is not so important to decode, or similar). The Wireshark programmer just wants to put out: "Warning, something is not decoded perfectly". In this case "Expert Info" is added with an explanation like: "Expert Info (Warning/Undecoded): Trailing stray characters". In case of "Manager-Level List" only the first 30 ... (more)

pac122 (2023-04-03 09:06:32 +0000)

@Guy Harris, yes I see now, the DRDA protocol in Wireshark is not decoded perfectly. It has multiple limitations. I have read some articles and they point out this same info (non-perfect decoding), but it was stated that other network analysis tools (besides Wireshark) take Wireshark's library to decode the DRDA protocol. If this is true, then other tools are probably no better than Wireshark (maybe even worse, because they most probably use some older Wireshark DRDA library than Wireshark itself, because Wireshark is moving faster and providing new versions faster). Do you have any suggestion what other tool to use for the DRDA protocol, or did you just write a general statement that some other (you don't know which one) tool may be better at decoding the DRDA protocol? I have investigated the Wireshark DRDA protocol a little bit in more detail. What I see is that the protocol section has three parts: length (exactly two bytes), code ... (more)

pac122 (2023-04-03 09:19:41 +0000)
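As an added example (not code from Wireshark or from anyone in this thread), the following Python walks a constructed stream of DRDA DDM objects, assuming each object is a 2-byte big-endian length that covers its own header, then a 2-byte code point, then the payload, and classifies each payload the way the expert-info warnings above distinguish the cases: printable ASCII, printable EBCDIC (code page 037), or neither (the "undecoded" case). The code points and payloads are constructed, not real DRDA values.

```python
from typing import List, Tuple

# Printable 7-bit ASCII range (space through tilde).
PRINTABLE_ASCII = set(range(0x20, 0x7F))


def classify_text(payload: bytes) -> str:
    """Return 'ascii', 'ebcdic' or 'undecoded' for a string-valued payload.

    Mirrors the check behind a "not valid ASCII" expert warning: try ASCII
    first, then EBCDIC (code page 037); anything else is left undecoded.
    """
    if payload and all(b in PRINTABLE_ASCII for b in payload):
        return "ascii"
    # cp037 maps every byte, so decoding never fails; control characters
    # (e.g. 0x00) come back as non-printable and fall through to 'undecoded'.
    text = payload.decode("cp037")
    if text and all(c.isprintable() for c in text):
        return "ebcdic"
    return "undecoded"


def walk_ddm_objects(data: bytes) -> List[Tuple[int, int, str]]:
    """Split a byte string into (code point, length, classification) tuples.

    Assumption: the stream starts at the first DDM object, i.e. any DSS header
    has already been stripped. A length shorter than the 4-byte header or one
    that overruns the buffer is reported as 'malformed' and stops the walk.
    """
    out: List[Tuple[int, int, str]] = []
    pos = 0
    while pos + 4 <= len(data):
        length = int.from_bytes(data[pos:pos + 2], "big")
        codepoint = int.from_bytes(data[pos + 2:pos + 4], "big")
        if length < 4 or pos + length > len(data):
            out.append((codepoint, length, "malformed"))
            break
        out.append((codepoint, length, classify_text(data[pos + 4:pos + length])))
        pos += length
    return out


# Constructed sample: three objects with made-up code points 1, 2 and 3.
SAMPLE = (
    b"\x00\x07\x00\x01" + b"DB2"                  # ASCII text
    + b"\x00\x07\x00\x02" + "DB2".encode("cp037")  # same text in EBCDIC: C4 C2 F2
    + b"\x00\x08\x00\x03" + b"\x00\x14\xff\x01"    # neither: stays undecoded
)

if __name__ == "__main__":
    for codepoint, length, kind in walk_ddm_objects(SAMPLE):
        print(f"code point 0x{codepoint:04X} length {length}: {kind}")
```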
