Only show problematic packets in Wireshark
I am using Wireshark to analyse millions of packets. Is there a filter which will only show those packets which have errors?
By "error", I mean an IP error (e.g. incorrect IP header checksum), a TCP error (e.g. incorrect TCP checksum), or an error at the application layer (in my case, the FIX protocol, which is parsed by Wireshark).
How can I configure Wireshark to only show erroneous packets?
The only notion Wireshark has of "error" as a generic concept is the notion of "expert info" items with a severity level of "error" (which is the highest level of severity).
To find all packets with that type of "expert info" item, use the display filter
expert.severity == error
in Wireshark 1.10.x and earlier and
_ws.expert.severity == error
in Wireshark 1.12 and later.
However, that will only show errors if the Wireshark dissector for the protocol where there's the error has code that looks for the error in question and, if it finds it, adds an expert info item for that error. (Wireshark is a dumb piece of software, not a clever networking expert that can detect errors other than the ones it's been written to detect.)
Sample more specific error filters:
_ws.expert.group == Malformed
_ws.expert.severity != Ok
_ws.expert.message ~ "A new tcp session is started with the same ports"
-
Group names:
Checksum, Sequence, Response, Request, Undecoded, Reassemble, Malformed, Debug, Protocol, Security, Comment
-
Severity levels:
Error, Warn, Note, Chat, Comment, Ok
-
Messages:
Can be looked up in the packet details view of a sample problematic packet, in the Expert Info node of the analysis section. E.g.
Transmission Control Protocol/[SEQ/ACK analysis]/[TCP Analysis Flags]/[Expert Info]
This builds on the answer by user164970.
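As an added example (not from either answer above), the same expert-info filters driven from tshark, the command-line Wireshark, so a capture of millions of packets can be reduced to a list of erroneous frames without loading it into the GUI. It assumes tshark is on PATH and that its version banner starts with "TShark" followed by the version number; the version decides between the pre-1.12 `expert.*` and the 1.12+ `_ws.expert.*` field names. It also switches on IP and TCP checksum validation, which is off by default in Wireshark, so without that preference the checksum errors asked about in the question never produce an expert item.

```shell
# Added example, not from the original answers: list only the packets of a
# capture that carry an expert-info item of the requested severity, via tshark.
set -eu

# Extract "3.6.2" from a banner such as "TShark (Wireshark) 3.6.2 (...)" or
# "TShark 1.10.14 (...)" (banner format assumed from the first line of tshark -v).
parse_version() {
    printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9.]*\).*/\1/p'
}

# Field prefix for expert info: "expert" up to 1.10.x, "_ws.expert" from 1.12 on.
expert_prefix() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -s -d. -f2)
    minor=${minor:-0}
    if [ "$major" -lt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -lt 12 ]; }; then
        echo "expert"
    else
        echo "_ws.expert"
    fi
}

# Display filter for one severity level (error, warn, note, chat, comment).
expert_filter() {
    printf '%s.severity == %s' "$(expert_prefix "$1")" "$2"
}

# Version of the installed tshark, or an empty string when it is not on PATH.
tshark_version() {
    command -v tshark >/dev/null 2>&1 || return 0
    parse_version "$(tshark -v 2>/dev/null | head -n 1)"
}

# Usage: report_errors capture.pcap [severity]. Prints one CSV line per matching
# packet: frame number, severity, expert group and message. Two-pass analysis
# (-2) lets TCP sequence analysis see the whole capture before filtering, and the
# -o preferences enable checksum validation, which Wireshark disables by default.
report_errors() {
    capture=$1
    severity=${2:-error}
    version=$(tshark_version)
    [ -n "$version" ] || { echo "tshark not found on PATH" >&2; return 1; }
    p=$(expert_prefix "$version")
    tshark -2 -r "$capture" \
        -o ip.check_checksum:TRUE -o tcp.check_checksum:TRUE \
        -Y "$(expert_filter "$version" "$severity")" \
        -T fields -E header=y -E separator=, \
        -e frame.number -e "$p.severity" -e "$p.group" -e "$p.message"
}

# Run only when a capture file is given, so the file can also be sourced.
[ "$#" -eq 0 ] || report_errors "$@"
```

Run as `sh expert_errors.sh capture.pcap warn` to include warnings as well as errors; the Malformed group filter from the answer above can be substituted into the `-Y` argument in the same way.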