Only show problematic packets in Wireshark

wireshark

I am using Wireshark to analyse millions of packets. Is there a filter which will only show those packets which have errors?

By "error", I mean an IP error (e.g. incorrect IP header checksum), a TCP error (e.g. incorrect TCP checksum), or an error at the application layer (in my case, the FIX protocol, which is parsed by Wireshark).

How can I configure Wireshark to only show erroneous packets?

Best Answer

The only notion Wireshark has of "error" as a generic concept is the notion of "expert info" items with a severity level of "error" (which is the highest level of severity).

To find all packets with that type of "expert info" item, use the display filter

expert.severity == error

in Wireshark 1.10.x and earlier and

_ws.expert.severity == error

in Wireshark 1.12 and later.

However, that will only show errors if the Wireshark dissector for the protocol where there's the error has code that looks for the error in question and, if it finds it, adds an expert info item for that error. (Wireshark is a dumb piece of software, not a clever networking expert that can detect errors other than the ones it's been written to detect.)
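As an added example (not part of the original answer), the following POSIX shell wrapper applies the filter above from the command line with tshark, choosing the field name by the installed version. It also turns on IPv4, TCP and UDP checksum validation, because those preferences are off by default and without them no checksum error is ever generated, so the "error" filter would not show the IP and TCP cases the question asks about. Assumed: tshark is on PATH, the capture path is passed as the first argument, and tshark accepts the -Y display-filter option (Wireshark 1.10 and later).

```shell
#!/bin/sh
# Added example, not code from the original answer.
# Assumes: tshark on PATH, capture file given as $1, tshark with -Y support.

# Map a Wireshark version string to the expert-severity field name:
# "expert.severity" for 1.10.x and earlier, "_ws.expert.severity" for 1.12+.
expert_field_for_version() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    if [ "$major" -lt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -le 10 ]; }; then
        echo "expert.severity"
    else
        echo "_ws.expert.severity"
    fi
}

# Full display filter for "packets with an error-severity expert info item".
error_filter() {
    echo "$(expert_field_for_version "$1") == error"
}

# Extract the version number from "tshark -v" (first line looks like
# "TShark 1.10.14 ..." or "TShark (Wireshark) 3.6.2 ...").
installed_tshark_version() {
    tshark -v 2>/dev/null | sed -n 's/^TShark[^0-9]*\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Print only the packets carrying an error-severity expert info item.
# The -o options enable checksum validation, which Wireshark leaves off by
# default; without them a bad IP or TCP checksum produces no expert item.
show_error_packets() {
    capture=$1
    version=$(installed_tshark_version)
    if [ -z "$version" ]; then
        echo "tshark not found or version not recognised" >&2
        return 1
    fi
    tshark -r "$capture" \
        -o ip.check_checksum:TRUE \
        -o tcp.check_checksum:TRUE \
        -o udp.check_checksum:TRUE \
        -Y "$(error_filter "$version")"
}

# Usage: sh show_errors.sh capture.pcap
if [ -n "${1:-}" ]; then
    show_error_packets "$1"
fi
```

One caveat worth keeping in mind when checksum validation is enabled: packets captured on the host that sends them often show a bad TCP or UDP checksum simply because the NIC computes the checksum after the capture point (checksum offload), so on a capture taken on an endpoint those hits are usually not real corruption. A capture taken from a span port or tap does not have that problem.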
