Wireshark includes an Expert Info feature that helps you detect potential anomalies, protocol issues, or unusual behavior during packet analysis. It flags specific patterns or states that may indicate misconfigurations, failed connections, or suspicious activity.
This tool is especially helpful in large captures, where manually spotting such issues would be time-consuming. However, keep in mind that these detections are not always accurate—false positives or false negatives can occur.
How Expert Info Works
Expert Info analyzes protocol states and behaviors in real-time as packets are captured or reviewed. It highlights issues based on severity level and event type, offering insight without requiring deep protocol knowledge at every step.
To access Expert Info:
Analyze → Expert Information
You can also click the colored circle icon in the bottom left.
Severity Levels and Categories
Expert Info uses three severity levels and organizes alerts by protocol-related categories.
| Severity | Color | Description |
|---|---|---|
| Error | Red | Critical issue; likely a broken or failed connection |
| Warning | Yellow | Suspicious or abnormal behavior |
| Note | Blue | Informational or possibly relevant detail |

| Category | Examples |
|---|---|
| Malformed Packet | Incorrectly formed packets |
| Retransmission | Packet resend events (e.g., TCP retries) |
| Connection Issues | TCP resets, failed handshakes |
| Protocol Violations | Protocol used incorrectly or out of spec |
| Chats/Notes | Human-readable hints or commentary |
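As an added example (not code from the original page or from the Wireshark project), the script below triages the same Expert Info outside the GUI, which is what you want on the large captures mentioned above. It assumes a tab-separated export produced by tshark with the `_ws.expert.severity`, `_ws.expert.group` and `_ws.expert.message` fields (real Wireshark field names); the tshark command shown in the comment and the `|` aggregator are the assumed export settings, and the sample lines are constructed, not taken from a real capture. It counts findings by severity and by category so that a single Error is not buried under hundreds of retransmission Notes, and builds a display filter to jump back to the affected frames in the GUI.

```python
"""Triage Wireshark Expert Info from a tshark field export (added example)."""
from collections import Counter

# Severity ranking. The page's three levels sit on top; Chat and Comment are
# the lower levels Wireshark also emits, kept so a real export parses cleanly.
SEVERITY_RANK = {"Error": 3, "Warning": 2, "Note": 1, "Chat": 0, "Comment": 0}

# Assumed export command (the Wireshark field names are real; the '|' aggregator
# is our choice because expert messages can contain commas):
#   tshark -r capture.pcap -T fields -E separator=/t -E occurrence=a \
#       -E 'aggregator=|' -e frame.number -e _ws.expert.severity \
#       -e _ws.expert.group -e _ws.expert.message
# Constructed sample of that output: one line per frame, columns tab-separated,
# frames with several expert items carry '|'-joined lists whose positions
# line up across the three expert columns. Frame 60 has no expert info.
SAMPLE_EXPORT = (
    "12\tChat\tSequence\tConnection establish request (SYN): server port 443\n"
    "13\tChat\tSequence\tConnection establish acknowledge (SYN+ACK): server port 443\n"
    "40\tNote\tSequence\tThis frame is a (suspected) retransmission\n"
    "41\tNote|Note\tSequence|Sequence\tDuplicate ACK (#1)|This frame is a (suspected) fast retransmission\n"
    "57\tWarning\tSequence\tConnection reset (RST)\n"
    "58\tError\tMalformed\tMalformed Packet (Exception occurred)\n"
    "59\tWarning\tMalformed\tNew fragment overlaps old data (retransmission?)\n"
    "60\t\t\t\n"
)
AGGREGATOR = "|"


def parse_export(text):
    """Return a list of (frame, severity, group, message), one per expert item."""
    items = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = line.split("\t")
        if len(cols) != 4:
            raise ValueError(f"expected 4 tab-separated columns: {line!r}")
        frame, sev_col, grp_col, msg_col = cols
        if not sev_col:  # frame carried no expert info at all
            continue
        sevs, grps, msgs = (c.split(AGGREGATOR) for c in (sev_col, grp_col, msg_col))
        if not len(sevs) == len(grps) == len(msgs):
            raise ValueError(f"misaligned expert columns in frame {frame}")
        for sev, grp, msg in zip(sevs, grps, msgs):
            if sev not in SEVERITY_RANK:
                raise ValueError(f"unknown severity {sev!r} in frame {frame}")
            items.append((int(frame), sev, grp, msg))
    return items


def summarize(items):
    """Counts per severity and per (severity, category)."""
    by_severity = Counter(sev for _, sev, _, _ in items)
    by_group = Counter((sev, grp) for _, sev, grp, _ in items)
    return by_severity, by_group


def frames_at_least(items, min_severity):
    """Sorted frame numbers carrying at least one item at or above min_severity."""
    floor = SEVERITY_RANK[min_severity]
    return sorted({frame for frame, sev, _, _ in items if SEVERITY_RANK[sev] >= floor})


def display_filter(frames):
    """Wireshark display filter that selects exactly these frames in the GUI."""
    return "frame.number in {" + " ".join(str(f) for f in frames) + "}"


if __name__ == "__main__":
    items = parse_export(SAMPLE_EXPORT)
    by_severity, by_group = summarize(items)
    # Highest severity first, then the categories that make it up.
    for sev in sorted(by_severity, key=SEVERITY_RANK.get, reverse=True):
        print(f"{sev:8} {by_severity[sev]:>4}")
        for (s, grp), n in sorted(by_group.items()):
            if s == sev:
                print(f"         {grp}: {n}")
    urgent = frames_at_least(items, "Warning")
    print("Warning or worse:", display_filter(urgent))
```

Paste the printed filter into the display filter bar to land on the frames the script flagged; for a quick look without any export, the filter `_ws.expert.severity == error` does the same for Error-level items directly in the GUI.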