Troubleshooting with Wireshark

Whether you are a Wireshark newbie or an experienced Wireshark user, this book streamlines troubleshooting techniques.
Table of contents (partial):
Identify Application Errors
Chapter 8: Graph Throughput Problems
Chapter Graph Time Delays
Chapter Graph Other Network Problems
Chapter Final Tips
Appendix A: Trace File Descriptions
Appendix C: Import a Troubleshooting Profile
Wireshark Lab

I often share the "Top 10" at conferences and on the All Access Portal (our online training portal).
Since I know many of you hate to wade through non-technical materials in the front of books (even though foundation materials are often necessary to lay the groundwork), I decided to begin this book with a list of the key network problems and symptoms seen in trace files. In Part 2: Symptom-Based Troubleshooting you will delve into most of the symptoms contained in this list of problems. Each problem listed in this section includes a list of possible symptoms that may be seen in your trace files.
Application Request Refused
Any service refusals should be of concern on your network. In an ideal network environment, clients make requests of servers and servers respond with the required information in a timely manner. This problem is caused when a service is not running on a server or perhaps a firewall is preventing the connection.
Connection Blocked by a Host-Based or Network Firewall
Ideally, hosts wouldn't even attempt to communicate with firewalled resources. Such an attempt could be due to a misconfiguration, malware, a malicious user, or another issue.
Slow Application at Server
The good news is that the server did not refuse to provide a desired service. The bad news is that the server is slooooow. This may be due to a lack of processing power at the server, a poorly behaving application, or even, in a multi-tiered architecture, a slow upstream server that actually provides the data (see Slow Load of Remote Content).
Possible Symptoms: TCP-based application: Large delay tcp. Large delay frame.
Slow Load of Remote Content
Many networks are designed in a multi-tiered fashion. For example, consider a client that sends a request to Server 1.
In a multi-tiered environment, that server may need to obtain information from Servers 2 through 9 before answering the client. Once we identify the delays from the client's perspective, we need to capture this multi-tiered traffic to determine which server is actually responding slowly.
Server Application Fault
The server is up and running, but not responding to requests.
Possible Symptoms: Expert Infos Notes: Retransmission; exponentially increasing time values in a tcp.
Content Redirection
We've all had the experience of driving to a specialty store such as an office supply store to buy something only to be told that the store does not have the item in stock.
The clerk performs an inventory check and sends us off to another store to get the item. It is inconvenient in our daily lives and, when this behavior is seen in network communications, it can negatively affect network performance.
If an application supports redirection (such as HTTP) and the target knows where the information actually resides, it may send you a redirection response.

As data is received, it is placed in the TCP receive buffer area. Applications must reach down into this buffer area to pick up the data fast enough to prevent the buffer from filling up.
Each TCP header states the sender's current receive buffer size, in bytes, in the Window Size field. It is not unusual to see the advertised Window Size value drop as data is received and then increase as an application picks up data from the buffer. When the advertised TCP receive buffer value drops to zero, the data transfer will stop. A low Window Size value can also cause data flow to stop.
The only recovery is a Window Update.
Possible Symptoms: Expert Infos Warnings:
Send Buffer Full
Just as a lack of receive buffer space can slow down a data transfer process, a lack of send buffer space can also negatively impact performance. A limited send buffer space can negatively impact network performance even if the network can handle a high data transfer rate and the receiver has plenty of buffer space.
The symptom of a full send buffer is a set of delays in the middle of a data stream transmission with no other logical reason for the delay.
This situation can create some freaky-looking trace files and lots of finger-pointing. In essence, if you capture traffic close to the client, you can determine the client's capabilities based on the TCP options listed in the SYN packets sent from the client.
If an interconnecting device alters the TCP option information before forwarding the SYN packet, the server has a different view of the client's capabilities.
You may blame the server for behaving poorly or not supporting certain TCP options. If you capture traffic at the server, you see the altered traffic and you may blame the client for behaving poorly or being poorly configured. This requires capturing on both sides of the interconnecting device to point the finger at the true source of the problem: an infrastructure device.
Possible Symptoms: Retransmissions tcp. Window Full tcp.

This problem could manifest itself in behavior similar to the aforementioned Altered TCP Connection Attributes Along a Path, except that a proxy box does not forward connection packets; it creates a new connection to the target on behalf of the client. If the connection on one side of the proxy device has a set of connection parameters that do not match the connection parameters offered in the connection on the other side of the proxy device, you may have problems.
The symptoms depend upon which connection characteristics are not established by the proxy. For example, if the connection on the client side of a proxy supports a smaller Window Scale multiplier than the connection on the server side, traffic flowing toward the client may need to be buffered by the proxy device because the target host does not have sufficient receive buffer space.
The symptoms experienced will vary depending on which connection characteristics are mismatched.

Routing loops occur when a packet is routed back onto a network over and over again.

Weak Signal WLAN
Wireless signals can only travel a certain distance, as dictated by their transmit signal strength and the effect of interference.
If a signal degrades substantially, it may not be interpreted properly when captured. In Wireshark's view, the frame may be tagged as malformed or it may not be defined as a frame at all during the capture process.
Possible Symptoms: Expert Infos Errors: Malformed Packets; Low Signal Strength value radiotap. TCP Retransmissions

This may not cause a problem if each path is healthy and offers the same throughput.
If there are devices that must see every packet in order to function, however, this can be a problem. For example, if proxies are in use, the network path must be symmetrical from the client to the proxy host. Another consideration would be an Intrusion Detection System (IDS) box that must see every packet and monitor state information about conversations.
Possible Symptoms: Expert Infos Warning: Previous Segment Not Captured
Packet Loss
Packet loss typically occurs at an interconnecting device such as a switch, a router, a NAT device, or a network firewall.
When a TCP host notices packet loss (based on an unexpected TCP sequence number or no acknowledgment within the Retransmission Time Out), the host begins a recovery process. A UDP-based application must be written to detect packet loss and begin its own recovery process. If the number of packets dropped is small and the recovery process is quick, the packet loss may go unnoticed. If many sequential packets are lost, however, users will likely feel the impact and complain.
When your trace file indicates packets have been lost, you must move your capture point across interconnecting devices to locate the point where packet loss begins. Be aware that in some situations Wireshark may trigger a packet loss warning when packets are simply out of order.
Possible Symptoms: Fast Retransmission; Expert Infos Note: Retransmission; IO Graph: Drops in throughput
High Path Latency
A single low-speed, high-delay link along a path, or the delay between geographically dispersed peers, can inject a level of path latency that affects performance.
Possible Symptoms: Capture at client: Capture at server:
Lousy Routing Path
When construction occurs in a major city, traffic is a nightmare as drivers are rerouted along less efficient and less direct routes. This is also true of network traffic. If a target is 10 blocks away and yet for some reason the packets must travel through 17 routers to get there, performance may be unacceptable. The symptoms are the same as High Path Latency.
Bandwidth Throttling
Transmitting data along a bandwidth-throttling link is like driving a car during rush hour.
You move along bumper-to-bumper at speeds below your lowest speedometer indication. Bandwidth throttling may be configured for traffic flowing in a particular direction, so a graph of unidirectional traffic can help you spot a limit on throughput ("hitting the ceiling").
Possible Symptom: IO Graph: See bit.
Possible Symptoms: ms delay before ACK packets tcp.
Queued Packets / Overloaded Router
Everyone hates waiting in a long line. TCP peers and UDP-based applications may detect sudden queue delays and think packets have been lost.
Even a slight queue delay along a path can be felt if you consider that it can take thousands or hundreds of thousands of data packets to download a file. The entire process feels mired in mud. This may be caused by an overloaded router or perhaps prioritization at a router (for example, video streaming first, email traffic last).
Using a throughput testing tool such as jPerf or iPerf can help you detect queuing along a path.
Possible Symptoms: IO Graph:
Route Redirections
Route redirections should be rare.
When a host sends packets to one local router when another local router exists with a preferred path, a route redirection may take place.
Broadcast or Multicast Storms
Broadcast and multicast storms should be easy to spot. Simply capture a moment of traffic and look at the target address. Broadcasts are typically not forwarded, so you should be capturing on and dealing with hosts on a single network. Multicasts can be forwarded through an internetwork; therefore, they can cause a greater problem if something goes wrong and they storm the network.
Possible Symptoms: High rate of packets addressed to the all-nets broadcast; high rate of packets addressed to a multicast address
Switch Loop
A switch loop is immediate death for all devices connected to the problem switches. Since we have protocols to help prevent switching loops (Spanning Tree), this problem should be rare.
Unfortunately, older switches that have not been restarted or rechecked every once in a while may begin to malfunction. If Spanning Tree fails and there is a loop, the network will become overwhelmed with looped packets. Switch loops are not difficult to detect. You only need to capture a few of these packets to know what is going on. You will see duplicate packets appearing over and over again in the trace file.
Possible Symptoms: High rate of identical packets

For example, when a compromised host begins performing port scans on other network hosts or it begins broadcasting discovery packets, the overhead may be felt.
First it will likely be felt by the compromised host; later it may be felt by other network hosts. The user working on a compromised host may notice performance problems if that host is uploading or downloading files in the background or performing other background tasks. Having a baseline of normal network traffic can help detect a compromised host.
Possible Symptoms:
Unusual applications or protocols (Statistics > Protocol Hierarchy)
"Data" below IP, TCP or UDP (Statistics > Protocol Hierarchy)
Local broadcasts (potentially discovery processes)
Suspicious outbound targets
Unusual internal targets, such as a local client trying to connect to the Accounting server
Data transfer during idle times
High number of service refusals (potential discovery process)
Network Name Resolution Problems
When a name resolution query is met with a mind-numbing silence or an error, there is a problem.
Since successful completion of this process is imperative to connecting to a target, the user may receive an application error such as "Server not found" (as in the case of a DNS Name Error when browsing).
Network Address Resolution Problems
Incorrect subnet addressing can cause major performance issues. In some cases, however, our routers hide the problems from us for a while (think Proxy ARP). In other cases, a client may send packets that are destined for a local device to a router, or perform a local-style discovery for a remote device.
Duplicate IP Address
Hardware Address Resolution Problems
The purpose of hardware address resolution is to obtain the MAC address of the local target or local router.
Network address resolution problems may cause a host to think local devices are remote or vice versa. Hardware address resolution problems are local only: you must be capturing on the same network as the faulty host to detect these issues.

This limits the retransmission to just the missing packet(s). Without SACK, the recovery process will include retransmissions of the first packet lost and every subsequent data packet, regardless of whether those subsequent packets were received successfully.
These extra retransmissions unnecessarily add load to the network links and interconnecting devices and may compound the packet loss problem.

This Shift Count is used to determine by how much the Window Size value should be multiplied. Offering a larger Window Size reduces the delays caused by a low window or Zero Window condition.
Possible Symptoms: Zero Window; Expert Infos Warning: Window is Full
Client Misconfiguration
A misconfigured client may have the wrong DNS address, the wrong router address, incorrect port numbers defined in a services file, or other problems.
Usually this type of problem can be detected quickly, and a comparison with other client traffic can help pinpoint the misconfiguration. The symptoms will vary based on the misconfiguration.
Possible Symptoms:
The client sends traffic to the wrong target
The client receives service refusals or no answer
Numerous other symptoms may appear depending on the misconfiguration

Likewise, it is more efficient to send as much data as possible in each packet during a file transfer.
This problem may not be felt in communications that send small files back and forth (such as general email messages), but when the file sizes increase, the performance pain does as well.
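The receive-window arithmetic and the altered-SYN comparison described above (Window Size multiplied by 2 to the power of the Shift Count, the Zero Window condition, and TCP options that differ between a client-side and a server-side capture of the same SYN) as an added example that is not code from the book: a small pure-Python parser run over constructed TCP header bytes. The packet bytes and the 8192-byte "low window" threshold are assumptions made for this example.

```python
"""Parse TCP headers from raw bytes, compute the effective receive window
from Window Size and the Window Scale shift count, and compare the options a
client's SYN carried on each side of an interconnecting device.

Added example, not the book's code. The packet bytes below are constructed
by hand for this example; no capture file is needed.
"""
import struct

OPTION_NAMES = {2: "MSS", 3: "Window Scale", 4: "SACK Permitted", 8: "Timestamps"}


def build_tcp_header(sport, dport, flags, window, options=b""):
    """Construct a TCP header (checksum left zero; only parsed fields matter)."""
    # Pad options to a 4-byte boundary with EOL (kind 0), as real stacks do.
    while len(options) % 4:
        options += b"\x00"
    data_offset = (20 + len(options)) // 4
    fixed = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0,
                        data_offset << 4, flags, window, 0, 0)
    return fixed + options


def parse_tcp(header):
    """Return the fixed header fields and the decoded options as a dict."""
    (sport, dport, _seq, _ack, off_res, flags, window,
     _csum, _urg) = struct.unpack("!HHIIBBHHH", header[:20])
    data_offset = (off_res >> 4) * 4
    options = {}
    i = 20
    while i < data_offset:
        kind = header[i]
        if kind == 0:            # EOL: end of option list
            break
        if kind == 1:            # NOP: one-byte padding
            i += 1
            continue
        length = header[i + 1]
        body = header[i + 2:i + length]
        if kind == 2:
            options["MSS"] = struct.unpack("!H", body)[0]
        elif kind == 3:
            options["Window Scale"] = body[0]        # the Shift Count
        elif kind == 4:
            options["SACK Permitted"] = True
        else:
            options[OPTION_NAMES.get(kind, f"kind {kind}")] = body.hex()
        i += length
    return {"sport": sport, "dport": dport, "syn": bool(flags & 0x02),
            "ack": bool(flags & 0x10), "window": window, "options": options}


def effective_window(window, shift_count):
    """Calculated window size: Window Size multiplied by 2**shift_count."""
    return window << shift_count


def window_state(pkt, shift_count):
    """Classify the advertised window the way the book's symptoms describe it.
    The 8192-byte 'low window' threshold is an assumption for this example."""
    if pkt["window"] == 0:
        return "Zero Window"
    if effective_window(pkt["window"], shift_count) < 8192:
        return "Low Window"
    return "OK"


def diff_syn_options(client_side, server_side):
    """Options a device changed or stripped between a client-side capture and
    a server-side capture of the same SYN: {name: (at client, at server)}."""
    a, b = client_side["options"], server_side["options"]
    return {k: (a.get(k), b.get(k)) for k in set(a) | set(b) if a.get(k) != b.get(k)}


# Constructed SYN as sent by the client: MSS 1460, SACK OK, Window Scale 7, NOP.
CLIENT_OPTS = b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x03\x03\x07" + b"\x01"
SYN_AT_CLIENT = build_tcp_header(51000, 80, 0x02, 65535, CLIENT_OPTS)
# The same SYN as seen at the server: SACK Permitted stripped, shift count cut to 2.
SERVER_OPTS = b"\x02\x04\x05\xb4" + b"\x03\x03\x02" + b"\x01"
SYN_AT_SERVER = build_tcp_header(51000, 80, 0x02, 65535, SERVER_OPTS)
# A later ACK from the client whose receive buffer has filled up completely.
ZERO_WINDOW_ACK = build_tcp_header(51000, 80, 0x10, 0)

if __name__ == "__main__":
    c, s = parse_tcp(SYN_AT_CLIENT), parse_tcp(SYN_AT_SERVER)
    print("altered options:", diff_syn_options(c, s))
    print("client effective window:",
          effective_window(c["window"], c["options"]["Window Scale"]))
    print("later ACK:", window_state(parse_tcp(ZERO_WINDOW_ACK), c["options"]["Window Scale"]))
```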
Possible Symptoms: Expert Infos Note:
Slow Application
Some applications are just dog-slow. This could be due to poor or bloated coding, internal errors, or even man-made timers defining the application's performance speed.
Other times, the application is not at fault. The system on which the application is installed may be overloaded and short on resources. In this case it is time for a system upgrade.
Possible Symptoms: Large delay in the time.

In Part 1: Preparing for Problems, you will review a four-part troubleshooting methodology and troubleshooting checklist, master key Wireshark troubleshooting tasks and focus on your capture techniques. In Part 2: Symptom-Based Troubleshooting, you will analyze numerous trace files to gather symptoms of performance problems and learn what can cause each of the symptoms.

Preparing for Problems
The time and effort you put into preparing to troubleshoot is as important as the time and effort you put into actually sifting through the packets.
You can save yourself many hours of work, frustration, and distraction by employing a basic four-step troubleshooting methodology, using key Wireshark troubleshooting skills, and applying the proper capture techniques.
Chapter 1: Use Efficient Troubleshooting Methods
If you've been working in the world of troubleshooting for a while, you likely have a tried and true method for detecting the causes of network problems. In this chapter we will focus on a basic four-part methodology for troubleshooting networks based on traffic:
Task 1: Define the problem
Task 2: Collect system, application and path information
Task 3: Capture and analyze packet flows
Task 4: Consider other tools
Task 1: Define the Problem
"The network is slow" is a common complaint from network users.
This vague description will not help you to home in on the problem. When a user complains about performance in such a general way, we need to ask some questions to focus and prioritize our troubleshooting tasks.
Here are sample questions that you might ask a network user before capturing or analyzing a single packet.
What were you trying to do? Are you troubleshooting a file upload, file download, login, email send, email receive, database update, or something else? What type of traffic will you be looking for? Do you have an address upon which to filter?
What are the symptoms? This is my attempt to get past the "the network is slow" self-diagnosis so often offered. You want to know if this is a problem loading a specific page, running a specific application, or a recurring problem for a specific user.
Did you receive any error message? The error might tell me the exact problem.
Is this happening all the time? Can your complaining user reproduce the problem so you can capture the traffic right now, or do you need to start an ongoing capture to catch the issue at some point?
There are so many questions that one can ask to get a feel for the problem; we just need to get past the generic "the network is slow" complaint.
Task 2: Collect System, Application and Path Information
Obtain as much system, network and infrastructure information as possible. This will help put a framework around the tasks at hand. I've hit a number of problems over the years with various operating systems, applications and interconnecting devices. If I know a certain version of a firewall is causing problems during the TCP handshake, this might be an issue to consider if the customer is using that product.
Here are some sample questions that you might ask a customer about their configuration. What application and version is running? Describe the network path that the traffic must traverse. Sometimes the person you will speak with does not have this information. In that case you might not be talking with the right person, or the customer really doesn't know their network.
Task 3: Capture and Analyze Packet Flows
This is the focus of this book.
Anyone can play, and the more you practice, the better you will be.
Capture Location Tips
I am a firm believer in capturing as close as possible to the complaining host first, if possible. I want to see the traffic from that host's perspective.
I want to examine the roundtrip time to the target(s), the TCP handshake establishment process (if used), indications of network problems, background traffic to which the host must listen, and more. Capturing as close as possible to the complaining host will allow me to focus on relevant traffic without having to apply a capture filter.
Why do I avoid spanning switch ports? First, the switch might be part of the problem. Second, switches have enough to do these days—I do not want to burden them further with spanning functions. An oversubscribed switch may not be able to forward all the traffic and therefore my trace file is not complete.
Third, some switches just do not do spanning very well. On a high traffic network, consider using a command-line capture tool such as tcpdump or dumpcap. These tools require few resources and can be deployed for remote capture without installing the entire Wireshark application.
You can use these streamlined tools for capture and then open the trace files in Wireshark for the analysis process.
Analysis Process Tips
Remember, analysis is more like a game than an art form: practice, practice, practice. Review Use a Troubleshooting Checklist. Here are some quick tips for analyzing efficiently:
Know what is "normal."
See Tips for Faster Problem Detection.
Remove unrelated traffic from view (use an exclusion filter).
Focus on traffic related to the complaining user's machine (use an inclusion filter and possibly Export Specified Packets to a new trace file). See Filter on a Host, Subnet or Conversation.
Verify your trace file is usable (no problems during the capture process).
Verify basic host connectivity.
We will add many of these buttons in Part 2: Symptom-Based Troubleshooting.
Sort or filter for delays (increase in general or UDP delta times).
Examine the Expert Infos errors, warnings and notes.
Create a "Golden Graph" to prioritize throughput drops.
Refer to Use a Troubleshooting Checklist for a more complete list of analysis tasks.
Task 4: Consider Other Tools
Wireshark is an amazing packet analysis tool.
There are, however, some functions that it does not offer and other functions that it just does not do very well. In some cases you may need to work with another tool once you have hit a Wireshark limitation. One example of a Wireshark limitation is seen when you work with large trace files. Try to keep your trace files under MB maximum size. Anything larger and Wireshark becomes too slow and, at times, unstable. This problem is worse when you add coloring rules, columns and additional protocol processing requests to Wireshark.
The following list includes some tools to consider when analyzing trace files: Cascade Pilot offers numerous Views that you can apply to trace files to visualize traffic characteristics. You can simply click and drag across the timeline to export a subset of interesting traffic to Wireshark for further analysis.
Cascade Pilot also includes an impressive reporting feature. A sample analysis report from Pilot is included in this book's supplement file set. TraceWrangler was created by Jasper Bongertz and is available at www. Demonstrated at Sharkfest, TraceWrangler is now the de facto trace file editing tool. See Use TraceWrangler.
Use a Troubleshooting Checklist
I have a basic troubleshooting checklist (albeit in my head) that I run through each time I open a trace file.
The order in which I go through the checklist may change depending on the troubleshooting issue (UDP-based application troubleshooting vs. TCP-based application troubleshooting, for example). Consider expanding this checklist to suit your needs. A PDF version of this checklist is available with the book supplements at www.
Verify traffic from the complaining user's machine is visible. If not…
Ensure the host is running.
Test the host's connectivity (can it communicate with another host?).
Recheck capture location and process.
Consider a resolution problem.
Focus on Complaining User's Traffic
Filter on related traffic such as tcp.
Filter out unrelated traffic such as !
Export related traffic to a separate trace file (File > Export Specified Packets).
Sort and identify high TCP delta times tcp.
Capturing at client: Use Wireshark's response time function if possible, such as dns.
Measure client latency (how long did it take for the client to make the next request?).
Click on low throughput points to jump to problem spots in the trace file.
Look at traffic characteristics at low throughput points.
Consider using an Advanced IO Graph to detect delays such as tcp.
Check for ICMP messages.
Check for IP fragmentation.
TCP-Based Application: Consider the number of errors, warnings and notes. Consider the impact of each item. Check the Calculated window size field values tcp.
UDP-Based Application: Identify Communication Issues. Look for unsuccessful requests (request, no answer). Look for repeated requests.
Spot Application Errors: Filter for application error response codes such as sip.
Master these Key Wireshark Troubleshooting Tasks
Become comfortable with the troubleshooting tasks in this chapter.
You will use them repeatedly to find the cause of poorly performing networks. In addition, consider mastering the tasks covered in Wireshark. That book includes another set of 43 hands-on labs to enhance your network analysis skills.
Create a Troubleshooting Profile
With the exception of a few default coloring rules and expert notifications, Wireshark is not customized to be used for in-depth troubleshooting.
Wireshark is a piece of clay. You can mold it into an ideal troubleshooting tool with very little effort. Appendix A provides step-by-step instructions on creating a troubleshooting profile. You do not have to be a Wireshark wizard to perform these steps. You just need to set aside about 15 minutes to go through the customization process. If you do not have time to build a custom profile, Appendix A also includes step-by-step instructions to import a troubleshooting profile that is part of this book's supplement set.
Until you create a new profile, you are working in Wireshark's Default profile. The profile you are working in is shown in the right-side column of the Status Bar.
Wireshark Lab 1: Create Your Troubleshooting Profile
You can create profiles to customize Wireshark with buttons, colors, and more. You can create separate profiles for different needs. You can quickly switch between profiles depending on your needs. In this lab we will build our Troubleshooting Book Profile and customize this profile in various labs in this book.
Step 1: Right-click the Profile column on the Status Bar.
Step 2: In the Configuration Profile window, select New.
Step 3: Click the arrow in the Create from area, expand the Global section and select Classic. This profile uses the most vibrant colors.
Step 4: Click OK.
Once you create your new profile, the Wireshark Status Bar indicates that you are working in the Troubleshooting Book Profile, as shown below. You will add capabilities and customization to your new Troubleshooting Book Profile as you follow along with the labs in this book.
Remember that you can also jump to Do It Yourself: Build Your New Troubleshooting Profile and learn to build a complete troubleshooting profile yourself. You can add columns to display additional information about packets to speed up your analysis process. In the example below we have added five columns to display the time between packets in each TCP conversation:
TCP Delta (tcp.)
DNS Delta (dns.)
HTTP Delta (http.)
Stream Index (tcp.)
WinSize (tcp.)
All of these columns were added using the right-click method, which is the fastest way to add new columns.
In the next lab (and in many of the labs in this book), you will add key columns to the Packet List pane and sort the columns to find problems in the trace file.
Wireshark Lab 2: Open tr-httpdelta.
Packets are TCP handshake packets. Select Packet 6 in the Packet List pane and then, in the Packet Details pane, click the button in front of Hypertext Transfer Protocol to expand the section. Many of the trace files used in this book will indicate they contain bad IP checksums if you have Wireshark's IP checksum validation feature enabled (which is the default setting).
The packets appear with a black background and red foreground in the Packet List pane, and a red highlight appears on the Internet Protocol line in the Packet Details pane. In this trace file, and many others, Wireshark is capturing traffic on a host that supports "task offloading."
To remove these false "bad checksum" indications, you will disable checksum validation in Wireshark Lab .
Select Apply as Column. Wireshark places the new Time Since Request column to the left of the Info column. Right-click on this new column heading and select Edit Column Details.
Step 5: Wireshark indicates there is a 2.
Step 6: To restore this hidden column at any time, right-click on any column header, select Displayed Columns and select the column to restore.
Profile column settings are saved in the profile's preferences file. To locate this file, select Help > About Wireshark > Folders and select the hyperlink to your personal configuration folder.
The profile's column settings are listed under the User Interface: Columns heading:
    User Interface: Columns
    Packet list hidden columns
    List all columns to hide in the packet list.
    R
    Packet list column format
    Each pair of strings consists of a column title and its format
    gui.
In addition, the resolution is set to nanoseconds regardless of whether the packet timestamps contain that level of precision.
Wireshark Lab 3: Set the Time Column to Detect Path Latency This trace file contains a web browsing session and was captured at the client. Open tr-australia.
We will change this column setting so we can quickly measure the delta time between displayed packets. Use this delta time to obtain a snapshot of the round trip time between a client and a server.
This trace file begins with a DNS query and response. TCP connection establishment begins in Packet 3.
It appears the round trip time is milliseconds ms. Is ms a good or bad round trip time? The answer depends on what the normal round trip time is for that path. If the round trip time is usually 43 ms, this is a large round trip time.
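The measurement the lab makes by hand (filter, then read the delta time between displayed packets, then take the SYN to SYN/ACK gap as the path round trip time) is shown below in code. This is an added example, not code from the book; the packet list is constructed for illustration, with addresses, ports and timestamps chosen to resemble the start of the lab trace (a DNS lookup, then a handshake whose SYN/ACK arrives 200 ms after the SYN).

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Packet:
    """One Packet List row: the fields the Time column and the RTT logic need."""
    number: int                 # frame.number
    time: float                 # frame.time_epoch, in seconds
    src: str
    dst: str
    protocol: str               # "DNS" or "TCP" in this sample
    sport: int = 0
    dport: int = 0
    flags: frozenset = field(default_factory=frozenset)   # TCP flags set, e.g. {"SYN", "ACK"}


# Constructed sample (not the book's trace): a DNS lookup followed by the start
# of a TCP handshake, captured at the client.
CLIENT, RESOLVER, SERVER = "10.0.0.5", "10.0.0.1", "203.0.113.80"
SAMPLE: List[Packet] = [
    Packet(1, 1000.000, CLIENT, RESOLVER, "DNS", 52133, 53),
    Packet(2, 1000.012, RESOLVER, CLIENT, "DNS", 53, 52133),
    Packet(3, 1000.013, CLIENT, SERVER, "TCP", 40000, 80, frozenset({"SYN"})),
    Packet(4, 1000.213, SERVER, CLIENT, "TCP", 80, 40000, frozenset({"SYN", "ACK"})),
    Packet(5, 1000.2131, CLIENT, SERVER, "TCP", 40000, 80, frozenset({"ACK"})),
]


def delta_displayed(packets: List[Packet],
                    keep: Callable[[Packet], bool] = lambda p: True) -> List[Tuple[int, float]]:
    """Reproduce the 'Seconds Since Previous Displayed Packet' time column.

    The display filter (keep) is applied first; the delta is then measured from
    the previous packet that survived the filter, which is why the column's
    values change when the filter changes. The first displayed packet shows 0.0.
    """
    rows: List[Tuple[int, float]] = []
    prev = None
    for p in packets:
        if not keep(p):
            continue
        rows.append((p.number, 0.0 if prev is None else p.time - prev.time))
        prev = p
    return rows


def handshake_rtt(packets: List[Packet]) -> Dict[Tuple[str, str, int, int], float]:
    """Round trip time per connection: the gap between a SYN and the matching
    SYN/ACK, keyed by (client, server, client port, server port). Captured at
    the client, this is one round trip through the whole path to the server."""
    pending: Dict[Tuple[str, str, int, int], float] = {}
    rtts: Dict[Tuple[str, str, int, int], float] = {}
    for p in packets:
        if p.protocol != "TCP":
            continue
        key = (p.src, p.dst, p.sport, p.dport)
        if p.flags == frozenset({"SYN"}):
            pending[key] = p.time                       # remember when the SYN left
        elif p.flags == frozenset({"SYN", "ACK"}):
            reverse = (p.dst, p.src, p.dport, p.sport)  # the SYN travelled the other way
            if reverse in pending:
                rtts[reverse] = p.time - pending.pop(reverse)
    return rtts


def rtt_is_high(rtt: float, usual_rtt: float, factor: float = 2.0) -> bool:
    """A round trip time is only 'large' relative to what is normal for that path."""
    return rtt > usual_rtt * factor


if __name__ == "__main__":
    for number, delta in delta_displayed(SAMPLE):
        print(f"frame {number}: delta displayed {delta:.4f} s")
    for key, rtt in handshake_rtt(SAMPLE).items():
        print(f"{key[0]}:{key[2]} -> {key[1]}:{key[3]}  RTT {rtt * 1000:.1f} ms,"
              f" high against a 43 ms baseline: {rtt_is_high(rtt, 0.043)}")
```

Passing a predicate such as `lambda p: p.protocol == "TCP"` to `delta_displayed` has the same effect as applying the display filter `tcp` in the GUI: the DNS packets drop out and the SYN becomes the first displayed packet with a delta of 0.0.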
What can you do about large round trip times? For example, a firewall with an exorbitant number of rules can affect network response times. If the delay is incurred outside your network infrastructure (such as along a path through the Internet), there is not much you can do.
Filter on a Host, Subnet or Conversation
If you capture traffic at the server or inside the network infrastructure, your trace file may contain conversations between many hosts on the network.
If you are interested in the traffic between a specific client and server, you can apply a display filter based on a host address, a subnet address or a conversation. Filtering based on addresses is a skill that you will use quite often.
In the next lab you will first examine Wireshark's address resolution details and then filter on a subnet address used by cnn. Wireshark Lab 4: Extract and Save a Single Conversation Step 1: Open tr-cnn. This trace file contains numerous conversations. We are going to extract the conversations between the local client and cnn.
Let's begin by looking at the name resolution information that Wireshark extracted from the trace file. Select Statistics Show Address Resolution. We can see the servers in the cnn. Click OK to close the Address Resolution window. In the display filter area, enter ip. Click Apply. The Status Bar indicates that packets match your filter. This filter is ideal if you want to focus on all conversations to and from the cnn.
Select File Export Specified Packets. The Displayed radio button is selected by default, as shown below. Name your file tr-cnntraffic. Click Save. We will continue working in tr-cnn. Next we will use the right-click method to apply a display filter to a single conversation.
Fifty-five packets should match this filter. Name your file tr-cnnconv1. Step 7: Click the Clear button to remove your display filter. Oftentimes it is easier to save the traffic from an interesting conversation to a separate trace file and work with just that traffic rather than analyze a larger file with unrelated traffic and potential distractions.
Filter on an Application Based on Port Number There are two ways to define a display filter on an application in a trace file—you can filter based on the application name if known to Wireshark or the port number in use.
If an application is UDP-based and Wireshark offers a filter based on the application name, you can simply filter based on that application name. For example, the filter tftp works fine for viewing all TFTP traffic. For example, the filter tcp. Wireshark Lab 5: We will use a port-based filter to view the FTP data transfer connection established by Open tr-twohosts.
First, let's filter on all traffic to and from Enter ip. Replace your address display filter with tcp. The Status Bar indicates that 28, packets match this filter. Let's contrast this with a display filter based on an application name.
Replace your TCP port filter with ftp-data and click Apply.
It is important to see how the application's underlying TCP connection was established as well as maintained. Since UDP-based applications do not have any transport layer overhead (such as connection establishment and teardown traffic), you can use an application name display filter and see all traffic related to that application.
Filter on Field Existence or a Field Value
There will be many times when you want to identify packets that contain a specific field or a specific field value.
For example, the display filter http. This field is only used in HTTP requests. The display filter dns. The dns. If you know the field name in which you are interested, you can simply type it into the display filter area.
Alternately, if you have a packet that contains that field you can right-click on the field and select Apply as Filter (place the filter in the display filter area and apply it immediately) or Prepare a Filter (place the filter in the display filter input field only, but do not apply it). You may want to use Prepare a Filter to check the filter syntax first, edit the filter, or add to the filter to create a compound filter with more than one condition.
The right-click method will always create a filter based on the field value in the packet. Wireshark Lab 6: We will create a filter to display all packets that contain this field. Open tr-winsize. When you click on the Request Method: GET line, the Status Bar provides the name of this field—http.
Type http. One packet matches the filter. This quick filter method can be used when you are interested in determining how many HTTP requests were sent to a server. You can expand this filter to include an IP address to focus on requests to or from a single source, if desired. For example, ip. If Wireshark Lab 7: This Window Size field value may be multiplied by a scaling factor if Window Scaling is in use. Since Window Scaling problems are not uncommon, this is time well spent.
If the advertised buffer space drops to zero, the host cannot accept any more data—a Zero Window condition has occurred. Change the display filter value to tcp. Your filter displays Packet when the client is advertising a byte receive buffer area. This value will stop the TCP peer from transmitting data if it has more than bytes of data queued up to transmit. Let's see if this low Window Size value is affecting the file transfer process. Click Clear to remove your filter. Notice the delay before the Window Update packet in this trace file Packet Essentially, the server could not transmit the full-sized packet because the client only had bytes of buffer space available.
The server had to wait until the client's buffer size increased (the Window Update packet). For more information on Window Updates, see Window Update. Window Size problems have been plaguing networks for the past several years.
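The Window Scaling arithmetic behind Lab 7, and the wait the text describes before the Window Update, are worked through below. This is an added example, not code from the book: the segment list is constructed, with a client that negotiates a scale factor of 128 (shift count 7), later advertises a raw window of 2 (256 bytes after scaling, too little for one full-sized segment) and sends its Window Update 450 ms later. The field names in the comments are the standard Wireshark ones: tcp.window_size_value is the raw 16-bit field and tcp.window_size is the scaled value Wireshark calculates.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Seg:
    """A TCP segment as seen in the Packet List."""
    number: int
    time: float
    src: str
    dst: str
    flags: frozenset = field(default_factory=frozenset)
    window_value: int = 0               # tcp.window_size_value: the raw 16-bit field
    wscale_shift: Optional[int] = None  # shift count from the Window Scale option (SYN only)


CLIENT, SERVER = "10.0.0.5", "203.0.113.80"

# Constructed sample (not the book's trace).
SAMPLE: List[Seg] = [
    Seg(1, 0.000, CLIENT, SERVER, frozenset({"SYN"}),        65535, wscale_shift=7),
    Seg(2, 0.050, SERVER, CLIENT, frozenset({"SYN", "ACK"}), 29200, wscale_shift=2),
    Seg(3, 0.051, CLIENT, SERVER, frozenset({"ACK"}),        512),   # 512 << 7 = 65536 bytes
    Seg(4, 0.300, SERVER, CLIENT, frozenset({"ACK", "PSH"}), 7300),  # data from the server
    Seg(5, 0.301, CLIENT, SERVER, frozenset({"ACK"}),        2),     # 2 << 7 = 256 bytes free
    Seg(6, 0.751, CLIENT, SERVER, frozenset({"ACK"}),        512),   # the Window Update
]


def negotiate_shifts(segs: List[Seg]) -> Dict[str, int]:
    """Window scaling is in effect only if both the SYN and the SYN/ACK carried
    the option. Returns the shift count each host applies to its own later
    advertisements (0 when scaling is off)."""
    syns = [s for s in segs if "SYN" in s.flags]
    if len(syns) < 2 or any(s.wscale_shift is None for s in syns):
        return {s.src: 0 for s in syns}
    return {s.src: s.wscale_shift for s in syns}


def effective_window(seg: Seg, shifts: Dict[str, int]) -> int:
    """tcp.window_size as Wireshark calculates it: the raw value multiplied by
    the sender's scale factor, except in the SYN packets, which are never scaled."""
    if "SYN" in seg.flags:
        return seg.window_value
    return seg.window_value << shifts.get(seg.src, 0)


def low_window_frames(segs: List[Seg], threshold: int = 1460) -> List[Tuple[int, int]]:
    """Frames advertising less receive space than one full-sized segment
    (default MSS of 1460 bytes). An effective value of 0 is a Zero Window."""
    shifts = negotiate_shifts(segs)
    return [(s.number, effective_window(s, shifts))
            for s in segs
            if "SYN" not in s.flags and effective_window(s, shifts) < threshold]


def window_update_delay(segs: List[Seg], host: str,
                        threshold: int = 1460) -> Optional[Tuple[int, int, float]]:
    """How long the peer had to wait: from the first low advertisement by `host`
    to the next segment from `host` advertising at least `threshold` bytes.
    Returns (low_frame, update_frame, seconds), or None if no update was captured."""
    shifts = negotiate_shifts(segs)
    low: Optional[Seg] = None
    for s in segs:
        if s.src != host or "SYN" in s.flags:
            continue
        if low is None and effective_window(s, shifts) < threshold:
            low = s
        elif low is not None and effective_window(s, shifts) >= threshold:
            return (low.number, s.number, s.time - low.time)
    return None


if __name__ == "__main__":
    print("low windows (frame, bytes):", low_window_frames(SAMPLE))
    print("window update (low frame, update frame, delay s):", window_update_delay(SAMPLE, CLIENT))
```

The same raw value of 2 means 2 bytes if the SYN/ACK had omitted the Window Scale option, which is why the text suggests checking the handshake packets for the option before trusting the WinSize column: the filter tcp.window_size == 2 and the filter tcp.window_size_value == 2 match different packets whenever scaling is in use.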
Identify TCP Issues. To filter out traffic based on an application name, simply precede the application display filter name with an exclamation point! For example, to remove ARP from view, use! There are two methods you can use to exclude traffic based on a field value. One method uses the! The other uses the! Each of these methods is used in the examples below. Use the second method! Correct Display Filter! Wireshark Lab 8: Filter Out Applications and Protocols In this lab you will remove a set of applications and protocols from view.
We will filter these from view to determine what other traffic is seen on this network. Open tr-general. In the display filter area, type! There are 40 packets that match this filter. Eight packets are displayed. The displayed packets indicate there are two hosts running Dropbox on the network. This process of filtering out traffic is especially useful when you are analyzing traffic during idle time (when no user is at the keyboard).
The traffic indicates background processes that run without user interaction. This is a great baseline to create. For more information on creating baselines, see Tips for Faster Problem Detection. These buttons can be created and used to quickly apply display filters to your traffic to identify common network problems. These are two options that enhance TCP's performance by reducing the number of retransmissions after packet loss (SACK) and increasing the advertised receive buffer space above the 65, byte value (Window Scaling).
Wireshark Lab 9: Open tr-smbjoindomain. Packet 11 is the first SYN packet in the trace file. We will build the filter first and then turn the filter into a filter expression button. Right-click on the SYN: Set line and select Prepare a Filter Selected.
Wireshark places the first part of the filter in the display filter area. Scroll down to the TCP Options area. True line. Notice the syntax for this field is listed in the Status Bar area—tcp. We are interested in TCP handshake packets that do not contain this value. Let's just type the last portion of the filter—we want to know if the Window Scaling multiplier is missing in these SYN packets.
The connections established by these packets will not support all the desired TCP functions. Don't forget to clear your filter when you are finished reviewing the results of this lab step. Leaving these parentheses out may give you unexpected results because logical OR is evaluated before logical AND.
As recently as Wireshark 1. The filter would be tcp. Try this yourself on tr-general. Compare the results of these three display filters: The Expert Infos definitions are contained in the dissectors. For example, the TCP dissector packet-tcp. Wireshark Lab Click the Expert Infos button in the bottom left corner of the Status Bar. The Expert Infos window is divided into six tabs:
Errors: Checksum errors, dissector failures
Warnings: Potential problems detected
Notes: Symptoms of problems; typically recovery processes
Chats: TCP connection overhead (handshake, Window updates, disconnects)
Details: List of all packet comments in the trace file
Step 3: If IPv4 checksum validation is disabled (the recommended setting), there are no Expert Infos Errors in this trace file.
Toggle back to the Expert Infos window. Click the Warnings tab. Click the in front of each section to view the packets that are tagged with a particular Expert Infos indication. Click on a packet to jump to that location in the trace file. There are instances of possible packet loss in this trace file. Since packet loss impacts throughput, this is likely causing some performance problems. For more details on packet loss, see Previous Segment Not Captured.
Out-of-order packets may not be causing a noticeable delay in communications. See Out-of-Order Packets for more details.
Click the Notes tab. Duplicate ACKs are sent by a receiver to request a missing packet. As you scroll through this list you will notice that the receiver sent Duplicate ACKs to recover a missing packet. The high rate of Duplicate ACKs may be caused by a very high latency path or a brief connection outage. Click the Count column heading twice to sort from high to low and you will notice there are over 1, Retransmissions in this trace file. Certainly packet loss and the resulting retransmissions appear to be plaguing this communication.
Click Close to shut down the Expert Infos window. The Expert Infos window offers a quick way to locate and jump to communication problems in the trace file. In Symptom-Based Troubleshooting you will create numerous filters and filter expression buttons based on these Expert Infos items.
Change Dissector Behavior Preference Settings
Some of Wireshark's predefined preference settings are not ideal for troubleshooting. For example, the Allow subdissector to reassemble TCP streams preference is enabled by default, but there are many times when you will want this disabled—such as when you are measuring HTTP Response Times http.
Many labs in this book refer to TCP preference settings that should be changed to troubleshoot more efficiently.
In the next lab you will compare results when the Allow subdissector to reassemble TCP streams preference setting is enabled and disabled. You will use the right-click method to quickly change this TCP preference. You will also see how this setting affects the http. Open tr-youtubebad. At the start of this trace file we see a TCP handshake Packets Unfortunately, you cannot see the Response Code in the Info column for Packet 6 because the Allow subdissector to reassemble TCP streams preference setting is enabled.
The Response Code is visible on Packet 29,—the packet containing the last bytes of the requested item. A hyperlink to the response packet is located at the bottom of the HTTP section.
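The GUI steps in Labs 4, 5, 6 and 8 and the preference change just described all have a command-line equivalent in tshark, which is what you reach for when the same check has to run over many trace files. The following is an added example, not code from the book or from the Wireshark project. It builds the tshark command lines (and runs them only if tshark is installed); TRACE.pcapng, the addresses, the 198.51.100.0/24 subnet and the conv1.pcapng output name are placeholders, and tcp.port == 20 stands in for whatever port the lab's FTP data connection actually used. The tshark options (-r, -Y, -T fields, -e, -E, -w, -o) and the field and preference names used here exist in current tshark releases.

```python
import shutil
import subprocess
from typing import Dict, Iterable, List, Optional

TRACE = "TRACE.pcapng"   # placeholder: substitute the lab trace file


def conversation_filter(a: str, a_port: int, b: str, b_port: int, transport: str = "tcp") -> str:
    """What the right-click Conversation Filter produces: both endpoints and both
    ports, so exactly one TCP (or UDP) conversation matches."""
    return (f"ip.addr == {a} && {transport}.port == {a_port} && "
            f"ip.addr == {b} && {transport}.port == {b_port}")


def exclude(protocols: Iterable[str]) -> str:
    """Remove several protocols from view at once. Negating the whole OR group in
    parentheses keeps the result unambiguous regardless of how && and || bind."""
    return "!(" + " || ".join(protocols) + ")"


def tshark_argv(display_filter: str,
                trace: str = TRACE,
                fields: Optional[List[str]] = None,
                export_to: Optional[str] = None,
                prefs: Optional[Dict[str, str]] = None) -> List[str]:
    """Build the tshark equivalent of one GUI lab step:
    -Y applies a display filter, -e adds a field as a column (-T fields),
    -w writes only the displayed packets to a new file (File > Export Specified
    Packets with Displayed selected), and -o overrides a preference for this run."""
    argv = ["tshark", "-r", trace, "-Y", display_filter]
    for name, value in (prefs or {}).items():
        argv += ["-o", f"{name}:{value}"]
    if export_to:
        argv += ["-w", export_to]
    elif fields:
        argv += ["-T", "fields", "-E", "header=y"]
        for f in fields:
            argv += ["-e", f]
    return argv


LAB_STEPS: Dict[str, List[str]] = {
    # Lab 4: everything to and from a subnet, then one conversation saved to its own file
    "subnet":        tshark_argv("ip.addr == 198.51.100.0/24"),
    "conversation":  tshark_argv(conversation_filter("10.0.0.5", 40000, "198.51.100.20", 80),
                                 export_to="conv1.pcapng"),
    # Lab 5: port-based filter versus application-name filter for the FTP data connection
    "ftp_by_port":   tshark_argv("tcp.port == 20"),
    "ftp_by_name":   tshark_argv("ftp-data"),
    # Lab 6: field existence (http.request.method) narrowed to requests from one host
    "http_requests": tshark_argv("http.request.method && ip.src == 10.0.0.5",
                                 fields=["frame.number", "http.request.method", "http.host"]),
    # Lab 8: several protocols removed from view to see the background traffic
    "background":    tshark_argv(exclude(["arp", "dns", "ssdp", "nbns"])),
    # Preference change: http.time per response packet instead of per reassembled object
    "http_time":     tshark_argv("http.time",
                                 fields=["frame.number", "http.response.code", "http.time"],
                                 prefs={"tcp.desegment_tcp_streams": "FALSE"}),
}


def run(argv: List[str]) -> Optional[str]:
    """Run tshark if it is on PATH and return its stdout; None when it is not installed."""
    if shutil.which(argv[0]) is None:
        return None
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    for name, argv in LAB_STEPS.items():
        print(f"{name}: {' '.join(argv)}")
        output = run(argv)
        if output is not None:
            print(output)
```

Because -o changes the preference for that one tshark run only, the http_time step measures response time against the first packet of each response without touching the profile that Wireshark itself uses; compare its output with the same command run without the -o override to see the difference the text describes for Packet 6.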