Wireshark (formerly Ethereal)
Christophe PLANTIN, Regional Service delivery EMEA / NDIO
V1.03
agenda
introduction
capturing a trace
reading a trace
customize the workspace
display filters
advanced features
I/O graphs
TCP: time/sequence graph
HTTP analysis
Streaming analysis
Unexpected traffic
PDP context activation time
introduction
use cases
Wireshark is a network sniffer (protocol analyser) that can capture and decode almost every
protocol on almost every type of network.
It is the first step in understanding what happens on the wire and in troubleshooting network issues.
The main features are:
Capture from different network types (Ethernet, ATM)
The capture can be performed directly on the machine that sends or receives the packets, or
anywhere in between, provided that the traffic is mirrored or redirected to the machine running Wireshark.
File decoding from many formats, including:
default format used by Wireshark (*.cap, *.pcap)
RADCOM WAN/LAN analyzer (*.*)
Tektronix K12xx 32-bit (*.rf5)
Microsoft NetMon 1.x and 2.x (*.cap)
File export to many formats, including:
Microsoft NetMon 1.x and 2.x (*.cap)
CSV (comma-separated values packet summary), to be opened with MS Excel
Almost all protocols are detected and decoded:
TCP/IP and all the usual Internet protocols (FTP, HTTP, ICMP, UDP, RTP, RTSP, etc.)
introduction
download and install
URL for software download: http://www.wireshark.org/download.html
On top of Wireshark, WinPcap is necessary to capture data (it is included in the
installer package).
The installation is straightforward: Wireshark and WinPcap are installed one
after the other. If users without administrator rights have to capture traffic, remember to
select the WinPcap option that starts its driver automatically at boot time (i.e. run it as a
service); otherwise only administrators will be able to capture network traces.
Recommendation: add the Wireshark install path to the system PATH (System properties /
Advanced / Environment variables) so that the command-line tools shipped with Wireshark (tshark, etc.)
can be run more easily from a command prompt.
capturing a trace (1/4)
Any interface or network socket associated with an IP address may be
captured: LAN interface, PPP, extranet (VPN)
Warning: the trace can only start after the IP address has been allocated, i.e. after PDP
context activation, or after DHCP negotiation.
Capture size: if you capture full packets, a capture performed during an
FTP transfer of a 10 MB file will be at least 10 MB (payload plus headers). Reduce the
snapshot length (snaplen) to keep only the headers when the payload is not needed.
capturing a trace (3/4)
filtering during the capture
Only the packets matching
the filter rule are kept; the others are never written to the trace.
A capture filter (libpcap/BPF syntax) includes:
a protocol (ether, ip, tcp, udp)
a direction (src, dst)
a field like host, net, port
a value
Operators and, or and not may be
used to combine different filters, e.g. tcp and dst host 10.127.10.12 and not port 22
Note that this syntax differs from the display filter syntax used later (ip.addr == 10.127.10.12).
reading a trace (1/5)
customize the workspace
Main window (figure): three panes, from top to bottom: the list of captured packets (1 line = 1 packet), the protocol layers of the packet selected above, and the raw content of the packet selected above (hex).
reading a trace (2/5)
customize the workspace
Different colors may be assigned to different protocols or protocol fields.
Coloring rules can be edited (View / Coloring Rules).
reading a trace (3/5)
customize the workspace
>Edit / Preferences lets you modify the main window, in particular to add
columns. It is advised to add columns for:
- Src port / Dst port: to identify the protocol clearly, or to analyze web performance when
several ports are open simultaneously
- Length: to easily tell big packets (likely user data) from small packets (likely
signaling, or ACKs)
>View / Time Display Format lets you change the time display between 2 main
categories:
- absolute time display (time of day)
- relative time display: since the beginning of the capture, or since the previous captured packet.
reading a trace (4/5)
display filters
>Faster analysis by displaying only the interesting packets.
>The other packets are not lost (unlike with capture filters, which discard non-matching packets for good).
reading a trace (5/5)
display filters
Examples:
>ip.addr == 10.127.10.12
- displays all packets with IP address 10.127.10.12 (as source or destination)
>ip.addr == 10.127.10.12 or ip.addr == 10.127.10.13
- displays all packets with IP address 10.127.10.12, 10.127.10.13, or both.
>udp.srcport > 9046
- displays UDP packets whose source port is strictly above 9046.
advanced features
I/O graphs
>Statistics / IO Graphs displays a graph of the number of packets, or bytes, per time unit.
- The throughput is easily obtained with tick interval = 1 s and unit: Bytes/tick
- the graph is updated in real time during the capture
>Display filters may be used to draw only a part of the traffic, for instance:
- throughput per protocol (FTP, HTTP, ...) or per TCP port (e.g. in case of parallel downloads)
- throughput per direction or IP address, e.g. DL & UL traffic as displayed below
Figure: I/O graph of an FTP download (throughput and number of packets, UL vs DL). During the FTP DL transfer the UL throughput is almost null, but a significant number of packets is sent in UL (TCP ACKs).
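The display filters of the previous section and the UL/DL breakdown of the I/O graph, as an added example that is not part of the original training material and not Wireshark's own code: a minimal reader for classic libpcap files that decodes Ethernet/IPv4/TCP/UDP headers into Wireshark-style field names, evaluates a deliberately small subset of the display filter syntax (==, >, < joined by and/or, no parentheses), and computes bytes and packets per second per direction, which is what the I/O graph above plots. The capture is constructed in memory (an FTP-data download to 10.127.10.12 from the made-up server 192.0.2.10, the client's ACKs, and one stray UDP packet), so the script runs offline; the server address, ports and timestamps are assumptions.

```python
"""Added example for these notes (not Wireshark's code): a minimal libpcap reader with
display-filter style predicates and an I/O-graph style UL/DL breakdown (Ethernet/IPv4/TCP/UDP only)."""
import operator
import struct
from collections import defaultdict
from ipaddress import IPv4Address

ETH_IPV4, PROTO_TCP, PROTO_UDP, LINKTYPE_ETHERNET = 0x0800, 6, 17, 1
OPS = {"==": operator.eq, ">": operator.gt, "<": operator.lt}
# magic number as read little-endian -> (byte order of the file, timestamp fraction unit)
PCAP_MAGICS = {0xA1B2C3D4: ("<", 1e6), 0xA1B23C4D: ("<", 1e9), 0xD4C3B2A1: (">", 1e6), 0x4D3CB2A1: (">", 1e9)}


def decode(raw):
    """Map one Ethernet frame to Wireshark field names; ip.addr holds both addresses."""
    pkt = {"frame.len": len(raw)}
    if len(raw) < 34 or struct.unpack("!H", raw[12:14])[0] != ETH_IPV4:
        return pkt                       # not IPv4, or truncated by the snaplen
    ihl, proto = (raw[14] & 0x0F) * 4, raw[23]
    src, dst = str(IPv4Address(raw[26:30])), str(IPv4Address(raw[30:34]))
    pkt.update({"ip.src": src, "ip.dst": dst, "ip.addr": {src, dst}, "ip.proto": proto})
    l4 = raw[14 + ihl:]
    if proto in (PROTO_TCP, PROTO_UDP) and len(l4) >= 4:
        name = "tcp" if proto == PROTO_TCP else "udp"
        pkt[name + ".srcport"], pkt[name + ".dstport"] = struct.unpack("!HH", l4[:4])
    return pkt


def read_pcap(data):
    """Yield (timestamp, decoded packet) from a classic libpcap file (not pcapng)."""
    magic, = struct.unpack("<I", data[:4])
    if magic not in PCAP_MAGICS:
        raise ValueError("not a classic libpcap file")
    endian, ticks_per_second = PCAP_MAGICS[magic]
    if struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        sec, frac, incl, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16                        # incl < orig when the snaplen cut the frame
        yield sec + frac / ticks_per_second, decode(data[off:off + incl])
        off += incl


def matches(pkt, expr):
    """'field op value' clauses (==, >, <) joined by and/or, evaluated left to
    right without parentheses: enough for the examples in these notes."""
    toks, result, join = expr.split(), None, None
    for i in range(0, len(toks), 4):
        field, op, lit = toks[i], toks[i + 1], toks[i + 2]
        lit, val = (int(lit) if lit.isdigit() else lit), pkt.get(field)
        if val is None:
            clause = False               # a packet without the field never matches
        elif isinstance(val, set):       # multi-valued field such as ip.addr: any occurrence
            clause = lit in val
        else:
            clause = OPS[op](val, lit)
        result = clause if result is None else (result and clause if join == "and" else result or clause)
        join = toks[i + 3].lower() if i + 3 < len(toks) else None
    return bool(result)


def apply_filter(records, expr):
    """Display filter: return the matching records; the rest stay in the capture."""
    return [(ts, pkt) for ts, pkt in records if matches(pkt, expr)]


def io_graph(records, local_ip, tick=1.0):
    """Bytes and packets per tick, split into UL (sent by local_ip) and DL."""
    buckets = defaultdict(lambda: {"ul_bytes": 0, "dl_bytes": 0, "ul_pkts": 0, "dl_pkts": 0})
    t0 = records[0][0] if records else 0.0
    for ts, pkt in records:
        side = "ul" if pkt.get("ip.src") == local_ip else "dl"
        b = buckets[int((ts - t0) // tick)]
        b[side + "_bytes"] += pkt["frame.len"]
        b[side + "_pkts"] += 1
    return dict(buckets)


# Constructed sample capture: an FTP-data download to CLIENT plus one stray UDP packet.
CLIENT, SERVER = "10.127.10.12", "192.0.2.10"


def frame(src, dst, proto, sport, dport, payload_len):
    """Ethernet/IPv4 + TCP or UDP header with zero checksums (never verified here)."""
    if proto == PROTO_UDP:
        l4 = struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)
    else:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x10, 8192, 0, 0)
    l4 += b"\x00" * payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", ETH_IPV4) + ip + l4


def pcap_file(frames):
    """Serialise (timestamp, frame) pairs as a little-endian libpcap file."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, raw in sorted(frames, key=lambda f: f[0]):
        sec = int(ts)
        out += struct.pack("<IIII", sec, int(round((ts - sec) * 1e6)), len(raw), len(raw)) + raw
    return out


SAMPLE = pcap_file(
    [(1000.0 + i * 0.1, frame(SERVER, CLIENT, PROTO_TCP, 20, 1500, 1460)) for i in range(10)]  # DL data
    + [(1000.05 + i * 0.1, frame(CLIENT, SERVER, PROTO_TCP, 1500, 20, 0)) for i in range(10)]  # UL ACKs
    + [(1001.2, frame(CLIENT, "10.127.10.13", PROTO_UDP, 9050, 53, 30))])
```

With records = list(read_pcap(SAMPLE)), apply_filter(records, "ip.addr == 10.127.10.12") keeps all 21 packets, "ip.addr == 10.127.10.13 or udp.srcport > 9046" keeps the single UDP packet, and io_graph(records, CLIENT) gives, for the first second, 15140 B in 10 DL packets against 540 B in 10 UL packets: the ACK-only uplink the figure above describes. Two practical caveats: Wireshark saves pcapng by default since version 1.8, so save as classic pcap (File / Save As) before feeding a file to this reader; and to exclude a host in Wireshark itself, write !(ip.addr == X) rather than ip.addr != X, because on a field that occurs twice per packet the meaning of != changed in Wireshark 3.6, while the negated form means the same in every release.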
advanced features
TCP: time/sequence graph
>When selecting a TCP data packet and using
Statistics / TCP Stream Graph / Time Sequence Graph,
we get a very powerful tool to analyse
and troubleshoot TCP performance (retransmissions and stalls show up as breaks in the otherwise rising curve).
>Statistics / HTTP
- 3 menus are available to compute
the statistics per domain, address, or
HTTP response code (e.g. number of
404 Not Found)
advanced features
streaming analysis: how to handle UDP?
>Video streaming (Live TV) is transferred over RTP/UDP.
>If not automatically recognized, RTP decoding may be forced with
Right Click / Decode As... (RTP), or by enabling the "Try to decode RTP outside of conversations"
heuristic in the RTP protocol preferences.
>Statistics / RTP lists the different RTP streams (usually one for video and one
for audio) and provides stats like packet loss rate and jitter.
advanced features
unexpected traffic
Always check whether some unexpected traffic is visible.
>Always check whether packets are sent/received without any user action once you are connected.
>Some spyware may generate traffic without the user's consent (example below with TFTP traffic).
A regular PC clean-up with anti-spyware software is required.
>Some Windows services may also generate traffic (search for network locations or printers, clock
update): deactivate these functions as much as possible.
This unexpected activity may decrease the throughput, and also prevents the
device from going to the idle radio state.
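The check above, as an added example that is not part of the original training material and not a Wireshark feature: a script that reads the packet-list CSV export (File / Export as CSV, with View / Time Display Format set to seconds since the beginning of the capture) and flags packets exchanged while the user was idle, plus packets of protocols outside an allowlist. The export below is constructed to mimic the slide's spyware-over-TFTP case; the addresses, the idle window and the allowlist are assumptions an analyst would replace with their own.

```python
"""Added example for these notes, not a Wireshark feature: scan a packet-list CSV export
for traffic seen while the user was idle and for protocols outside an allowlist."""
import csv
import io
from collections import Counter

# Constructed export: a short HTTP session, then TFTP and NetBIOS browser traffic
# while the user is idle, then the HTTP session being closed a minute later.
CSV_EXPORT = """\
"No.","Time","Source","Destination","Protocol","Length","Info"
"1","0.000000","10.127.10.12","192.0.2.10","TCP","62","1500 > 80 [SYN] Seq=0 Win=65535 Len=0"
"2","0.120000","192.0.2.10","10.127.10.12","TCP","62","80 > 1500 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0"
"3","0.121000","10.127.10.12","192.0.2.10","HTTP","512","GET /index.html HTTP/1.1"
"4","0.350000","192.0.2.10","10.127.10.12","HTTP","1514","HTTP/1.1 200 OK  (text/html)"
"5","0.352000","10.127.10.12","192.0.2.10","TCP","54","1500 > 80 [ACK] Seq=459 Ack=1461 Win=65535 Len=0"
"6","31.500000","10.127.10.12","203.0.113.44","TFTP","78","Read Request, File: update.exe, Transfer type: octet"
"7","31.620000","203.0.113.44","10.127.10.12","TFTP","558","Data Packet, Block: 1"
"8","45.000000","10.127.10.12","10.127.10.255","BROWSER","243","Host Announcement WORKSTATION, Workstation, Server"
"9","61.000000","10.127.10.12","192.0.2.10","TCP","54","1500 > 80 [FIN, ACK] Seq=459 Ack=1461 Win=65535 Len=0"
"""


def load_packets(csv_text):
    """Parse the export; Time must be relative seconds for float() to work."""
    return [{"no": int(r["No."]), "time": float(r["Time"]), "src": r["Source"],
             "dst": r["Destination"], "proto": r["Protocol"], "len": int(r["Length"]),
             "info": r["Info"]} for r in csv.DictReader(io.StringIO(csv_text))]


def find_unexpected(packets, local_ip, idle_windows, allowed_protocols):
    """Flag packets seen inside analyst-supplied idle windows (relative seconds)
    and packets of protocols that are not on the allowlist."""
    findings = []
    for p in packets:
        reasons = []
        if any(lo <= p["time"] <= hi for lo, hi in idle_windows):
            direction = "sent" if p["src"] == local_ip else "received"
            reasons.append(direction + " during idle window")
        if p["proto"] not in allowed_protocols:
            reasons.append("protocol " + p["proto"] + " not on allowlist")
        if reasons:
            findings.append((p["no"], p["proto"], p["src"], p["dst"], "; ".join(reasons)))
    return findings


def bytes_by_protocol(packets):
    """Bytes per top-level protocol, to see how much of the trace the noise represents."""
    totals = Counter()
    for p in packets:
        totals[p["proto"]] += p["len"]
    return totals


if __name__ == "__main__":
    packets = load_packets(CSV_EXPORT)
    for no, proto, src, dst, why in find_unexpected(packets, "10.127.10.12", [(1.0, 60.0)],
                                                    {"TCP", "HTTP", "DNS"}):
        print(f"#{no} {proto:8} {src} -> {dst}: {why}")
    print(dict(bytes_by_protocol(packets)))
```

Run on the constructed export, packets 6 to 8 are reported (the TFTP read request and data block, and the browser announcement), while the delayed FIN at 61 s is not, because the user was active again and TCP is on the allowlist. The idle window is the only thing the script cannot infer from the trace: note the times at which you stopped touching the device before exporting.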
advanced features
PDP context activation time
>Radio messages such as PDP Context Activation Request are only sent over the air
and are not directly visible in Wireshark,
>but the PDP activation time may be extracted from the PPP messages.
- The connection at PPP level between the PC and the modem triggers the PDP activation over the radio.
>The duration has to be computed between the 1st PPP Configuration Request (LCP)
and the last PPP Configuration Ack that allocates the IP address (IPCP).
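The measurement above, as an added example that is not part of the original training material and not a Wireshark feature: a script that derives the activation time from a packet-list CSV export of the PPP link between the PC and the modem, from the first PPP Configuration Request to the last IPCP Configuration Ack, and also shows how the time splits between link establishment, authentication and address assignment. The export below is constructed (timings, packet lengths and the CHAP exchange are assumptions); a real export carries the same columns and the same "PPP LCP" / "PPP IPCP" protocol names and "Configuration Request" / "Configuration Ack" summaries.

```python
"""Added example for these notes, not a Wireshark feature: derive the PDP context
activation time from a packet-list CSV export of a PPP dial-up link."""
import csv
import io

# Constructed export of a PPP session: LCP, CHAP, then IPCP assigning the address.
PPP_EXPORT = """\
"No.","Time","Source","Destination","Protocol","Length","Info"
"1","0.000000","","","PPP LCP","22","Configuration Request"
"2","0.031000","","","PPP LCP","22","Configuration Request"
"3","0.034000","","","PPP LCP","22","Configuration Ack"
"4","0.062000","","","PPP LCP","22","Configuration Ack"
"5","0.110000","","","PPP CHAP","34","Challenge"
"6","0.132000","","","PPP CHAP","41","Response"
"7","1.905000","","","PPP CHAP","12","Success"
"8","1.921000","","","PPP IPCP","28","Configuration Request"
"9","3.452000","","","PPP IPCP","28","Configuration Nak"
"10","3.461000","","","PPP IPCP","28","Configuration Request"
"11","3.470000","","","PPP IPCP","28","Configuration Ack"
"12","3.478000","","","PPP IPCP","16","Configuration Request"
"13","3.485000","","","PPP IPCP","16","Configuration Ack"
"""


def load_packets(csv_text):
    """Time must be relative seconds (View / Time Display Format) for float() to work."""
    return [(int(r["No."]), float(r["Time"]), r["Protocol"], r["Info"])
            for r in csv.DictReader(io.StringIO(csv_text))]


def pdp_activation_time(packets):
    """Return the activation time and how it splits between LCP, authentication and
    IPCP, or None when the trace holds no completed IPCP negotiation."""
    def times(proto, info_prefix=""):
        return [t for _, t, p, info in packets if p == proto and info.startswith(info_prefix)]

    requests = [t for _, t, p, info in packets
                if p.startswith("PPP") and info.startswith("Configuration Request")]
    ipcp_acks = times("PPP IPCP", "Configuration Ack")
    if not requests or not ipcp_acks:
        return None
    start, ip_assigned = min(requests), max(ipcp_acks)
    lcp_done = max(times("PPP LCP", "Configuration Ack"), default=start)
    ipcp_start = min(times("PPP IPCP"), default=ip_assigned)
    return {"start": start, "ip_assigned": ip_assigned,
            "total": round(ip_assigned - start, 6),
            "lcp": round(lcp_done - start, 6),             # link establishment
            "auth": round(ipcp_start - lcp_done, 6),       # CHAP/PAP until IPCP starts
            "ipcp": round(ip_assigned - ipcp_start, 6)}    # address assignment


if __name__ == "__main__":
    print(pdp_activation_time(load_packets(PPP_EXPORT)))
```

On the constructed trace the total is 3.485 s, of which 0.062 s is LCP, 1.859 s authentication and 1.564 s IPCP; the per-phase split is what tells you whether the delay sits in the network's address assignment or earlier. A trace cut before the IPCP Configuration Ack yields None rather than a misleading partial duration.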
thank you!