WireShark Training

(formerly Ethereal)
Christophe PLANTIN, Regional Service delivery EMEA / NDIO
V1.03
agenda
introduction

capturing a trace

reading a trace
customize the workspace
display filters

advanced features
I/O graphs
TCP: time/sequence graph
HTTP analysis
Streaming analysis
Unexpected traffic
PdP context activation time
2
 introduction
use cases
Wireshark is a network sniffer that can capture and decode pretty much all types of
protocols on all types of networks.
It is a first step in understanding what happens and troubleshooting network issues.
The main features are:
Capture from different network types (Ethernet, ATM)
The capture can be performed directly from the machine that sends or receives the packets, or
anywhere in between providing that the traffic is redirected to a machine running WireShark.
File decoding from many formats, including:
default format used by WireShark (*.cap, *.pcap)
RADCOM Wan/LAN analyzer (*.*)
Tektronix K12xx 32bit (*.rf5)
Microsoft NetMon 1.x et 2.x (*.cap)
File export to many formats, including:
Microsoft NetMon 1.x et 2.x (*.cap)
CSV (Comma Separated Values packet summary) to be opened with MS.Excel
Almost all protocols are detected and decoded:
TCP/IP and all typical internet protocols (FTP, HTTP, ICMP, UDP, RTP, RTSP etc.)
3
 introduction
download and install
URL for software download: http://www.wireshark.org/download.html
On top of Wireshark, WinpCap is necessary to capture data (included in the
package)
The installation is straight-forward: Wireshark and WinpCap are installed one
after the other. If you do not have administrator rights, then remember to install
WinpCap as a service to be able to capture network traces.

Several useful tools are also included in the package:

Tethereal: same as Ethereal but command-line style
Editcap: pcap file modifications, e.g. format change or time offset
Text2pcap: from one text file (with specific format) to pcap file
MergeCap: merge several pcap files into one.

Recommandation: Include Wireshark install path in the default system path (System properties /
advanced / environment variables) to use the tools above more easily in command line.
4
agenda
introduction

capturing a trace

reading a trace
customize the workspace
display filters

advanced features
I/O graphs
TCP: time/sequence graph
HTTP analysis
Streaming analysis
Unexpected traffic
PdP context activation time
5
capturing a trace (1/4)
Any interface or network socket that is associated to an IP@ may be
captured: LAN interface, PPP, extranet (VPN)
Warning: the trace can only start after the IP@ allocation, i.e. after PDP
context activation, or after DHCP negociation.

The interfaces seen by Wireshark

are available with capture / interfaces

The active interfaces can be spotted easily by looking at the number of

packets sent/received (some traffic is visible on the LAN below):
A capture can be started
directly (Start) or through
Options submenu
(see next slide)
6
capturing a trace (2/4)
capture Options
1
1- Choose the network interface.
(typically generic dialup or
PPP interface )
2- Limit the packet size - useful to
2
capture only headers during long
captures (120bytes would be good 3 5
for FTP/TCP headers)
3- Specify the a name; you may
also split long captures
4- and define conditional stop.
5- Display: useful to check if tests
are running well. 4

Tick all in Display section (5)

and check that the packets are
visible in real-time during the test.

Capture size: If you capture the full packets, a capture performed during an
7
FTP transfer of a 10Mo file will be 10Mo.
capturing a trace (3/4)
filtering during the capture
Only the packets verifying
the filter rule will be kept.
A filter includes:
a protocol (Ether, TCP, UDP)
a direction (Src, Dst)
a field like host, net, port
a value
Operators and, or & not may be
used to combine different filters.

Examples : You may also use

predefined filters by
udp port 53 clicking on
only keeps UDP packets to / from port 53
Capture Filter
udp port 53 and dst host 172.16.0.1
only keeps UDP packets to / from port 53
going to host 172.16.0.1
host 172.16.0.1 and tcp
8
only keeps TCP packets to / from host 172.16.0.1
capturing a trace (4/4)
saving the capture
To save the capture in itself, simply use file / save.
All the content of the packets will be saved.
You may chose to save the packets displayed only (see display filter in next slides)

To export into CSV format: use file / export / file

Then select .csv as the file type
In that case, not all the content of the packets will be saved:
you may choose what to export
(typically the packet summary line is enough)
The result may be opened with excel for light post processing.

[NEW] export objects: file / export / objects

In the latest version of Wireshark, you may even
save any content sent in HTTP
example: extract the html body of a web page captured,
9
or some particular jpg image.
agenda
introduction

capturing a trace

reading a trace
customize the workspace
display filters

advanced features
I/O graphs
TCP: time/sequence graph
HTTP analysis
Streaming analysis
Unexpected traffic
PdP context activation time
10
 reading a trace (1/5)
customize the workspace
 Main window

List of packet
captured
(1 line = 1
packet)

Protocol layers
of the packet
selected above

Rough content
of the packet
selected above
(HEX) 11
 reading a trace (2/5)
customize the workspace
 Different colors may be associated to different protocols or protocol fields
 Coloring rules
can be edited

12
 reading a trace (3/5)
customize the workspace
>Edit / Preferences allows to modify the main window, and in particular to add some
columns. It is advised to add column for:
- Src port / Dst port: to identify the protocol clearly, or to analyze web performance when
several ports are opened simultaneously
- Length: to easily differentiate big packets (likely to be user data) and small packets (likely to
be signaling, or ACK)

>View / Time Display Format allows to modify the time display according to 2 main
categories:
- Absolute time display
- Relative time display: from the beginning of the capture, or from last captured packet.

>Edit allows to set a marker to any selected packet, for instance:

- Mark Packet highlight the packet to get back to it quickly afterwards
(you may also keep track of the packet number and use Go / Go to Packet)
- Set Time Reference. The time from the beginning of the capture will now refer to this
packet. This allows to compute procedure duration easily (e.g. Set Time Reference to the first
SYN of a web page and check the full download time at the last packet of the page)

13
reading a trace (4/5)
display filters
>Faster analysis by displaying only interesting packets.
>The rest of the packets is not lost (on the contrary to Capture Filters)

>Type the rule directly or use the

assistant by clicking Expression

>Operators of comparison may be

used: == (equal), != (different) etc.

>Boolean operators may also be used

(AND, OR, XOR, NOT) to combine
filters

14
 reading a trace (5/5)
display filters
 Examples:
>ip.addr == 10.127.10.12
- displays all packets with IP 10.127.10.12 (src or dst)
>ip.addr == 10.127.10.12 OR ip.addr == 10.127.10.13
- displays all packets with IP@10.127.10.12, 10.127.10.13, or both.
>udp.scrport > 9046
- displays UDP packets whose source ports is strictly above 9046.

>WARNING, some expressions may be misleading:

>ip.addr != 10.127.10.12
- displays all packets which do not contain 10.127.10.12 ? NO!
- it means: display the packets where at least one of the IP fields (i.e. src or dst) is
different from 10.127.10.12 . So this is TRUE FOR ALL PACKETS
- the right expression is not(ip.addr == 10.127.10.12), or !(ip.addr == 10.127.10.12)
meaning: displays all packets where the fact that one IP field is 10.127.10.12 is not true

15
agenda
introduction

capturing a trace

reading a trace
customize the workspace
display filters

advanced features
I/O graphs
TCP: time/sequence graph
HTTP analysis
Streaming analysis
Unexpected traffic
PdP context activation time
16
 advanced features
I/O graphs
>Statistics / IO Graphs displays a graph of packet numbers, or bytes, per time unit.
- The throughput is easily obtained with tick interval = 1s and unit: Bytes / tick
- the graph is updated in real time during the capture

>Some filters may be used to draw only a part of the traffic, for instance:
- throughput per protocol (FTP, HTTP,) or per TCP ports (e.g. in case of parallel download)
- throughput per direction or IP address, e.g. DL & UL traffic as displayed below

During FTP DL
transfer, the UL
Throughput Number of packets
throughput is
almost null but a
significant
amount of packet
is sent in UL
(TCP ACK)

17
advanced features
TCP: time sequence graph
>When selecting a TCP data packet and using
Statistics / TCP Stream Graph / Time Sequence Graph,
we have access to a very powerful tool to analyse
and troubleshoot TCP performance.

>The sequence number of the TCP packet

(i.e. amount of bytes received) is displayed
RWIN
TCP segments
depending on the time.
-TCP behavior (slow start), parameters
(RWIN) or potential issues
(retransmissions) may be visually observed.
-For more details about time-sequence graphs
and TCP mechanisms, refer to
TCP ACK
FTP_generic_optim
18
 advanced features
HTTP: web performance analysis
 Understand and troubleshoot web performance

>Analyse / Follow TCP Stream

Also available with right-click
- Extract and decode all the traffic
sent/received on a specific TCP port.
- Easily see the options used in the
headers for HTTP requests & responses.
- Easily see if several objects are
received on the same TCP port, etc.

>Statistics / HTTP
- 3 menus are available to compute
the statistics per domain, address, or
HTTP response code (e.g.: number of
404 not found)

> Refer to HTTP diagnostic

guidelines for more details
about HTTP behaviours and
performance drivers.

19
advanced features
streaming analysis: how to handle UDP?
>Video streaming (Live TV) is transferred over RTP/UDP.
>If not automatically recognized, RTP decoding may be forced with
Right Click / Decode As
>Statistics / RTP lists the different RTP streams (usually one for video and one
for audio) and provides stats like packet loss rate.

20
 advanced features
unexpected traffic
 Always check if some unexpected traffic is visible
>Always check if some packets are sent/received without any user action once you are connected.
>Some Spywares may generate traffic without the user consent (example below with TFTP traffic).
A regular PC clean-up is required with anti-spyware software.

>Some Windows services may also generate traffic (search for network locations or printer, clock
update): deactivate these functions as much as possible.

 This unexpected activity may decrease the throughput but also prevent the
device to go to idle radio state. 21
advanced features
PdP context activation time
>Radio messages such as PdP Context Activation Request are sent over the air
only and not directly visible by Wireshark
>but the PdP activation time may be extracted thanks to PPP messages.
- The connection at PPP level between the PC and the modem triggers the PdP activation over the radio

>The duration has to be computed between the 1st PPP Configuration Request
and the last PPP Configuration Ack that allocates an IP address.

22
thank you!