
WireShark Training

Ray Tompkins, Analysis Solution
ray.tompkins@analysissolution.com
© 2007 www.analysissolution.com
Brought to You By: Analysis Solution
• Onsite Network Analysis and Services
Analysis Solution provides network analysis and services. Our skills with network protocols, LAN, WAN and wireless environments and applications allow us to diagnose and define the problem, then apply the corrective action. During this process our goal is to mentor your staff with the information that we gathered and an understanding of the skill of "How We Obtained The Results".
• Network Analysis Training
A training class providing a detailed view of protocols and how they flow through the network. You will never look at packets the same again. This fascinating view through an analyzer reveals "How Things Really Are", revealing what mysteries lie hidden on the wire. Key concepts, from actual measurements of throughput and performance, to knowing if devices in the network are dropping packets, give precise information before making the call "Houston We Have A Problem".
• The goal of the course is to empower the analyst with advanced troubleshooting techniques. These techniques are advanced in nature but are taught so they can be put to use in diagnosing problems. The attendees will walk away with the confidence that "I can solve this problem, let me at it".

For more information contact: Ray Tompkins, ray.tompkins@analysissolution.com, Phone 832 643 5871
Capture Interface

If you want to capture data frames with your wireless card, or if you do not see the Packets counter increment, go to your capture options and uncheck "Capture packets in promiscuous mode".

Notes From The Field
We have compiled a list of filters, organized by type. They can be downloaded from our web site.

Capture Filters Sources:
• Go to http://www.analysissolution.com, Tech Notes, WireShark
• You will find instructions and other helpful tips for WireShark

• Note of Interest, Update June 2007
• As of the release of WireShark 99.6 the Capture Filter file cfilter was moved within the application to c:/programs/wireshark/cfilter

• If you have comments or suggestions or wish to share a filter, please email tech@analysissolution.com

Ray Tompkins
www.analysissolution.com

Capture Filter Reference

Command                 Description
ether host MAC address  Capture all packets to and from a MAC address

IP Filters
host ip address         Capture all packets to and from an IP address
src host ip address     Capture all packets from an IP address
dst host ip address     Capture all packets to an IP address

TCP/UDP Filters
port port               Capture all packets to and from a port number
src port port           Capture all packets from a port number
dst port port           Capture all packets to a port number

IP Network Filters
net net                 Capture all packets to and from a net
src net net             Capture all packets from a net
dst net net             Capture all packets to a net

Capture Filter Examples
• Capture only DNS frames: port 53
• Capture HTTP and DNS frames: port 80 or port 53
• Capture all IP traffic: ip

Capture Options – Stop Capture Frame
• This frame allows you to control when WireShark will stop capturing.
• This will not save to a file.
• If multiple options are checked, the first condition reached will stop the analyzer.

Filters are contained in this file:
C:\Documents and …….\Application Data\WireShark\cfilters
** If you choose to create your own cfilters file, remember to leave the last line in this file blank.

Capture – Capture Filters
• This screen allows you to add or delete capture filters.

Make the Filter name and Filter string the same to avoid confusion.

Filters are contained in this file:
C:\Documents and …….\Application Data\WireShark\cfilters
** Remember to leave the last line in this file blank.
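The two house rules on the cfilters file (name equals filter string, blank last line) can be enforced when the file is generated rather than remembered. The following is an added example, not code from the deck: it parses and writes the file, assuming the layout of the cfilters files Wireshark ships (one entry per line, the name in double quotes followed by the capture-filter expression), and uses a constructed sample built from the deck's own three filter examples.

```python
import re

# One entry per line: the filter name in double quotes, whitespace, then the
# capture-filter expression. Assumption: this is the layout of the cfilters
# files Wireshark ships; the deck itself only gives the file's location.
_LINE_RE = re.compile(r'^"(?P<name>[^"]*)"\s+(?P<expr>.+?)\s*$')

# Constructed sample built from the deck's three capture-filter examples.
# Note it has no trailing newline, which the slides warn against.
SAMPLE = '"DNS" port 53\n"HTTP and DNS" port 80 or port 53\n"All IP" ip'


def parse_cfilters(text):
    """Return [(name, expression), ...]; blank lines are skipped.

    A malformed line raises ValueError naming the line, so a hand-edited
    file is caught instead of the entry being quietly dropped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        m = _LINE_RE.match(line)
        if m is None:
            raise ValueError("cfilters line %d is malformed: %r" % (lineno, line))
        entries.append((m.group("name"), m.group("expr")))
    return entries


def write_cfilters(entries, name_equals_filter=True):
    """Render entries as file text, applying the deck's two conventions:
    the name is made identical to the filter string (no confusion when
    picking from the list) and the text ends with a newline so the last
    line of the file is blank."""
    lines = []
    for name, expr in entries:
        if name_equals_filter:
            name = expr
        if '"' in name:
            raise ValueError("filter name may not contain a double quote")
        lines.append('"%s" %s' % (name, expr))
    return "\n".join(lines) + "\n"


def ends_with_blank_line(text):
    """True when the file has the blank last line the slides require."""
    return text.endswith("\n")
```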

Edit -> Preferences -> Columns

This screen allows you to add or move columns around.
For consistency, I always recommend you name your columns the same as the descriptions noted in the 'pull down' menu.

WireShark Screen Layout

• Filename Of Current Trace File

'Sorting Columns'
Output is sorted by frame number by default.

Click the Info header to sort by that column.

Neat Feature – 'Drag and Drop'
• You can now drag and drop a file from Windows Explorer directly into WireShark.

Conversation List
• You can now see a list of all the TCP, IP or MAC address conversations.
• You can leave this screen up while capturing to see it update in real time.

Resize Column

Statistics: Neat Feature – 'Conversation List'
• You can now see a list of all the TCP, IP or MAC address conversations.

Statistics: Flow Graph

Statistics: Conversation

Statistics: Conversation continued

Analyze: Expert Info
• Expert Info shows a summary of errors and warnings.

Analyze: Display Filters
• Display filters can be applied from the saved list, or new filters can be created.

Analyze: Follow TCP Stream
• Follow TCP Stream can show the traffic between two IP addresses in one direction or the entire conversation.
• Traffic from A to B is marked in red and from B to A is marked in blue.

Analyze: Expert Info Composite
• Expert Info Composite displays errors, warnings, notes and chats together in one list.
• Clicking the packet number lets you jump to that packet within the trace.

Case Study: “Please Open The Window”
• In this case study a nightly server backup is not being completed in the allowed time. The production server for a major oil company contains seismic data for oil research: important information that needs to be backed up. This information is the key asset of the company. It is also a very large amount of data.

• Configuration: The production server connects over Gigabit Ethernet to a Cisco 6509 router, and on the same blade another Gigabit Ethernet connection goes to the backup server.

• Each part of the team (server, application and network personnel) has worked hard to determine what the problem could be. The application logs have been reviewed, and the server team has reviewed the logs for each server. The network team has looked at each interface for errors and searched through the router logs, but none of them has found anything that identifies the problem.

• At the request of Analysis Solution a trace was taken. The following shows the results.

Case Study: “Please Open the Window”

• Analysis: The receiving server was choking on the data, unable to get the information written to the disk drive.

• Solution: Higher speed disk drives were installed. This increased the performance of the backup server, allowing it to keep up with the network and the production server.

• See the following trace file and also the graphs that show the window size being advertised by the backup server.

Case Study: “Please Open the Window”
• Figure 1:1 Trace File Results (good throughput with large packet sizes): we see good throughput, with the window size shown at item B.

• Figure 1:2 Trace File Results (window size has changed to zero): in packet 377, item C, the source IP address at item D is sending a window size of zero, see item E.
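The zero-window symptom seen at packet 377 can be checked programmatically rather than by eye. The following is an added example, not code from the deck or its author: it walks a constructed list of TCP segment summaries (frame, time, addresses, advertised window, with invented values that mirror the slides), reports each host's zero-window frames and how long its window stayed closed, and names the receiver that could not drain its buffer.

```python
from collections import defaultdict

# Constructed sample trace: (frame, time in seconds, src IP, dst IP, advertised
# window). 10.0.0.20 stands in for the backup server receiving the data; the
# values are invented to mirror the slides (frame 377 advertising zero).
TRACE = [
    (1,   0.000, "10.0.0.10", "10.0.0.20", 8192),
    (2,   0.001, "10.0.0.20", "10.0.0.10", 8760),
    (3,   0.050, "10.0.0.20", "10.0.0.10", 8760),
    (4,   0.120, "10.0.0.20", "10.0.0.10", 4380),
    (5,   0.200, "10.0.0.20", "10.0.0.10", 1460),
    (377, 0.310, "10.0.0.20", "10.0.0.10", 0),
    (378, 0.520, "10.0.0.20", "10.0.0.10", 0),
    (379, 0.900, "10.0.0.20", "10.0.0.10", 8760),
]


def zero_window_report(trace):
    """Per source IP: frames that advertised a zero window, the smallest
    window seen, and how long the window stayed at zero (time during which
    the peer was not allowed to send)."""
    stats = defaultdict(lambda: {"zero_frames": [], "min_window": None,
                                 "stalled_seconds": 0.0})
    stall_start = {}  # src -> time its window first hit zero
    last_ts = None
    for frame, ts, src, dst, window in trace:
        s = stats[src]
        last_ts = ts
        if s["min_window"] is None or window < s["min_window"]:
            s["min_window"] = window
        if window == 0:
            s["zero_frames"].append(frame)
            stall_start.setdefault(src, ts)
        elif src in stall_start:
            # A window update reopened the window: the stall ends here.
            s["stalled_seconds"] += ts - stall_start.pop(src)
    # A window still closed at the end of the trace counts up to the last frame.
    for src, started in stall_start.items():
        stats[src]["stalled_seconds"] += last_ts - started
    return dict(stats)


def bottleneck_receiver(trace):
    """IP that advertised a zero window most often, i.e. the host that cannot
    drain its receive buffer fast enough; None if no zero window was seen."""
    stats = zero_window_report(trace)
    src, s = max(stats.items(), key=lambda kv: len(kv[1]["zero_frames"]))
    return src if s["zero_frames"] else None
```

Wireshark's Expert Info flags the same segments as zero-window warnings; the report here adds the stall duration, which is the time the production server was unable to send.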

[Graph: Case Study: “Please Open the Window” Window Size. Vertical axis: advertised window size, 0 to 10000; horizontal axis: time of day, 4:01:17 PM to 4:05:01 PM.]

[Graph: Case Study: “Please Open the Window” Disk Drive Upgraded. Vertical axis: advertised window size, 0 to 10,000; horizontal axis: time, 2:51:50 to 2:51:59.]
Question and Answer: Simulation Traffic Tools
Question: What tools are available for generating traffic to simulate traffic or data throughput?

Answer: One tool that is free is IPERF. It loads on each end, source and destination. This could be PC to PC, or server to PC, and then you run the throughput benchmarks. I use it in classes that I teach, where we run several benchmark tests. Here is where to find the tool and notes on how to use it.

Question and Answer: Performance Tools cont.
IPERF (free)
• Very handy FREE throughput tester. Using it is quick and easy:
• Simply download IPERF from http://dast.nlanr.net/Projects/Iperf/
• Unzip it into a folder on two PCs
• Go to one PC and type iperf -s at the command prompt. This is the server.
• Go to the other PC and type iperf -c server_ipaddress
• Other examples:
• To run the iperf utility as a server service (daemon), type
iperf -s -D
• To conduct an upload, type
iperf -c server_ipaddress
• To conduct a separate upload and download (tradeoff test), type
iperf -c server_ipaddress -r
• To conduct a simultaneous upload and download (dual test), type
iperf -c server_ipaddress -d

Chariot from IXIA
• http://www.ixiacom.com/products/display.php?skey=ixchariot

SmartBits
• http://www.spirentcom.com/analysis/technology.cfm?media=7&WS=325&SS=110&wt=2

Question and Answer: Case Studies
Question: Can you recommend where to get case studies?

Answer: There are several books that contain case studies. I have listed them below for your reference. Also visit my web site www.analysissolution.com; I'm in the process of adding PCasts. They are 10 minutes in length and cover various topics, all focused on protocol analysis.

• Network Analysis and Troubleshooting, J. Scott Haugdahl, ISBN 0-201-43319-2
• Optimizing Network Traffic, Microsoft Press, ISBN 073560648X

Question and Answer:
Question: What type of triggers are available for WireShark-Ethereal?

Answer: WireShark-Ethereal states that the only triggers are to Stop under the following conditions and to Restart.

Stop Capture:
• Stop the capture on different triggers such as the amount of captured data, the capture time, or the number of captured packets.
Restart a Running Capture:
• A running capture session can be restarted with the same capture options as the last time; this will remove all packets previously captured. This can be useful if some uninteresting packets are captured and there is no need to keep them.
• Restart is a convenience function and is equivalent to a capture stop followed by an immediate capture start. A restart can be triggered in one of the following ways:
• Using the menu item "Capture/ Restart".
• Using the toolbar item "Restart".
Further Notes:
• You can reduce the amount of traffic captured by using capture filters.
• You can also capture into multiple files while doing a long-term capture, and in addition there is the option to form a ring buffer of these files, keeping only the last x files, which is useful for a "very long term" capture.
