2015 08 15 LMTV Wireshark tips and tricks

© 2015, The Technology Firm www.thetechfirm.com
Wireshark
Tips and Tricks
Tony Fortunato,
Sr Network Performance Specialist
www.thetechfirm.com

© 2015, The Technology Firm WWW.THETECHFIRM.COM
About Tony Fortunato
 Tony Fortunato is a Sr. Network Performance Specialist with The
Technology Firm (www.thetechfirm.com) who has experience with
training, design, implementation, and troubleshooting networks since
1989.
 Tony teaches or troubleshoots on your network, with your staff and
your tools as part of his customized onsite training service.
 Tony also creates and delivers many vendor technical workshops as
well as webcasts and contributor to various blogs.
 Tony will be teaching a 5 day, “Troubleshooting TCP/IP Networks with
Wireshark" for Global Knowledge in Toronto. -Oct 19 - 23, 2015. The
registration link is under the “..Last Email link” at
www.thetechfirm.com
 Contributes to Lovemytool.com, various Linkedin groups, Garland
Technologies, Fluke Networks, etc….

Purpose of this session
The main goals of this 30 minute session are:
 Introduce the audience to me, Tony Fortunato
 To introduce new users to some fundamental Wireshark tips
 To show some current users Wireshark tips or tricks they not be familiar with
 Find out what other topics people would be interested in for future articles or videos
 Feel free to contact me at www.thetechfirm.com for any future topic suggestions in
case you were not able to watch this real time to provide input
 Many of these notes are from my onsite training sessions.
 Feel free to contact me via the website for a quote for me to come to your office and
provide onsite training or other training options.
3

Many monitor ports do not forward packets
with physical level errors.
Figure out when your laptop drops packets.
Wireshark Analyzer
Mini Hub
To Bridge, Router, Switch,
Backbone
MONITOR/SPAN PORT
Hubs are Half Duplex.
Manually set switch ports
and workstations to match
or ensure there are no
duplex mismatches.
By default, many default
NDIS drivers will NOT
forward physical layer errors
to Analyzer software.
Make sure you understand
how your card behaves
Client 100 Mb
Half Duplex
Make sure that your analyzer can
decode trunk specific protocols and
packets that may exceed the
maximum Packet Size
100 Mb Full Duplex
NT Server
When dealing with large networks
always try to start troubleshooting
from the client.
Use taps to get visibility
into Full duplex links.
Watch Out for Switched Networks and Tool Placement
Wireshark Analyzer
Is your hub
really a hub, or
a switch?
Wireshark Analyzer
Wireshark Analyzer
TAP
TAP

Internet
To capture only remote
traffic, mirror the router port
and filter on the local router
MAC address.
This can be tricky if you are
using load balancing
protocols.
Analyzing Routed Networks
Router

Windows Installation Command Line Option
 If you run the setup file with no options, you get the standard installer
 Helpful command line options;
• /S runs the installer or uninstaller silently with default values.
o Default values are desktopicon=yes and /quicklaunchicon=yes
• /desktopicon installation of the desktop icon, =yes - force installation, =no -
don't install, otherwise use defaults / user settings. This option can be useful for a
silent installer.
• /quicklaunchicon installation of the quick launch icon, =yes - force installation,
=no - don't install, otherwise use defaults / user settings.
• /D sets the default installation directory ($INSTDIR), overriding InstallDir and
InstallDirRegKey. It must be the last parameter used in the command line and
must not contain any quotes, even if the path contains spaces.
Example:
The following will silently install Wireshark without a desktopicon or quicklaunchicon;
• wireshark-setup /S /desktopicon=no /quicklaunchicon=no

 Add a “Shortcut key” to make Wireshark easier to get at.
 In this example, we assign Ctrl + Shift + W to Wireshark
Make It Easier To Launch Wireshark In Windows
Right- Click
Select Properties
Press Ctrl + Shift + W

About your Wireshark
The Folders Tab contains the location of various system files

 Modify your “Shortcut key” to get Wireshark to immediately capture upon startup
 Switches are; -i interface id –k
• "C:Program FilesWiresharkwireshark.exe" -i "DeviceNPF_{1A03831E-139E-4D51-92CB-26359A22BB8E}" –k
or
• "C:Program FilesWiresharkwireshark.exe" -i Interface number –k
 Use tshark –D to determine your interface id
Launch Wireshark & Automatically Start Capturing
Press Ctrl + Shift + W

Starting Wireshark Edit -> Preferences - > User Interface

Starting Wireshark Edit -> Preferences - > Layout

Edit -> Preferences -> Capture
Next Slide

Edit -> Preferences -> Capture -> Interfaces

TCP/IP Task Offload in NDIS 5/Windows
From: http://www.microsoft.com/hwdev/tech/network/taskoffload.asp
 Network adapters with appropriate NDIS 5 (and later) miniport drivers can increase
the system performance by supporting hardware offload of Transmission Control
Protocol/Internet Protocol (TCP/IP) CPU-intensive tasks.
 For example, with TCP/IP checksum offload alone, up to 30 percent performance gain
in CPU utilization has been seen in testing at Microsoft. The NDIS interface and the
TCP/IP transport have been enhanced to allow miniport drivers to indicate hardware
support for performing:
• TCP/IP checksum calculation.
• TCP/IP segmentation.
• Internet Protocol Security (IPSec) Encryption Ciphers and Message Digests.

TCP/IP Offload
 On the send side, the network adapter that supports this offload will calculate
checksums that are needed and for which it has indicated the capability of
performing. For the TCP checksum, the Microsoft transport will calculate the TCP
pseudo header checksum and place this value in the checksum field, so that the
network adapter can calculate the correct TCP checksum without touching the IP
header.
 If for any reason the network adapter cannot perform the checksum, it will not set
any bits and indicate the packet. TCP/IP will then look at this and calculate the
appropriate checksum itself.

Flow and CRC’s
Application
TCP/UDP
IP
MAC
Physical
HTTP (CRC)
TCP (NO CRC)
IP (NO CRC)
MAC (CRC)
Physical
Wireshark
will not see
a valid
CRC since
the CARD
is
calculating
it
Wireshark
will see a
valid CRC
since it
was
calculated
correctly
already

Conclusion
 If you are capturing other device’s traffic, this is not an issue
 If you are capturing from your adapter, you have 2 choices;
• Leave the TCP checksum validation disabled (default)
• Reconfigure your computer to disable TCP, IP and UDP checksum offloading
17

Capture Options or Ctrl + K
Worth experimenting
with if you find you are
dropping packets

Capture Filter Reference
Command Description
ether host MAC address Capture all packets to and from a MAC address
IP Filters
host ip address Capture all packets to and from an ip address
src host ip address Capture all packets from an ip address
dst host ip address Capture all packets to an ip address
TCP/UDP Filters
port port Capture all packets to and from a port number
src port port Capture all packets from a port number
dst port port Capture all packets to a port number
tcp portrange x – y Capture from the following tcp port range
IP Network Filters
net net Capture all packets to and from a net
src net net Capture all packets from a net
dst net net Capture all packets to a net

Capture Filter Examples
Command Description
ether host 00:15:c5:37:40:60 Capture all packets to and from MAC 00:15:c5:37:40:60
IP Filters
host 10.44.10.1 Capture all packets to and from 10.44.10.1
host www.wireshark.org Capture all packets from www.wireshark.org
TCP/UDP Filters
port 80 or port 23 Capture to and from TCP/UDP port number 80 or 23
port http Capture all http packets
IP Network Filters
net 10.44.10 Capture all packets to and from a subnet 10.44.10
!aarp Do not capture arp packets
udp Capture all udp packets
tcp Capture all tcp packets

How to Save Your Capture Automatically

If You Did Not Provide A Filename…
 If you forgot or just did not provide a filename and your Wireshark crashes or
whatever unplanned event, simply refer to the status bar when you capture and go to
the path referenced or check your Folder location under Help and About.
22
 The location of this file is configurable under Help-> About->Folders under the Temp
variable name

 This frame allows you to control when Wireshark will stop capturing.
 This will NOT save to a file.
 If multiple options are checked, the first condition it reaches, will stop the analyzer.
Capture Options – Stop Capture Frame
 In this example, Wireshark will stop when the first criteria is met.
 1,000 packets
 1 MB
 1 minute

Capture Options – Capture File(s) Ring Buffer
Creates files with the following syntax;
 Filename_00001_yearmmddhhmmss
for example 8MB_00001_20061102150628
Capture Files will be in a pcap-ng format
I try to stay with size limits since I
do not know how much data will
be flowing at any given time.
8MB 8MB
In this example, Wireshark will create 2, 8MB files and stop.

Capture Options – Capture File(s) Ring Buffer
Creates files with the following syntax;
 Filename_00001_yearmmddhhmmss
for example 8MB_00001_20061102150628
I try to stay with size limits since I
do not know how much data will
be flowing at any given time.
8MB 8MB
In this example, Wireshark will create 2, 8MB files continuously
and stop when you press the Stop button or press Ctrl + E.

Time and Packet Display Options
To make Multiple selections, use the ‘space bar’

Setting A Time Reference
If you need to calculate time between specific frames, you can set a Time Reference by
right clicking in a packet

Protocol Preferences
 If you use Wireshark often, you may find yourself going back to Edit->Preferences-
>Protocols to adjust your settings.
 A really simple shortcut is to right click on a protocol in the Detail Pane, and select
Protocol Preferences.
 An additional tip is to use your spacebar to select/deselect multiple settings.

Configuration Profiles
 Configuration Profiles can be used to configure and use more than one set of preferences and
configurations.
 Select the Configuration Profiles... menu item from the Edit menu, or simply press Shift-Ctrl-A; and
Wireshark will pop up the Configuration Profiles dialog box. It is also possible to click in the
"Profile" part of the statusbar to popup a menu with available Configuration Profiles
Left Click
Right Click

IO Graphs
Display Filter Format Various Styles

Leveraging I/O Graphs for Yourself
 When using the I/O Graph
press the Copy button to copy
the CSV raw data to your
clipboard.
 Then you can paste the data
directly into Excel, or
whatever application you want
to use
 The Save button will save the
graph as a graphical file (bmp,
jpg, png, etc..)
31

Sample of Excel Chart Using I/O Copy Feature
32

Graphing Options
 Feel free to graph ANY fieldname in your trace.
 In this example I wanted to compare how the application in the top graph was
handling the flow better than the bottom application.
33

Quick Conversation Filter
 Most people will create a TCP conversation via the Statistics -> Converstation->TCP
and right click. You can accomplish the same thing by simply right clicking on a
frame.
Right Click on a Packet

Statistics: Conversation continued
TCP filter is automatically applied.
Filter consists of a pair of IP addresses and TCP port numbers
The results show the conversation in the Summary Screen

Protocol Analysis Tips
 Look for patterns
 Take traces or captures when things work
 Don’t feel like you have to analyze everything you capture
• Get in the habit of taking a specific trace with some simple notes of what it is and
file it away
 When you have a working trace to compare things to, troubleshooting gets a bit
straight forward
 Get in the habit of capturing specific traces such as
• Login
• Bootup
• Application Launch
• Application Query
• Looking for retransmissions
• Calculating throughput
• Determining of data is clear text or not
• Idle baseline (Network or device)
36

TCP 3 Way Handshake Response Time
 Record the TCP response time, or Delta Time
• Ensure you have the proper Time Display option
37
 More accurate than any ping you could have sent

A bit about MTU, MSS and DLY
MSS = Maximum number of Bytes you can put in the TCP Segment
MTU = Maximum number of Bytes you can put in the IP datagram
DLY = Amount of delay in micro seconds
10,100 Mb Ethernet max frame size = 1518 Bytes
1 Gb and higher Ethernet max frame size = 9,000 Bytes
10,100 Mb IP MTU size = 1500 Bytes
10,100 Mb TCP MSS size = 1460 Bytes
DEST, SRC MAC,
14 Bytes
CRC
4 BytesIP MTU Data 1500 Bytes
TCP MSS Data 1460 Bytes

Example of Inefficient TCP MSS
512 MSS
Since this is on a 100 Mb network, the MAX TCP MSS is 1460 Bytes

A Word About Tool Placement
Ensuring the proper tool position can save you countless hours.
Data 1
xData 3
Data 3
1 ms
200 ms
ack 1 ms
Data 21 ms
19 ms
219 ms
1 ms
From this side you can clearly
see the retransmission
From this side it looks like a
slow client or network
with 219 ms delay
Client
Server

Sample Patterns
41
In this case there are a few things are developing into a pattern
2 data packets, then an ACK
20 -21 ms latency
TCP WIN = 16384
Never assume that you will always see the same pattern!!
Patterns will change anytime the following variables change:
• Host location
• Network path
• Network device
• Protocol
• Application
• Time/Date

Another Pattern
 This application seems to set the PSH bit after every 5 data packets
 Trace taken when the clients reports the application is working ‘fine’
42

How to Quickly Add a Column
 If you are constantly looking at something in the Detail Pane, why not add it as a
column.
 Simply right click on the fieldname and select Apply as Column
43

File Comments
 At the bottom, left hand corner you will see an image with a green plus, paper/pencil.
 If you click on it you can make notes about your trace file
 Make sure your are saving the trace file as a pcap-ng format
44
 After you create a comment, the green plus sign is no longer there

Packet Comments
 If you right click on a packet, you can make notes about it.
45
 After you create a comment, you can see which frames have comments by clicking
on Statistics -> Comments Summary or Analyze->Expert Info -> Packet Comments

Packet/Frame Slicing
 The concept of Packet Slicing, is straight forward, you only capture a fraction of the
packet instead of the full size default.
 In most cases, the first 120 Bytes will provide the MAC, IP, TCP/UDP and some
application data.
 Packet Slicing can be used for the following situations:
• Conserve disk space, reduce file sizes, or to speed up trace file processing
• When you have legal or privacy concerns with the data being captured.
 To slice a packet simply double click on the interface and enter the packet slice value.
 You can also use Wireshark’s command line tool, editcap to packet slice an existing
trace file.
46

Packet/Frame Slicing - Example
 In this example I sliced the
Frame to 120 Bytes
 You can see in the Detail
Pane that Wireshark still
knows the original Frame
size and reported the sliced
size as well
47

How To Capture
from the
Windows Command Prompt
with
Wireshark
The Technology Firm

Things to do
1. Add Wireshark to your path
2. Determine which interface index maps to which NIC
3. Determine your capture parameters and location of your trace files
4. Test, check & go back to #2, if things don’t work
5. Final command to capture

 To make your Wireshark applications accessible from any directory, simply add
Wireshark to your Windows path
Add Wireshark to your path
21
3

Tshark command syntax – Part 1
Usage: tshark [options] ...
Capture interface:
-i <interface> name or idx of interface (def: first non-loopback)
-f <capture filter> packet filter in libpcap filter syntax
-s <snaplen> packet snapshot length (def: 65535)
-p don't capture in promiscuous mode
-B <buffer size> size of kernel buffer (def: 1MB)
-y <link type> link layer type (def: first appropriate)
-D print list of interfaces and exit
-L print list of link-layer types of iface and exit
Capture stop conditions:
-c <packet count> stop after n packets (def: infinite)
-a <autostop cond.> ... duration:NUM - stop after NUM seconds
filesize:NUM - stop this file after NUM KB
files:NUM - stop after NUM files
Capture output:
-b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs
filesize:NUM - switch to next file after NUM KB
files:NUM - ringbuffer: replace after NUM files
Input file:
-r <infile> set the filename to read from (no pipes or stdin!)
Processing:
-R <read filter> packet filter in Wireshark display filter syntax
-n disable all name resolutions (def: all enabled)
-N <name resolve flags> enable specific name resolution(s): "mntC"
-d <layer_type>==<selector>,<decode_as_protocol> ...
"Decode As", see the man page for details
Example: tcp.port==8888,http

Tshark command syntax – Part 2
Output:
-w <outfile|-> set the output filename (or '-' for stdout)
-F <output file type> set the output file type, default is libpcap an empty "-F" option will list the file types
-V add output of packet tree (Packet Details)
-S display packets even when writing to a file
-x add output of hex and ASCII dump (Packet Bytes)
-T pdml|ps|psml|text|fields
format of text output (def: text)
-e <field> field to print if -Tfields selected (e.g. tcp.port);
this option can be repeated to print multiple fields
-E<fieldsoption>=<value> set options for output when -Tfields selected:
header=y|n switch headers on and off
separator=/t|/s|<char> select tab, space, printable character as separator
quote=d|s|n select double, single, no quotes for values
-t ad|a|r|d|dd|e output format of time stamps (def: r: rel. to first)
-l flush output after each packet
-q be more quiet on stdout (e.g. when using statistics)
-X <key>:<value> eXtension options, see the man page for details
-z <statistics> various statistics, see the man page for details
Miscellaneous:
-h display this help and exit
-v display version info and exit
-o <name>:<value> ... override preference setting

Determine which interface index maps to which NIC
 From the command prompt type;
• Tshark -D
 In this example I’ll use my wireless card or index number 2

Test
 From the command prompt I will type the following, and should see some output
• Tshark –i 2

Command to capture 1 MB of data
 Now that I know everything works, I want to do the following;
• -i 2 ;captures from my wireless
• -p ;captures in non promiscuous mode
• -a filesize:1000 ;captures 1 MB
• -w 1MBcapture.pcap ; names the file
 As you capture, you will see the packet counter increase
 In this capture, I checked the file size to make sure it is 1 MB

Command to Capture with a ip filter
 Tshark –i 4 –p host 10.44.10.1
• -i 4 –p is specifically for my wireless interface
• host 10.44.10.1 is the target of my capture filter
 To capture a 1MB trace to file; 1MB.pcap
• tshark -a filesize:1024 -w 1MB.pcap -f "host 131.137.70.173“
o -a filesize:1024 specifies a 1 MB trace file
o -w 1MB.pcap identifies the file name
o -f "host 131.137.70.173“ uses an ip filter

Command to Capture with a 100 Byte packet slice
 Tshark –i 4 –p host 10.44.10.1 –s 100
• -i 4 –p is specifically for my wireless interface
• host 10.44.10.1 is the target of my capture filter
• Only capture the first 100 Bytes

Wireshark
Tips and Tricks
Thanks for watching
Tony Fortunato,
Sr Network Performance Specialist

2015 08 15 LMTV Wireshark tips and tricks

Recomendados

Recomendados

Mais conteúdo relacionado

Destaque

Destaque (16)

Último

Último (20)

2015 08 15 LMTV Wireshark tips and tricks