Wireshark: How to Capture, Filter, and Inspect Packets

Overview

There have been a few Qwikipedia articles that address network performance and troubleshooting. I’d like to share a close look at Wireshark and how it can be used to track down issues such as packet reordering and packet loss.
 
Formerly known as Ethereal, Wireshark captures packets in real time and displays them in human-readable format. It includes filters, color-coding, and other features that let you dig deep into network traffic and inspect individual packets.
 
This article will get you up to speed with the basics of capturing packets, filtering them, and inspecting them. You can use Wireshark to inspect a suspicious program’s network traffic, analyze the traffic flow on a network, or troubleshoot network problems.
 
In particular, there are two ways of using Wireshark that I’d like to discuss:
 
Just a quick warning: Many organizations don’t allow Wireshark and similar tools on their networks. Before using Wireshark on a customer network, always ask for, and receive, permission to use this program.
 
This article covers the following main topics:
 
Overview
Getting Wireshark
Wireshark’s Opening Screen
Using Wireshark to Capture, Filter, and Inspect Packets
          Capturing Packets
          Filtering Packets
          Inspecting Packets
Final Thoughts on Wireshark
Sidenote: Capturing Packets on the DXi with TCPdump
 

Getting Wireshark

You can download Wireshark for Windows or Mac OS X, and the associated documentation, from its official website. If you’re using Linux or another UNIX-like system, you’ll probably find Wireshark in its package repositories.
 

Wireshark’s Opening Screen

When you start Wireshark, you’ll see a screen like this:
 
 

Using Wireshark to Capture, Filter, and Inspect Packets

Wireshark’s ability to capture, filter, and inspect packets makes it an excellent network analysis tool. We’ll examine each of these features one at a time.

Capturing Packets

The Interface List area of the opening screen (see above) shows the available interfaces to capture packets from. To start capturing packets on an interface, click on that interface. For example, if you want to capture traffic on the wireless network, click the wireless interface. You can configure advanced features by clicking Capture Options, but this isn’t necessary for now.
 
As soon as you click an interface’s name, you’ll see packets as they appear, in real time. Wireshark captures each packet sent to or from your system. If you’re capturing on a wireless interface and have promiscuous mode enabled in your capture options, you’ll also see the other packets on the network.
 
In the following image, we’re seeing packets on the first interface listed in the image above, the NVIDIA nforce MCDP Network Analyzing Driver.
To stop capturing traffic, click the stop capture button near the top left corner of the window:
Color Coding
 
You’ll probably see packets highlighted in green, blue and black. Wireshark uses colors to help you identify the types of traffic at a glance, as shown below.
By default:
 
To learn more about packet colorization, see http://www.wireshark.org/docs/wsug_html_chunked/ChCustColorizationSection.html.
 
Sample Captures
 
If there’s nothing interesting on your own network to inspect, Wireshark’s wiki has you covered. The wiki contains a page of sample capture files that you can load and inspect.
Opening a capture file is easy; just click Open on the main screen (shown below) and browse for a file. You can also save your own captures in Wireshark and open them later.
 

Filtering Packets

If you’re trying to inspect something specific, such as the traffic a program sends when phoning home, it helps to close down all other applications using the network, so you can narrow down the traffic. Still, you’ll likely have a large number of packets to sift through. That’s where Wireshark’s filters come in.
 
The most basic way to apply a filter is by typing it into the filter box at the top of the window shown below, and clicking Apply (or pressing Enter). For example, type “dns” and you’ll see only DNS packets. When you start typing, Wireshark will help you autocomplete your filter.
You can also create a new filter by clicking Analyze in the main menu (shown above) and then clicking Display Filters:
 
  
Another interesting thing you can do is right-click a type of packet and select Follow TCP Stream. In the following image, we’ve chosen Hypertext Transfer Protocol.
 
  
You’ll see the full conversation between the client and the server:
 
  
When you close this window, you see that a filter has been applied automatically — Wireshark is showing you the packets that make up the conversation.
 

Inspecting Packets

To inspect a packet, first select it, as shown below for Frame 2207. You can then dig down to view its details.
 
 
You can also create filters from here — just right-click one of the details shown, then use the Apply as Filter submenu to create a filter based on it.
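To show what the filter box, Apply as Filter, and Follow TCP Stream are doing to the bytes of a capture, here is an added Python example written for this article (it is not Wireshark code, and its protocol recognition by port and its filter grammar are deliberate simplifications of what Wireshark’s dissectors do). It builds a small classic pcap file inline, with invented addresses, so it runs offline: one DNS query and a two-frame HTTP exchange. It then decodes each frame into Wireshark-style field names (ip.src, tcp.port, frame.len, and so on), evaluates a subset of the display-filter syntax (protocol names, == and != comparisons, && and ||), builds the expression that Apply as Filter would produce from a selected detail, and reassembles both directions of a TCP conversation.

```python
import struct

# Constructed sample capture (invented addresses, not from any real network).
CLIENT, DNS_SERVER, WEB_SERVER = "10.0.0.5", "10.0.0.1", "93.184.216.34"

def _ipv4(src, dst, proto, payload):
    """IPv4 header without options; the checksum is left at 0 for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + payload

def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def _tcp(sport, dport, seq, payload):
    # 20-byte header (data offset 5), flags PSH|ACK, checksum left at 0
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload

def _frame(ip_packet):  # Ethernet II with made-up MACs, EtherType 0x0800 (IPv4)
    return b"\x66\x77\x88\x99\xaa\xbb\x00\x11\x22\x33\x44\x55\x08\x00" + ip_packet

def build_sample_pcap():
    """Classic pcap bytes holding three frames: a DNS query, an HTTP GET and its reply."""
    dns_query = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01"
    frames = [
        _frame(_ipv4(CLIENT, DNS_SERVER, 17, _udp(53000, 53, dns_query))),
        _frame(_ipv4(CLIENT, WEB_SERVER, 6, _tcp(40000, 80, 1, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"))),
        _frame(_ipv4(WEB_SERVER, CLIENT, 6, _tcp(80, 40000, 1, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"))),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # magic, v2.4, snaplen, linktype 1 = Ethernet
    for n, fr in enumerate(frames):  # record header: ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", 1600000000, n * 1000, len(fr), len(fr)) + fr
    return out

def parse_pcap(data):
    """Decode a classic pcap (not pcapng) into per-frame dicts using Wireshark-style field names."""
    magic, = struct.unpack("<I", data[:4])
    end = "<" if magic == 0xA1B2C3D4 else ">"  # the magic number announces the byte order
    if struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled here")
    packets, off = [], 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(end + "IIII", data[off:off + 16])[2]
        fr = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        fields = {"frame.number": len(packets) + 1, "frame.len": len(fr),
                  "eth.dst": fr[0:6].hex(":"), "eth.src": fr[6:12].hex(":")}
        protos, payload = {"eth"}, b""
        if fr[12:14] == b"\x08\x00":
            ip = fr[14:14 + struct.unpack("!H", fr[16:18])[0]]  # trim Ethernet padding via IPv4 total length
            fields.update({"ip.src": ".".join(map(str, ip[12:16])),
                           "ip.dst": ".".join(map(str, ip[16:20])), "ip.proto": ip[9]})
            protos.add("ip")
            l4 = ip[(ip[0] & 0x0F) * 4:]
            if ip[9] == 17:  # UDP; 'dns' recognised by port 53, a simplification of Wireshark's dissection
                sport, dport = struct.unpack("!HH", l4[:4])
                fields.update({"udp.srcport": sport, "udp.dstport": dport, "udp.port": (sport, dport)})
                protos.add("udp")
                payload = l4[8:]
                if 53 in (sport, dport):
                    protos.add("dns")
            elif ip[9] == 6:  # TCP; 'http' recognised by port 80 plus data being present
                sport, dport, seq = struct.unpack("!HHI", l4[:8])
                fields.update({"tcp.srcport": sport, "tcp.dstport": dport, "tcp.port": (sport, dport), "tcp.seq": seq})
                protos.add("tcp")
                payload = l4[(l4[12] >> 4) * 4:]
                if 80 in (sport, dport) and payload:
                    protos.add("http")
        packets.append({"fields": fields, "protocols": protos, "payload": payload})
    return packets

def _term(pkt, toks, i):
    """One filter term: a protocol name, or 'field == value' / 'field != value'."""
    if i + 2 < len(toks) and toks[i + 1] in ("==", "!="):
        val = pkt["fields"].get(toks[i])
        hit = val is not None and toks[i + 2] in [str(v) for v in (val if isinstance(val, tuple) else (val,))]
        # comparing against a field the packet does not carry is false for == and for !=
        return (hit if toks[i + 1] == "==" else val is not None and not hit), i + 3
    return toks[i] in pkt["protocols"], i + 1

def matches(pkt, expr):
    """Display-filter subset: terms joined by && / ||, evaluated left to right, no parentheses."""
    toks = expr.split()
    result, i = _term(pkt, toks, 0)
    while i + 1 < len(toks):
        rhs, j = _term(pkt, toks, i + 1)
        result = (result and rhs) if toks[i] == "&&" else (result or rhs)
        i = j
    return result

def apply_filter(packets, expr):
    return [p for p in packets if matches(p, expr)]

def filter_from_field(pkt, name):
    """The expression 'Apply as Filter > Selected' builds from one packet detail."""
    return f"{name} == {pkt['fields'][name]}"

def _src(p):
    return (p["fields"]["ip.src"], p["fields"]["tcp.srcport"])

def follow_tcp_stream(packets, pkt):
    """Reassemble both directions of pkt's TCP conversation (ignores retransmissions/overlaps)."""
    conv = {_src(pkt), (pkt["fields"]["ip.dst"], pkt["fields"]["tcp.dstport"])}
    segs = [p for p in packets if "tcp" in p["protocols"]
            and {_src(p), (p["fields"]["ip.dst"], p["fields"]["tcp.dstport"])} == conv]
    client = _src(segs[0])  # whoever sent the first captured segment is shown as the client
    out = {"client": b"", "server": b""}
    for p in sorted(segs, key=lambda p: p["fields"]["tcp.seq"]):  # sequence order within each direction
        out["client" if _src(p) == client else "server"] += p["payload"]
    return out

if __name__ == "__main__":
    pkts = parse_pcap(build_sample_pcap())
    for p in apply_filter(pkts, "dns || http"):
        print(p["fields"]["frame.number"], sorted(p["protocols"]), filter_from_field(p, "ip.src"))
    print(follow_tcp_stream(pkts, apply_filter(pkts, "http")[0]))
```

The reader handles only the classic pcap container; Wireshark can save captures as pcapng, so pick the pcap format when saving a file you want to process with a small reader like this. Field comparisons follow Wireshark’s rule that a comparison against a field the packet does not have is false, which is why `udp.port != 53` matches no TCP frame.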
 
 

Final Thoughts on Wireshark

Wireshark is an extremely powerful tool, and this article just scratches the surface of what you can do with it. It is widely used to debug network protocol implementations, examine security problems, and inspect network protocol internals.
 

Sidenote: Capturing Packets on the DXi with TCPdump

To gather network traffic on DXi ports or bonds, you can use TCPdump. The best resource on how to use TCPdump is probably its man page on Linux (that is, on the DXi itself). Information is also available at the following URLs:
This page was generated by the BrainKeeper Enterprise Wiki, © 2018