070801 wireshark ethereal

8/6/2019 070801 WireShark Ethereal

1/32

2007 www.analysissolution.com

WireShark Training

Ray Tompkins, Analysis [email protected]
http://www.analysissolution.com/mailto:[email protected]:[email protected]://www.analysissolution.com/


2/32


Brought to You By: Analysis Solution

Onsite Network Analysis and Services

Analysis Solution provides network analysis and service. Our skills with network

protocols, LAN, WAN, Wireless environments and applications allow us todiagnose and define the problem, then apply the corrective action. During thisprocess our goal is to mentor your staff with the information that we gatheredand understanding the skill of "How We Obtained The Results".

Network Analysis Training

Training class providing a detail view of protocols, in how they flow through the

network. You will never look at packets the same again. This fascinating viewthrough an analyzer reveals "How Things Really Area" revealing what mysterieslie hidden on the wire. Key concepts, from actual measurements of through putand performance, to knowing if devices in the network are dropping packets,gives precise information before making the call "Houston We Have A Problem".

The goal of the course is to empower the analyst, with advanced troubleshootingtechniques. These techniques are advanced in nature but taught so they can be

processed for use is diagnosing the problems. The attendees will walk away withthe confidence that "I can solve this problem, let me at it".

For more information contact: Ray Tompkins,

[email protected]

Phone 832 643 5871
http://www.analysissolution.com/mailto:[email protected]:[email protected]://www.analysissolution.com/


3/32


Capture Interface
http://www.analysissolution.com/http://www.analysissolution.com/


4/32


Capture Interface

If you want to capture data frames with your wireless card, or ifyou do not see the Packets counter increment, Go toyour options and uncheck the Capture packets inpromiscuousmode


5/32


Notes From The Field

We have complied a list of filters, organized them by type. They can be download fromour web site.

Capture Filters Sources:

Go to http://www.analysissolution.com Tech Notes WireShark

You will find instructions and other helps tips for WireShark

Note of Interest Update June 2007

As of Release of WireShark 99.6 the Capture Filter file cfilter was moved within the application

to c:/programs/wireshark/cfilter

If you have comments or suggestions or wish to share a filter please email [email protected]

Ray Tompkins

www.analysissolution.com
http://www.analysissolution.com/http://www.analysissolution.com/mailto:[email protected]://www.analysissolution.com/http://www.analysissolution.com/http://www.analysissolution.com/http://www.analysissolution.com/http://www.analysissolution.com/http://www.analysissolution.com/mailto:[email protected]:[email protected]:[email protected]://www.analysissolution.com/http://www.analysissolution.com/http://www.analysissolution.com/http://www.analysissolution.com/http://www.analysissolution.com/http://www.analysissolution.com/http://www.analysissolution.com/http://www.analysissolution.com/


6/32


Capture Filter Reference

Command Description

ether host MAC address Capture all packets to and from a MAC address

IP Filters

host ip address Capture all packets to and from an ip address

src host ip address Capture all packets from an ip address

dst host ip address Capture all packets to an ip address

TCP/UDP Filters

port port Capture all packets to and from a port number

src port port Capture all packets from a port number

dst port port Capture all packets to a port number

IP Network Filters

net net Capture all packets to and from a net

src net net Capture all packets from a net

dst net net Capture all packets to a net


7/32


Capture Filter Examples

Capture only DNS frames

port 53

Capture HTTP and DNS frames port 80 or port 53

Capture all IP traffic

ip


8/32


Capture Options Stop Capture Frame

This frame allows you to control when WireShark will stop capturing.

This will not save to a file.

If multiple options are checked, the first condition it reaches, will stop the analyzer.

Filtersare contained in this file

C:\Documents and .\Application Data\WireShark\cfilters

** If you choose to create your own cfilters file, remember to

leave the last line in this fileblank.


9/32


Capture Capture Filters

This screen allows you to Add or Delete Capture filters

Make the Filter name and Fil ter string the same to avoid confusion

2

1

Filtersare contained in this file

C:\Documentsand .\Application Data\WireShark\cfilters

** Remember to leave the last line in this file blank..


10/32


Edit -> Preferences -> Columns

This screen allows you to add or move

columns around.

For consistency, I always recommend youname your columns the same as the

descriptions noted in the pull down

menu.


11/32


WireShark Screen Layout

Filename Of Current Trace File


12/32


Sorting Columns

Output is Sorted By Frame No By Default

Click Info Header


13/32


Neat Feature Drag and Drop

You can now drag and drop a file from Windows Explorer directly into WireShark.


14/32


Conversation List

You can now see a list of all the TCP, IP or MAC addresses.

You leave this screen up while capturing to see this in real time.


15/32


Resize Column


16/32


Statistics: Neat Feature Conversation List

You can now see a list of all the TCP, IP or MAC addresses.


17/32


Statistics: Flow Graph


18/32


Statistics: Conversation


19/32


Statistics: Conversation continued


20/32


Analyze: Expert Info

Expert information shows a summary of Errors, Warning.


21/32


Analyze: Display Filters

Display filters can be applied from the previous list or create new filters.


22/32


Analyze: Follow TCP Stream

Follow TCP streams can be between IP address or entire conversation

Traffic from A to B is marked in Red and from B to A is marked in Blue


23/32


Analyze: Expert Info Composite

Expert information composite not only displays errors, warnings, notes and Chats

By clicking the Packets number allows you to jump to the packet within the trace.


24/32


Case Study: Please Open The Window

This case study a nightly server backup is not being completed in the allowed time. Aproduction server for an major oil company that contains seismic data for oilresearch. Important information that needs to be backup. This information is theimportant asset of company. It is also a very large amount of data.

Configuration: Production server connects to a Gigabit Ethernet connection. Itconnects to a Cisco router 6509, and on the same blade another Gigabit Ethernetconnection to the backup server.

Each part of the team, server, application and network personnel have work hard todetermine what could be the problem. The application logs have been reviewed, theserver team has review both logs for each sever. Also the network team has lookedat each interface for errors, searched through the router logs, but all have foundnothing that identifies the problem.

At the request of Analysis Solution a trace was taken. The following indicates theresults.


25/32


Case Study: Please Open the Window

Analysis: The receiving server was chocking on the data, unable to get the

information written to the disk drive.

Solution: Higher speed disk drives where installed. This increased the performanceof the Back Up server allowing it to keep up with the network and Production server.

See the following trace file and also the graphs that show the Window Size being

advertised by the Back Up server.


26/32


Case Study: Please Open the Window

Figure 1:1 Trace File Results (good through put with large packets size), we seegood through put, with su window size, item B.

Figure 1:2 Trace File Results (window size has changed to Zero)

In packet 377, item C the source IP address, item D is sending a window size ofZero, see item E.


27/32


Case Study: Please Open the Window Window Size

0

1000

2000

3000

4000

5000

6000

7000

8000

9000

10000

4:01:17PM

4:01:30PM

4:01:55PM

4:02:05PM

4:02:16PM

4:02:28PM

4:02:38PM

4:02:48PM

4:02:54PM

4:03:02PM

4:03:09PM

4:03:16PM

4:03:30PM

4:03:54PM

4:04:12PM

4:04:29PM

4:04:44PM

4:05:01PM
http://www.analysissolution.com/http://www.analysissolution.com/http://www.analysissolution.com/http://www.analysissolution.com/http://www.analysissolution.com/http://www.analysissolution.com/


28/32


Case Study: Please Open the Window Disk Drive Upgraded

0

1,000

2,000

3,000

4,000

5,000

6,000

7,000

8,000

9,000

10,000

2:51:50

2:51:51

2:51:52

2:51:52

2:51:53

2:51:53

2:51:54

2:51:54

2:51:55

2:51:55

2:51:56

2:51:56

2:51:57

2:51:57

2:51:58

2:51:58

2:51:59

2:51:59
http://www.analysissolution.com/http://www.analysissolution.com/http://www.analysissolution.com/http://www.analysissolution.com/http://www.analysissolution.com/http://www.analysissolution.com/


29/32


Question and Answer: Simulation Traffic Tools

Question: What tools are available for generating traffic to simulate traffic or data throughput?

Answer: One tool that is free is IPERF. It loads on each end, source and destination.This could be PC to PC, or Server to PC, and then you run the through put benchmarks. I use it in classes that I teach where we run several bench mark tests. Herewhere to find the tool and notes on how to use it.


30/32


Question and Answer: Performance Tools cont.

IPERF (free) Very handy FREE throughput tester. Using it is quick and easy;

Simply download IPERF http://dast.nlanr.net/Projects/Iperf/

Unzip into a folder on two pc's

Go to one PC and type iperf -s at the command prompt. This is a server

Go to the other PC and type iperf -c server_ipaddress

Other examples;

to run the iperf utility as a server service by typingiperf -s -D

to conduct an upload typeiperf -c server_ipaddress

to conduct a separate upload and download typeiperf -c server_ipaddress -r

to conduct a simultaneously upload and download typeiperf -c server_ipaddress -p

Chariot from IXIA

http://www.ixiacom.com/products/display.php?skey=ixchariot

SmartBits

http://www.spirentcom.com/analysis/technology.cfm?media=7&WS=325&SS=110&wt=2
http://www.analysissolution.com/http://dast.nlanr.net/Projects/Iperf/http://www.spirentcom.com/analysis/technology.cfm?media=7&WS=325&SS=110&wt=2http://www.spirentcom.com/analysis/technology.cfm?media=7&WS=325&SS=110&wt=2http://www.spirentcom.com/analysis/technology.cfm?media=7&WS=325&SS=110&wt=2http://www.spirentcom.com/analysis/technology.cfm?media=7&WS=325&SS=110&wt=2http://www.spirentcom.com/analysis/technology.cfm?media=7&WS=325&SS=110&wt=2http://www.spirentcom.com/analysis/technology.cfm?media=7&WS=325&SS=110&wt=2http://www.spirentcom.com/analysis/technology.cfm?media=7&WS=325&SS=110&wt=2http://www.spirentcom.com/analysis/technology.cfm?media=7&WS=325&SS=110&wt=2http://www.spirentcom.com/analysis/technology.cfm?media=7&WS=325&SS=110&wt=2http://www.spirentcom.com/analysis/technology.cfm?media=7&WS=325&SS=110&wt=2http://www.spirentcom.com/analysis/technology.cfm?media=7&WS=325&SS=110&wt=2http://www.spirentcom.com/analysis/technology.cfm?media=7&WS=325&SS=110&wt=2http://www.spirentcom.com/analysis/technology.cfm?media=7&WS=325&SS=110&wt=2http://www.spirentcom.com/analysis/technology.cfm?media=7&WS=325&SS=110&wt=2http://www.spirentcom.com/analysis/technology.cfm?media=7&WS=325&SS=110&wt=2http://www.spirentcom.com/analysis/technology.cfm?media=7&WS=325&SS=110&wt=2http://www.spirentcom.com/analysis/technology.cfm?media=7&WS=325&SS=110&wt=2http://www.spirentcom.com/analysis/technology.cfm?media=7&WS=325&SS=110&wt=2http://www.spirentcom.com/analysis/technology.cfm?media=7&WS=325&SS=110&wt=2http://dast.nlanr.net/Projects/Iperf/http://dast.nlanr.net/Projects/Iperf/http://dast.nlanr.net/Projects/Iperf/http://dast.nlanr.net/Projects/Iperf/http://dast.nlanr.net/Projects/Iperf/http://dast.nlanr.net/Projects/Iperf/http://dast.nlanr.net/Projects/Iperf/http://www.analysissolution.com/


31/32


Question and Answer: Case Studies

Question: Can you recommend where to get case studies?

Answer: There are several books that contain case studies. I have listed them below foryour reference. Also visit my web site www.analysissolution.com Im in the processof adding PCast. They are 10 minutes in length and cover various topics, all focusedon Protocol Analysis.

Network Analysis and Troubleshooting

J. Scott HaugdahlISBN 0-201-43319-2

Optimizing Network TrafficMicrosoft PressISBN:: 073560648X
http://www.analysissolution.com/http://www.analysissolution.com/http://www.analysissolution.com/http://www.analysissolution.com/http://www.analysissolution.com/http://www.analysissolution.com/http://www.analysissolution.com/http://www.analysissolution.com/


32/32

2007 www analysissolution com

Question and Answer:

Question: What type of triggers are available for WireShark-Ethereal?

Answer: WireShark-Ethereal states that the only triggers are to Stop under the flowingconditions and to Restart.

Stop Capture:

Stop the capture on different triggers like: amount of captured data, captured time, captured

number of packets.

Restart a Running Capture:

A running capture session can be restarted with the same capture options than the last time, this

will remove all packets previously captured. This can be useful, if some uninteresting packets are

captured and there's no need to keep them.

Restart is a convenience function and equivalent to a capture stop following by an immediate

capture start. A restart can be triggers in one of the following ways:

Using the menu item "Capture/ Restart".

Using the toolbar item "Restart".

Further Notes:

You can reduce the amount of traffic captures by using capture filters.

You can also capturing into multiple files while doing a long term capture, and in addition the

option to form a ring buffer of these files, keeping only the last x files, useful for a "very long term"

capture.