SPAN Port or TAP? (by Betty DuBois)
Gerald Combs @ Sharkfest 2009

Show Notes from Sharkfest 2009 (by Joke Snelders)

Joke_sneldersAuthor Profile - My name is Joke (pronounced \yō-kə\ or Joan for those who do not speak Dutch). During the day, I work as a secretary for a non-profit organization providing assisted living for mentally handicapped people in the south of The Netherlands. In my spare time I like to use Wireshark. I find it interesting and necessary to monitor my home network to see what is going on. As a user I like to answer questions at the Wireshark Mailing List.

What is in it for me? Well, I learn a great deal whenever I try to solve real-world problems. I am also a member of the NGN (the Dutch Network User's Group). I write articles about how to use Wireshark and the command line tools. And if there is still some spare time left, I like to go biking in the woods near my hometown with my husband and fellow geek.

Flickr Photo Stream - Stanford University

Hey guys, where were you? Sharkfest was great!

From June 15 till June 18 the second annual Sharkfest was held at Stanford University in California. The beautiful campus itself is worth visiting: try to find some time to visit the Rodin Sculpture Garden or walk down The Oval Park and Palm Drive toward downtown Palo Alto.

Sharkfest started on Monday with registration. The attendees received the original Sharkfest bag, an AirPcap Classic Adapter, conference materials and other cool takeaways.

During the well organized Welcome Barbeque in Dohrmann Grove we met the coordinating crew, presenters and other attendees, including Long Distance Travellers from Israel, Germany, Canada, Maleysia, Indonesia and The Netherlands.

During these days we had to get up early. The conference started daily at 7.00 AM with breakfast and a keynote. The sessions started at 9.00 AM. You could choose to attend Development, Basic User or Advanced User tracks.


Well, let me tell you about some of the highlights.

Release of Wireshark 1.2.0.

On June 16 Gerald Combs announced the release of Wireshark version 1.2.0.

The new start page looks great.

It gives e.g. an overview of available capture interfaces, recent used capture files and various help files. By clicking one of the interfaces you can start capturing immediately.

The auto-complete functionality for display filters works fine. It's very helpful, if you are not sure about the right syntax.

Wireshark supports MaxMind's GeoIP library. You can use their databases to match IP addresses to countries, city's and other bits of information. The information about all known IP address locations can be displayed on a map.

Len Shustek

Len Shustek, Chairman of the Board of Trustees, Computer History Museum, presented the first keynote:

A Romp Through the History of Computing Technology: the Computer History Museum Perspective.

Len Shustek gave a nice overview of the development of "computers" over the last 150 years. Charles Babbage designed the first automatic computing engines, but failed to build them.

Difference Engine No. 2, has been built to the original drawings and is on display at the Computer History Museum.


Sake Blok

Sake Blok works as a Research & Development Engineer for ion-ip in The Netherlands.

He and his colleagues are heavy users of Wireshark. Sake is a member of the Wireshark Core Development Team.

In his session Sake taught us about "SSL Troubleshooting with Wireshark and Tshark"

SSL plays an important role in ensuring confidentiallity, integrity and authentication of communication over a public network.

Sake started with an overview of cryptology and the SSL protocol. Next he shows us how to use Wireshark and TShark to analyze the different handshake messages, troubleshoot common problems in the SSL session setup and succesfully decrypt SSL traffic for further analysis of the data.

Click here to watch the recording of this session.

If you like to receive the trace files AND the keys Sake used during his session, you can send him an email.


Hansang Bae

"Think like a packet"

Hansang Bae currently leads the Network/Application Performance Team for Citi. His roles and responsibilities include: certifying network analyzers for Citi, performing application profiling, proving network simulation studies and assisting network operations/engineering with troubleshooting. He brings a unique perspective due to his experience with server and network design as well as his broad knowledge of protocol analysis in a complex enterprise infrastructure.

Click here to download Hansang's presentation for handling Complex Trace File Analysis.

Hansang told us about his approach to complex trace file analysis. He also showed effective methods to get to the information needed.

His advice:

- scroll through a trace to look for patterns
- develop a technique; create a list of common display filters to run through when troubleshooting
- use the graphical tools available in Wirehark, e.g. IO Graphs

Hansang encouraged the attendees to interact.

Sean Walberg

Sean Walberg is a network engineer from Winnipeg, Canada. He has also written about VoIP topics for Linux Journal and O'Reilly.

The topic of his presentation was: "Expose VoIP Problems With Wireshark".

As opposed to traditional telephone traffic VoIP sessions consists of 2 parts:

- signaling traffic: establishes a connection and tears it down, when it's done
- voice traffic: rtp-stream, can be played back by Wireshark (Statistics -> VoIP Calls).

Jitter, Delay en Packet Loss affect the quality of the call. It is difficult to have a conversation with too large delays or bad echo's.

When you start troubleshooting VoIP sessions, you must realize that the signaling traffic takes a different path then the voice traffic. So you have to be in the right spot to capture it all.

Click here to watch the recording of this session.

Rolf Leutert

Rolf Leutert is the founder of Leutert NetServices.

The company provides network training, network troubleshooting and consulting.
If there are enough attendees the Wireshark training courses are also provided on-site.
Rolf is a Certified Network Expert (CNX) and has also attained the Sniffer Certified Master status.

Rolf gave a clear explanation about the use of the AirPcap adapter. Preferably you use 3 adapters at the same time to capture on all channels (that is channel 1, 6 and 11).

You can use his presentation as a work of reference, so go and get it here.

You wil learn how to customize Wireshark by creating your own Custom Columns and Coloring Rules. Those are very helpful by interpreting trace files from WLAN's.


Betty DuBois

"You can have it all, but you can’t have it all at once!!"

Betty DuBois has over 10 years of experience as consultant and instructor in protocol analysis. She is also an instructor at the Wireshark University. Betty is a Sniffer Certified Expert (SCE), Certified Novell Instructor, Novell's CNE and Certified Network Expert (CNX).

She is an expert and it was fascinating to attend her session: "SPAN/Mirror/Monitor vs. Taps: When should I use what, and why should I care?".

She discusses the pros and cons of using SPANning/Mirroring/Monitoring (S/M/M) and TAP's (Test Access Ports).

When you use S/M/M, you sometimes get to much packets (multiple copies of the same packet by spanning a VLAN) and sometimes you get less packets (the switch eliminates corrupt packets or packets below a minimum size).

On the other hand using TAP's needs extra investment. You have to use 2 TAP's or an aggregation TAP to capture traffic in both directions. If the environment is redundant and load balanced, multiple TAP's will be required.

Betty's advice:
- use a TAP, when possible
- use port SPANning/Mirroring/Monitoring, when necessary.

Her presentation can be downloaded here and her video can be watched here.

To everybody who was NOT at Sharkfest, you can download the presentations here or watch videos of some of the sessions here.

But... you can not download the atmosphere and the nice talks with the other attendees, so be there next year ;-)

Thanks to Janice Spampinato and her crew.

Sharkfest '09 was perfect: excellent speakers, a gorgeous environment and... they took good care of you and served marvelous breakfasts and lunches.

See you next year (I hope).

Continue reading other exclusive posts by Joke Snelders »