
Author Profile - Ray Tompkins is the Founder and CEO of Gearbit. Ray is a Senior Network Specialist with over 28 years of experience in troubleshooting, design, and implementation. His background includes 911 emergency consulting and identifying the root cause of critical network problems. His knowledge of network protocols (LAN, VoIP, WAN and WLAN) and how they work within enterprise networks is the key to providing customer service through knowledge transfer and education.
This month we will discuss the importance of filtering.
When conducting packet analysis, one of the most important tricks of the trade is filtering. The ability to filter network traffic as you gather it, or to weed through a trace afterwards, saves time and effort when you are analyzing a problem or proving the results.
My tool of choice is Wireshark. It uses two different types of filters: capture filters, applied while packets are being captured, and display filters, applied to the packets after you have captured them. On Windows, Wireshark uses WinPcap, which provides link-layer network access so that every packet on the wire can be filtered by the tool. It does this by bypassing the protocol stack, which gives access to all of the network traffic, and it is used by many open source and commercial network tools. Gearbit's deep packet capture engine appliance uses libpcap, the Linux equivalent, to capture and filter packets because of its speed and efficiency.
One of the quickest ways to apply a filter is to identify a packet and open the detailed view of that packet (see Figure 1:1). After finding the field you want to filter on, right click it and select Prepare a Filter > Selected. The filter expression appears in the filter syntax box; apply it from there.
You can also use display filters much like capture filters, applying them while the capture is running (see Figure 1:2). First make sure the Update list of packets in real time option is selected. You will find it under Edit > Preferences: select the Capture option within the panel and look for Update list of packets in real time.
For example, if you want to see what web sites people are viewing, select Domain Name System and you will see a DNS filter showing real time DNS packets.
When monitoring TCP transactions, look for the SYN and the SYN ACK responses. The delta time from the SYN request to the SYN ACK response gives you an accurate round-trip time measurement.
Filtering on tcp.options.mss_val returns the packets that carry an MSS option, which includes the SYN ACK replies to a SYN request, allowing you to view the MSS. You want this to be as large as possible. The maximum should be close to 1460 bytes, which allows for the maximum payload per segment.
Another useful item to look for is the TCP Zero Window. When a server or load balancer is busy, it sends back a Zero Window, which shows that the device is too busy to receive more data. Find these packets with the tcp.analysis.zero_window filter.
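The three TCP checks above, worked through as an added example that is not part of the original article: a small Python script applies the equivalent of the SYN/SYN ACK delta time, the tcp.options.mss_val filter and the tcp.analysis.zero_window filter to a constructed list of packet summaries (the trace data and the Pkt record are assumptions made for the example, not a real capture).

```python
# Added example: the article's three TCP checks applied to a constructed
# packet list. The records are sample data, not from a real capture.
from collections import namedtuple

Pkt = namedtuple("Pkt", "t src sport dst dport flags mss win")

# Constructed trace: a handshake with a small MSS, the server later
# advertising window 0 (busy), then a second, clean handshake.
TRACE = [
    Pkt(0.000, "10.0.0.5", 51000, "10.0.0.9", 80, "S", 536, 65535),
    Pkt(0.042, "10.0.0.9", 80, "10.0.0.5", 51000, "SA", 536, 65535),
    Pkt(0.043, "10.0.0.5", 51000, "10.0.0.9", 80, "A", None, 65535),
    Pkt(0.300, "10.0.0.9", 80, "10.0.0.5", 51000, "A", None, 0),
    Pkt(1.000, "10.0.0.5", 51001, "10.0.0.9", 80, "S", 1460, 65535),
    Pkt(1.003, "10.0.0.9", 80, "10.0.0.5", 51001, "SA", 1460, 65535),
]

def handshake_rtts(pkts):
    """SYN -> SYN ACK delta per client (ip, port): the round-trip time
    Wireshark shows as the SYN ACK's delta from the SYN."""
    syn_time, rtts = {}, {}
    for p in pkts:
        if p.flags == "S":
            syn_time[(p.src, p.sport)] = p.t
        elif p.flags == "SA" and (p.dst, p.dport) in syn_time:
            rtts[(p.dst, p.dport)] = round(p.t - syn_time.pop((p.dst, p.dport)), 6)
    return rtts

def mss_values(pkts):
    """Equivalent of tcp.options.mss_val: every packet carrying an MSS
    option (the SYN and the SYN ACK) together with the advertised value."""
    return [(p.src, p.sport, p.flags, p.mss) for p in pkts if p.mss is not None]

def small_mss(pkts, expected=1460):
    """Packets whose MSS falls short of the ~1460-byte value the article
    recommends; these connections will carry less payload per segment."""
    return [(p.src, p.sport, p.mss) for p in pkts
            if p.mss is not None and p.mss < expected]

def zero_windows(pkts):
    """Equivalent of tcp.analysis.zero_window: window 0 on a packet that
    is not a SYN, FIN or RST, i.e. a receiver too busy to accept data."""
    return [(p.t, p.src, p.sport) for p in pkts
            if p.win == 0 and not set(p.flags) & {"S", "F", "R"}]
```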
To learn more about Zero Window, see Gearbit's OSTU video "Identifying Zero Window with Wireshark".
For more technical tips on filters and filter resources see http://www.gearbit.com/tech.shtml
Watch for next month’s Under the Hood article “Wireshark Capture Filters Part 2.”
Gearbit is a group of talented and experienced network experts providing tools and resources. As network analysts, we're used to seeing capture filters in this format, so we gathered a list of Wireshark capture filters and organized them the way we like to view them. Visit the Gearbit web site, download your own copy and add them to your Wireshark analyzer. You'll be glad you did.
Wireshark capture filters at Gearbit: http://www.gearbit.com/tech.shtml#wireshark
Sign up for the gearbit monthly newsletter. You won't be disappointed.