
Baselining Cisco's Traceroute and Ping with Wireshark 2.0 (by Tony Fortunato)


This video is a short one because many baselines should not be a long, drawn-out process. In my sessions I teach people how to perform dozens of baselines in less than 2 minutes.

In this example, I was chatting with some analysts about why pings and traceroutes from their Cisco devices were behaving differently. They were ‘passionately’ discussing various theories when I politely asked if anyone had captured any packets to verify what they “thought” or ‘believed’ the devices were doing. The main point was this: if ping and traceroute both used ICMP, why were we seeing such a drastic difference in response times?

I believe that when people start their statements with “it should” or “I think”, it translates to ‘I don’t know’. I told them that the same time spent discussing their theories would have provided an answer if they had captured some packets. I also enjoy hearing the ‘let’s Google it’ response. There is nothing wrong with searching the web, but I encourage you to find a way to validate whatever information you find. In this case, I found this awesome Cisco document covering ping and traceroute: Cisco's Ping and Traceroute Article

When I say the word ‘baseline’, I imagine what people must think I mean by that. They probably envision a 3 inch thick binder of charts, reports and findings that takes days or weeks to complete. Actually, a baseline can be something simple and quick that doesn’t require any special equipment. In this case, we simply logged into the switch and pinged/tracerouted my computer while I captured packets. No mirror ports, taps or maintenance windows required.

This video is a good example of a process used to capture packets, filter the trace and then determine the answer. I even have some spare time to show you some telnet stuff.

These quick exercises are more about practicing your methodology and getting familiar with your tools than about quickly answering the question at hand.
