91 posts categorized "Chris Greer"

Lessons from Sharkfest US 2017 (by Chris Greer)


Sharkfest turned 10!

Last month, hundreds of Wireshark users, developers, and trainers came together for the 10th annual Sharkfest conference at Carnegie Mellon University in Pittsburgh. Packet-heads from all over the globe could mix and mingle with the likes of Gerald Combs, Laura Chappell, Jasper Bongertz, and Hansang Bae, just to name a few.

For me, Sharkfest is always a highlight of the year. Where else can you ditch the trade-show marketing super-hype and just get down to the wire with the world’s best packet analysts? Network engineers should definitely put this event on their bucket lists, no matter what their experience level with Wireshark and packet analysis.

In recent years, the fine folks who host Sharkfest have had the sessions recorded and made them available on demand. If you have not yet done so, stop by the Sharkfest retrospective page to check out some of the sessions – sharkfest.wireshark.org/sf17

Suggested sessions:

  1. Hansang Bae always does a great job of showing real-world scenarios of how to packet dig. In his session he goes into some case studies of rare packet-level issues that engineers face today. His session video is not yet on the page but I’m sure it soon will be.
  2. Kary Rogers from Packetbomb did a practical session on Understanding Throughput and TCP Windows. Be sure to check that one out – recording available.
  3. Betty DuBois did a very nice session for newbies entitled “Rookie to Vet in 75 minutes”. The recording is not yet available, but she did an awesome job on her presentation – definitely check it out once it is posted!

My notes:

Continue reading "Lessons from Sharkfest US 2017 (by Chris Greer)" »


Are My Packets Lying? – Four Things To Look For In Packet Traces (by Chris Greer)


Packets don’t lie – well, most of the time.

Packets will tell you the truth unless they have been captured incorrectly. In those cases, packets can tell bald-faced lies.

When digging through trace files, we can come upon symptoms in the packets that may raise an eyebrow. These are events that look strange on the surface and may even divert our troubleshooting focus for a time. In fact, some of these issues have misdirected engineers for hours, if not days, causing them to chase down issues and events that simply did not exist on the wire.

Most of these examples can be avoided simply by capturing the packets from a tap rather than on the machine generating the traffic. A capture taken on the sending host sits above the NIC, so it records frames before offload features such as segmentation and checksum calculation have done their work, and what you see is not what went out on the wire. Come on, you know you have needed a tap for a while! Just spring for one and capture correctly next time. By the way, when you do make that decision, check out our buddies at Garland Technology. They make great stuff and they are nice people too!

  1. Very large packets
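As an added example (not code from the original post), here is a small classic-pcap reader that flags frames larger than a full-size Ethernet frame. A frame of 10, 30 or 64 KB in a capture taken on the sending host is almost always segmentation offload at work (the kernel handed the NIC one large buffer, and the capture point sits above the NIC), so a trace full of them tells you where the capture was taken before it tells you anything about the network. The sample pcap is constructed in memory; the 1514-byte threshold assumes a standard 1500-byte MTU and a capture that does not include the 4-byte FCS.

```python
"""Flag frames in a pcap that could not have existed on a standard Ethernet wire.

Added example, not from the original post. A capture from a tap never shows
a frame larger than the link MTU plus the Ethernet header; a capture on the
sending host with TSO/GSO enabled routinely does.
"""
import struct

# First four bytes of a classic pcap, read little-endian -> (byte order, ticks per second)
PCAP_MAGIC = {
    0xA1B2C3D4: ("<", 1_000_000),       # little-endian, microsecond timestamps
    0xA1B23C4D: ("<", 1_000_000_000),   # little-endian, nanosecond timestamps
    0xD4C3B2A1: (">", 1_000_000),       # big-endian, microsecond timestamps
    0x4D3CB2A1: (">", 1_000_000_000),   # big-endian, nanosecond timestamps
}

# Assumption: 1500-byte MTU + 14-byte Ethernet header, FCS stripped by the capture driver.
ETHERNET_MAX_FRAME = 1514


def iter_pcap(data: bytes):
    """Yield (index, timestamp_seconds, caplen, origlen, frame_bytes) per record."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in PCAP_MAGIC:
        raise ValueError(f"not a classic pcap file: magic 0x{magic:08x}")
    endian, ticks = PCAP_MAGIC[magic]
    off, index = 24, 0                      # 24-byte global header
    while off + 16 <= len(data):            # 16-byte record header
        ts_sec, ts_frac, caplen, origlen = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + caplen]
        if len(frame) < caplen:
            raise ValueError(f"record {index} is truncated")
        off += caplen
        yield index, ts_sec + ts_frac / ticks, caplen, origlen, frame
        index += 1


def find_oversized_frames(data: bytes, max_frame: int = ETHERNET_MAX_FRAME):
    """Return [(index, origlen)] for frames whose on-the-wire length exceeds max_frame.

    origlen rather than caplen is compared so that a snaplen-truncated capture is
    judged by the size the frame really had, not by how much of it was saved.
    """
    return [(i, origlen) for i, _, _, origlen, _ in iter_pcap(data) if origlen > max_frame]


def build_pcap(frame_lengths, linktype: int = 1) -> bytes:
    """Build a minimal little-endian, microsecond pcap. Constructed test data, not a real capture."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
    for n, length in enumerate(frame_lengths):
        frame = bytes(length)                         # payload contents do not matter here
        out += struct.pack("<IIII", 1_500_000_000 + n, 0, len(frame), len(frame))
        out += frame
    return bytes(out)


# Constructed: a 60-byte ACK, a full-size 1514-byte segment, and a 65,210-byte
# "segment" of the kind a host-side capture shows when segmentation offload is on.
SAMPLE_PCAP = build_pcap([60, 1514, 65210])

if __name__ == "__main__":
    for index, origlen in find_oversized_frames(SAMPLE_PCAP):
        print(f"frame {index + 1}: {origlen} bytes on the wire? not on Ethernet; "
              f"suspect a host capture with offload enabled")
```

In Wireshark the same check is the display filter `frame.len > 1514`; if it matches anything in an Ethernet trace, treat the capture point, not the packets, as the first suspect.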

Continue reading "Are My Packets Lying? – Four Things To Look For In Packet Traces (by Chris Greer)" »


Troubleshooting with Wireshark - Remove Unrelated Protocols (by Chris Greer)

Sometimes packet digging can get tedious. We've all been there. 

It can be hard to set the right filter that lets us home in on the root cause. In many cases, it is just as helpful to remove from view the protocols that are probably not related to the problem. At least that will give us less to dig through. I call that removing "packet static". 

In this video, we will look at how to create a button in Wireshark that will remove common protocols or conversations that will simplify the trace. 


Hope this helps when packet digging! 

Continue reading "Troubleshooting with Wireshark - Remove Unrelated Protocols (by Chris Greer)" »


Got NetFlow and Metadata – Why do I need packets? (by Chris Greer)

It’s all about time.

Alarm-2165710_640

When it comes to network monitoring, NetFlow and Metadata-based tools allow engineers to get a handle on traffic usage, statistics, capacity, and even security attacks. They quickly help us visualize the conversations and applications involved in congestion, as well as home in on strange traffic behavior. It would be difficult (and overkill at times) to use packet data to show the same traffic statistics.

So then, why are packets necessary for analysis and monitoring?

In most cases, NetFlow and Metadata do not show us packet timing, which is critical when isolating the root cause of performance issues, and some security issues. To better understand why, let’s look at how NetFlow works.
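The following is an added illustration, not code from the original post. It aggregates a constructed packet list into the kind of unidirectional flow record a NetFlow exporter emits (first seen, last seen, packet and byte counts) and then computes the inter-packet gaps that the flow record throws away. The conversation is a single TCP request whose server reply stalls for 2.8 seconds: the flow records faithfully report a roughly three-second flow, but only the per-packet timeline can say that one silence between the request and the response accounts for almost all of it. The addresses, ports and timestamps are made up.

```python
"""Flow records versus packet timing.

Added example, not from the original post. A NetFlow-style record keeps
first-seen, last-seen, packet and byte counts per unidirectional flow.
It cannot say where inside that duration the time went; packets can.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float       # capture time in seconds
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    length: int
    note: str       # human label, for printing only


@dataclass
class FlowRecord:
    """The fields a flow exporter keeps per unidirectional flow."""
    key: tuple
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0

    @property
    def duration(self) -> float:
        return self.last_seen - self.first_seen


def flow_key(p: Packet) -> tuple:
    """Unidirectional 5-tuple, the way a flow cache keys its entries."""
    return (p.src, p.dst, p.sport, p.dport, p.proto)


def export_flows(packets):
    """Aggregate packets into flow records: what a NetFlow collector receives."""
    flows = {}
    for p in sorted(packets, key=lambda p: p.ts):
        k = flow_key(p)
        rec = flows.get(k)
        if rec is None:
            rec = flows[k] = FlowRecord(k, p.ts, p.ts)
        rec.last_seen = p.ts
        rec.packets += 1
        rec.octets += p.length
    return flows


def largest_gap(packets):
    """Longest silence in the conversation as (seconds, packet_before, packet_after).

    This is the question a flow record cannot answer: which packet waited, and for how long.
    """
    ordered = sorted(packets, key=lambda p: p.ts)
    best = (0.0, None, None)
    for a, b in zip(ordered, ordered[1:]):
        if b.ts - a.ts > best[0]:
            best = (b.ts - a.ts, a, b)
    return best


CLIENT, SERVER = "10.0.0.5", "10.0.0.20"
# Constructed conversation: a TLS request whose response is delayed 2.8 s by the server.
SAMPLE_PACKETS = [
    Packet(0.000, CLIENT, SERVER, 52100, 443, "tcp", 74, "SYN"),
    Packet(0.010, SERVER, CLIENT, 443, 52100, "tcp", 74, "SYN/ACK"),
    Packet(0.011, CLIENT, SERVER, 52100, 443, "tcp", 66, "ACK"),
    Packet(0.012, CLIENT, SERVER, 52100, 443, "tcp", 300, "request"),
    Packet(2.812, SERVER, CLIENT, 443, 52100, "tcp", 1200, "response"),
    Packet(2.815, CLIENT, SERVER, 52100, 443, "tcp", 66, "ACK"),
    Packet(3.000, SERVER, CLIENT, 443, 52100, "tcp", 66, "FIN"),
]

if __name__ == "__main__":
    print("flow view:")
    for rec in export_flows(SAMPLE_PACKETS).values():
        print(f"  {rec.key[0]}:{rec.key[2]} -> {rec.key[1]}:{rec.key[3]} "
              f"{rec.packets} pkts {rec.octets} B over {rec.duration:.3f} s")
    gap, before, after = largest_gap(SAMPLE_PACKETS)
    print(f"packet view: {gap:.3f} s between '{before.note}' and '{after.note}'")
```

The flow view shows a client-to-server flow of 2.815 s and a server-to-client flow of 2.990 s, which looks like a slow transfer; the packet view shows a 300-byte request answered 2.8 s later, which is a slow server. Same traffic, and only one of the two views points at the root cause.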

NetFlow 101

Continue reading "Got NetFlow and Metadata – Why do I need packets? (by Chris Greer)" »


Troubleshooting with Wireshark - Find Delays in TCP Conversations (by Chris Greer)

The delta time column has always been one of the first things to add when configuring Wireshark. It shows the time between displayed packets, or captured packets, depending on how you set it up. It makes finding delays in conversations much easier to do - that is unless you are dealing with a trace file that has several TCP conversations in tandem. It may be that the time between packets looks good, but that is because the previous packet is a part of a different conversation from the one you are analyzing. 

In this video we will look at how to use the timestamp information that Wireshark adds to the TCP header (the tcp.time_delta field, "Time since previous frame in this TCP stream", which appears once the "Calculate conversation timestamps" TCP preference is enabled) to find delays in conversations, even when multiple connections are overlapping each other. 
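As an added example (not the post's own code), here are the two calculations side by side on a constructed capture of two interleaved TCP streams. Stream 1 has a 1.5-second server stall, but stream 2 keeps chattering during it, so the ordinary delta column (time since the previous captured frame) tops out at 0.75 s and points at the wrong server. Computing the delta per TCP stream, which is what tcp.time_delta does, puts the full 1.5 s on the frame that actually waited. The addresses, ports and timestamps are made up; timestamps are chosen as exact binary fractions so the comparison is not muddied by floating-point noise.

```python
"""frame.time_delta versus tcp.time_delta on interleaved TCP streams.

Added example, not from the original post. Wireshark's tcp.time_delta is
the time since the previous frame in the same TCP stream; this recomputes
it and contrasts it with the global delta-time column.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    ts: float       # capture time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    note: str       # label for printing


def stream_key(f: Frame) -> tuple:
    """Bidirectional conversation key: both directions map to the same stream."""
    a, b = (f.src, f.sport), (f.dst, f.dport)
    return (a, b) if a <= b else (b, a)


def frame_deltas(frames):
    """Time since the previous captured frame, regardless of stream (frame.time_delta)."""
    deltas, prev = [], None
    for f in frames:
        deltas.append(0.0 if prev is None else f.ts - prev.ts)
        prev = f
    return deltas


def tcp_stream_deltas(frames):
    """Time since the previous frame in the same TCP stream (tcp.time_delta).

    The first frame of each stream gets 0.0, as Wireshark shows it.
    """
    last, deltas = {}, []
    for f in frames:
        k = stream_key(f)
        deltas.append(0.0 if k not in last else f.ts - last[k])
        last[k] = f.ts
    return deltas


def slowest(frames, deltas):
    """(1-based frame number, delta) of the frame that waited longest under a given delta column."""
    i = max(range(len(frames)), key=lambda i: deltas[i])
    return i + 1, deltas[i]


CLIENT, SERVER1, SERVER2 = "10.0.0.5", "10.0.0.20", "10.0.0.30"
# Constructed: stream 1 (client:40001 <-> SERVER1:80) stalls 1.5 s on the server side
# while stream 2 (client:40002 <-> SERVER2:80) keeps exchanging packets.
SAMPLE_FRAMES = [
    Frame(0.000, CLIENT, 40001, SERVER1, 80, "s1 request"),
    Frame(0.250, CLIENT, 40002, SERVER2, 80, "s2 request"),
    Frame(1.000, SERVER2, 80, CLIENT, 40002, "s2 response"),
    Frame(1.250, CLIENT, 40002, SERVER2, 80, "s2 ack"),
    Frame(1.500, SERVER1, 80, CLIENT, 40001, "s1 response"),   # 1.5 s after the request
    Frame(1.625, CLIENT, 40001, SERVER1, 80, "s1 ack"),
    Frame(2.000, CLIENT, 40002, SERVER2, 80, "s2 fin"),
]

if __name__ == "__main__":
    fd, td = frame_deltas(SAMPLE_FRAMES), tcp_stream_deltas(SAMPLE_FRAMES)
    print("no.  frame.time_delta  tcp.time_delta  packet")
    for n, f in enumerate(SAMPLE_FRAMES, start=1):
        print(f"{n:>3}  {fd[n - 1]:>16.3f}  {td[n - 1]:>14.3f}  {f.note}")
    print("frame delta blames frame", slowest(SAMPLE_FRAMES, fd))
    print("tcp delta blames frame  ", slowest(SAMPLE_FRAMES, td))
```

Sorting the packet list by the tcp.time_delta column (add it via the Timestamps subtree of any TCP header, right-click, Apply as Column) gives the same answer as `slowest` with the per-stream deltas: the biggest hold-up rises to the top no matter how many other conversations were interleaved with it.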

This can help us to quickly identify where the hold-ups are in conversations, getting to root cause faster. 

Hope this helps when troubleshooting!