52 posts categorized "Wireshark"

Are My Packets Lying? – Four Things To Look For In Packet Traces (by Chris Greer)


Packets don’t lie – well, most of the time.

Packets will tell you the truth unless they have been captured incorrectly. In those cases, packets can tell bald-faced lies.

When digging through trace files, we can come upon symptoms in the packets that may raise an eyebrow. These are events that look strange on the surface and may even divert our troubleshooting focus for a time. In fact, some of these issues have misdirected engineers for hours, if not days, causing them to chase down issues and events that simply did not exist on the wire.

Most of these examples can be avoided simply by capturing the packets from a tap rather than on the machine generating the traffic. Come on, you know you have needed a tap for a while! Just spring for one and capture correctly next time. By the way, when you do make that decision, check out our buddies at Garland Technology. They make great stuff and they are nice people too!

  1. Very large packets

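The first symptom on the list, very large packets, is easy to check for mechanically: a real Ethernet wire frame is at most 1518 bytes (1500-byte MTU plus header and FCS), so anything longer in a trace was almost certainly recorded on the sending host before the NIC's segmentation offload split it, not on the wire. The following added example (mine, not code from the post) parses a classic libpcap file with only the standard library and reports the frames that exceed the wire maximum. The sample capture it runs on is constructed inline with dummy frames; it is not a real trace.

```python
"""Flag frames in a classic pcap that are longer than anything that can
exist on an Ethernet wire. Such frames are the signature of a capture
taken on the host with segmentation offload active rather than from a tap.

Added example, standard library only. The sample capture is constructed."""
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4      # classic libpcap, microsecond timestamps
PCAP_MAGIC_BE = 0xD4C3B2A1
LINKTYPE_ETHERNET = 1
ETHERNET_MAX_FRAME = 1518       # 1500-byte MTU + 14-byte header + 4-byte FCS
JUMBO_MAX_FRAME = 9018          # use this ceiling on networks with 9000-byte MTU


def parse_pcap(data: bytes):
    """Yield (frame_no, caplen, origlen) for every record in a classic pcap blob.

    frame_no starts at 1 to match Wireshark's packet list numbering.
    pcapng is deliberately not handled; convert with editcap first."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")

    # global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    _, _, _, _, _, _snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unexpected link type {linktype}, expected Ethernet")

    off, frame_no = 24, 0
    while off + 16 <= len(data):
        # record header: ts_sec, ts_usec, caplen (bytes saved), origlen (bytes on wire)
        _ts_sec, _ts_usec, caplen, origlen = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame_no += 1
        yield frame_no, caplen, origlen
        off += caplen           # skip the frame payload itself


def oversized_frames(data: bytes, max_frame: int = ETHERNET_MAX_FRAME):
    """Return [(frame_no, origlen)] for frames longer than a real wire frame.

    origlen is used rather than caplen so that a sliced capture (snaplen)
    does not hide an oversized frame."""
    return [(n, origlen) for n, _caplen, origlen in parse_pcap(data) if origlen > max_frame]


def build_pcap(frame_lengths):
    """Constructed sample: a little-endian pcap of zero-filled Ethernet frames."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 262144, LINKTYPE_ETHERNET)
    for n, length in enumerate(frame_lengths):
        out += struct.pack("<IIII", 1_700_000_000 + n, 0, length, length)
        out += b"\x00" * length
    return out


# Constructed trace: normal frames plus two that could never have been on the wire.
SAMPLE = build_pcap([74, 1514, 1514, 65226, 1514, 8000])

if __name__ == "__main__":
    for frame_no, length in oversized_frames(SAMPLE):
        print(f"frame {frame_no}: {length} bytes on 'wire' -> captured on the host with offload?")
```

Frames that only slightly exceed 1518 may be legitimate jumbo frames on a network with a larger MTU; pass `max_frame=JUMBO_MAX_FRAME` there. A frame of tens of kilobytes, however, is never a wire frame, and that is the case that sends people chasing fragmentation or MTU problems that do not exist. The same check in Wireshark is the display filter `frame.len > 1518`.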

Troubleshooting with Wireshark - Remove Unrelated Protocols (by Chris Greer)

Sometimes packet digging can get tedious. We've all been there.

It can be hard to set the right filter that lets us home in on the root cause. In many cases, it is just as helpful to remove from view the protocols that are probably not related to the problem. At least that will give us less to dig through. I call that removing "packet static".

In this video, we will look at how to create a button in Wireshark that will remove common protocols or conversations that will simplify the trace. 


Hope this helps when packet digging!
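A filter button is stored as one line in the `dfilter_buttons` file of the active Wireshark profile (the same thing the "+" button next to the display filter bar writes). As an added example, not from the video, here is a button that removes the usual broadcast and discovery chatter; the protocol list is my own choice and should be trimmed to whatever is genuinely noise in your environment. The file format below is as documented in the Wireshark User's Guide for 3.x profiles; check it against your version before editing the file by hand.

```text
# ~/.config/wireshark/profiles/<profile>/dfilter_buttons   (Windows: %APPDATA%\Wireshark\profiles\<profile>\dfilter_buttons)
# format: "enabled","label","display filter","comment"
"TRUE","No Static","!(arp || stp || lldp || cdp || ssdp || mdns || llmnr || nbns || browser || dhcp)","hide discovery/broadcast noise"
```

The same expression works unchanged on the command line, which is handy when the trace is too large to open comfortably: `tshark -r trace.pcap -Y '!(arp || stp || lldp || cdp || ssdp || mdns || llmnr || nbns || browser || dhcp)'`. Two caveats: a "static" protocol is sometimes the culprit (a DHCP or name-resolution failure looks exactly like noise until it is the problem), so only hide protocols after a quick glance at Statistics > Protocol Hierarchy, and remember that a display filter hides packets rather than dropping them, so conversation and expert statistics still count them.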

Give me PACKETS!! (by Mike Canney)


I have been troubleshooting "network" problems for over two decades. From mom-and-pop small businesses to Fortune 10. Literally thousands of companies. As far as tools go, I've used just about all of them. From the Network General Sniffer, Novell LanAlyzer, Optimal's Application Expert/Vantage, Compuware Ecoscope, Cinco NetXray to Wireshark and back.

You would be hard pressed to find something that is somewhat mainstream that analyzes packets that I haven't used to find and solve network and application issues. I've also used the majority of the popular APM/NPM tools on the market for monitoring Network and Application Performance (I won't list them). The one thing they have in common is that they've all been useful in their own right: understanding at a high level what traffic is on the network, and an inkling of 'potential' application performance issues.



Wireshark Edit Name Resolution (by Tony Fortunato)

When using any protocol analyzer you might want to change the IP addresses to something more meaningful, like client, server, or a server name. Replacing an address with a name is also a good technique to mask public IP addresses when using screen captures in your report or emails.

In this video I walk you through how to edit the name and one step that most people miss to get this to work.



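The manual names Wireshark displays come from a `hosts` file in the active profile directory, in the same format as a system hosts file. This added example (mine, not the video's) shows such a file for a two-host troubleshooting session; the addresses are from the reserved documentation ranges and are constructed, not real hosts.

```text
# ~/.config/wireshark/profiles/<profile>/hosts   (Windows: %APPDATA%\Wireshark\profiles\<profile>\hosts)
# <address> <name>   one entry per line; IPv4 and IPv6 both work
192.0.2.10      client
198.51.100.20   web-server
2001:db8::1     dns-resolver
```

The file does nothing on its own: network-layer name resolution must be switched on (View > Name Resolution > Resolve Network Addresses), and in Edit > Preferences > Name Resolution it is worth ticking "Only use the profile hosts file", so that Wireshark does not also fire off DNS lookups for every address in the trace, which is both slow and, on a sensitive capture, leaks the addresses you were trying to hide. Since the names live in the profile, keep a separate profile for traces you share so that the sanitized names are not mixed into day-to-day work.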

Wireshark IO Graph Issue and Work Around (by Tony Fortunato)

If you don’t use Wireshark on a regular basis, you might not notice when things change. I used the word change to explain those scenarios when things don’t work as they did in previous versions.

I checked the release notes and did not see anything that mentions this issue, or maybe there is a new way to do it and I haven’t figured it out as of yet.

In this case Wireshark's IO Graph feature isn't working as it once did. I used the Legacy version of Wireshark as a workaround and suspect, if it's a bug, that it will be addressed soon.

Wireshark – Where to start? (by Tony Fortunato)

I’ve been asked to share more tips and tricks on my packet analysis methodology, so here you go.

“What do you do, or where do you start when you get a trace file?”, Samantha D

Not to sound like a consultant, but it depends on what you are looking for and how you configured your protocol analyzer for your capture (slicing, filters, etc.).

Let's take the worst case scenario (which is more common than I would like to admit). I receive a trace file that was captured without a capture filter and with no documentation outlining the device MAC or IP address. Capturing without a capture filter is a fairly standard practice so you don't miss anything, but later you are faced with a lot of packets to work with. All I know is that they said they wanted to take my advice and perform a 'boot-up baseline' on an ATA.

I always recommend that you start with a 'clean slate' with respect to your protocol analyzer. For example, disable your Packet Details and Packet Bytes panes (if possible), turn off any coloring rules, and remove any other items that might distract you. The goal is to see as many of your packets as possible. With a 'clean slate' you might also spot other things in addition to the original request.