92 posts categorized "Wireshark"

Troubleshooting a Cloud Problem with Wireshark (by Paul Offord)

The slowly growing interest in Cloud Computing that started ten or so years ago is turning into a stampede.  Most of our customers at Advance7 have strategic plans to migrate many systems to a cloud platform, and many have already started the journey.

Cloud application topology

In fact, we too have migrated all of our systems into AWS and Azure, containerising many of them in the process. But here's a concern we shared with our customers:

"Will we have enough visibility to troubleshoot performance and stability problems once we have migrated our systems?"

It's a good question. We don't want to discover that the whole environment is opaque just when we need to troubleshoot a serious problem. We satisfied ourselves that we could get the data we needed to maintain our systems. We found that we could get a lot of information from the Application Load Balancers, and we configured continuous packet captures to record traffic between the tiers of our systems. Just as well, as a couple of months ago we hit a performance problem with the TribeLab Community website.

I managed to record the actions of our Performance & Stability Engineers as they used AWS CloudWatch and Wireshark to investigate the problem.  I pulled together screenshots, video clips and other information to produce a short video case study …

Continue reading "Troubleshooting a Cloud Problem with Wireshark (by Paul Offord)" »


Wireshark Quick Tip - Opening Two Traces At Once on Mac OS (by Chris Greer)

Hey packet people!

If you are a Mac user and you need to do a side-by-side analysis of two trace files using Wireshark, this video will show you how. I got this tip from Mr. Gerald Combs himself. Thanks Gerald! 

Just wanted to post this in time for Sharkfest next week. You know, so you can follow along with the instructor while comparing a trace from your environment.

Continue reading "Wireshark Quick Tip - Opening Two Traces At Once on Mac OS (by Chris Greer)" »


Managing Wireshark Packet Comments (by Tony Fortunato)

In my opinion, Wireshark's File and Packet comments are its most underutilized features.

When I work onsite and capture packets, I get a lot of questions, ranging from tool use to, of course, packet interpretation.

Other than providing some customized onsite training (I no longer offer public training sessions) or mentoring, knowledge transfer is always challenging.

Providing file comments helps document why and where you performed the trace, along with any other noteworthy points. Notes such as a problem description, or whether a SPAN or TAP was used, are incredibly helpful when others look at the trace file.

Packet comments are even more important, since you can explain protocol and application behavior, and any problems, right alongside the related packets.

It doesn't matter if the notes are to jog your memory 6 months from now or if you are sending the trace to another department or vendor. Anyone will find the comments helpful, and they reduce a lot of the typical back and forth involved when you share a trace file.

In this video I cover how to add, find and remove packet comments.


Wireshark Quick Tip - Graphing TCP Zero Windows with tcptrace (by Chris Greer)

There is a handy new feature in Wireshark that just made looking at one of my favorite trace files a little more interesting.

The tcptrace graph has been used by analysts for years to graph the efficiency of data transfers over TCP. It helps us see sequence numbers increasing over time, the TCP receive window, bytes in flight, retransmissions and acknowledged data. That way, if there is a hitch in a download or large transfer, you can quickly spot the issue and get digging for the root cause.

In the screenshot below we see a tcptrace graph with all the pertinent info.

Tcptrace graph Wireshark

This graph is great. It has been a huge help for years. As you can see above, there is a long pause in the data transfer, and with a few clicks we can start to deep dive.

But until recently, there was one thing missing that is very important to know when analyzing data transfers – zero windows.

Continue reading "Wireshark Quick Tip - Graphing TCP Zero Windows with tcptrace (by Chris Greer)" »


IP Subnet Wireshark Display Filter (by Tony Fortunato)

When asked for advice on how to be a proficient protocol analyst, I give 2 pieces of advice:

  1. Practice looking for patterns. In most cases, you are looking for patterns, or a break in the pattern. Don't worry about memorizing the RFCs or learning about every protocol. It is easier to focus on whatever protocol you are working on at that time.
  2. Learn the display filters of whatever protocol analyzer you use. The correct display filter will make the patterns jump out at you.

I caution analysts about going capture filter crazy. Unless you know exactly what you are looking for, I try to leave the capture filter as 'open' as possible. My concern is that, given the unknowns inherent in troubleshooting, you may inadvertently filter out valuable packets.

A great example: you may decide to use a capture filter for a web server's IP address when capturing from the client. In this scenario you would miss any packets from the router or other devices along the way, such as an ICMP error packet sent to the client, and you would miss any traffic between the client and other servers.

In this example, I show you that the ip.addr display filter can be used for a subnet. You are probably familiar with this filter when filtering on a single device. What do you do if you need to filter on more than one host? The typical approach is to combine the ip.addr filter with an or. For example, ip.addr==192.168.1.1 or ip.addr==192.168.1.2 is one way to show traffic from two hosts.

Continue reading "IP Subnet Wireshark Display Filter (by Tony Fortunato)" »