63 posts categorized "Wireshark"

Wireshark Decode As Feature (By Tony Fortunato)

Wireshark does a great job of identifying, decoding, dissecting, and presenting packets and their associated protocols.

Every so often, though, you may find that Wireshark doesn't figure out the protocol and leaves you with a bunch of undissected TCP or UDP packets.

In this video I show how to quickly teach Wireshark what the protocol should be.

Even if you don’t know the protocol, you might be able to look in the Bytes pane to figure out what it should be.

Enjoy.





Linkedin Profile http://ca.linkedin.com/in/fortunat

Lovemytool Blog: http://www.lovemytool.com/blog/tony-fortunato/

Network Computing Blog: http://www.networkcomputing.com/author-bio.asp?author_id=2332

Garland Technology Blog: http://www.garlandtechnology.com/blog/author/tony-fortunato

Youtube Channel: http://www.youtube.com/user/thetechfirm

Google Plus: http://plus.google.com/+Thetechfirmplus


Lessons from Sharkfest US 2017 (by Chris Greer)


Sharkfest turned 10!

Last month, hundreds of Wireshark users, developers, and trainers came together for the 10th annual Sharkfest conference at Carnegie Mellon University in Pittsburgh. Packet-heads from all over the globe could mix and mingle with the likes of Gerald Combs, Laura Chappell, Jasper Bongertz, and Hansang Bae, just to name a few.

For me, Sharkfest is always a highlight of the year. Where else can you ditch the trade-show marketing super-hype and just get down to the wire with the world’s best packet analysts? Network engineers should definitely put this event on their bucket lists, no matter what their experience level with Wireshark and packet analysis.

In recent years, the fine folks who host Sharkfest have approved of having the sessions recorded, making them available on demand. If you have not yet done so, stop by the Sharkfest retrospective page to check out some of the sessions – sharkfest.wireshark.org/sf17

Suggested sessions:

  1. Hansang Bae always does a great job of showing real-world scenarios of how to packet dig. In his session he goes into some case studies of rare packet-level issues that engineers face today. His session video is not yet on the page but I’m sure it soon will be.
  2. Kary Rogers from Packetbomb did a practical session on Understanding Throughput and TCP Windows. Be sure to check that one out – recording available.
  3. Betty DuBois did a very nice session for newbies entitled “Rookie to Vet in 75 minutes”. Although the session recording is not yet available, she did an awesome job on her presentation – definitely check it out!

My notes:

Continue reading "Lessons from Sharkfest US 2017 (by Chris Greer)" »


Network Troubleshooting Tip - Using Markers to Cut Trace Analysis Time (by Paul Offord)

When we get to the point in an investigation where we are about to break out Wireshark, the complexity of the packet analysis can seem quite daunting. And yet, by covering a few key points, we can dramatically cut the time needed to analyze any diagnostic data.

In my previous post we looked at the importance of a basic understanding of the topology of the system under investigation. In this blog I'll cover the use of markers: a ridiculously simple, but amazingly powerful, concept. A marker places a distinctive packet in network packet trace data that we can easily find with Wireshark.

The RPR manual contains six pages of information on markers, covering suggested markers and what to use them for. If you haven't used markers before you are in for a real treat. Once you get the hang of them, you'll wonder how you ever did without them.

Let's imagine you've been investigating an intermittent slow response time problem for a bunch of users. Nobody is quite sure what's causing the problem, although the application and platform teams insist it's not them. You know the drill; if the cause isn't obvious it must be the network, right?


Luckily, a user experienced the problem this morning, and you had packet traces running. The bad news is that you have 500 GB of trace data (about 5 billion packets) and the user is vague about the time of the problem.

The first strategy ...

Continue reading "Network Troubleshooting Tip - Using Markers to Cut Trace Analysis Time (by Paul Offord)" »


Saving Specific Packets With Wireshark (by Tony Fortunato)

I’ve received a few requests to update some of the Wireshark basic skill videos since the user interface has changed in version 2.

I just got an email from a new Wireshark user asking how to save packets that result from a display filter.

In this video I cover that procedure, and I look forward to creating more updated videos.


The Payoff of having a double sided capture! (by Mike Motta)

The complaint came in that it was taking from 4 to 20 minutes to transfer data.

Why is the network slow?  Is it the network?

Could it be the infamous SNAIL problem?


At first the client sent me a trace only from the client side. The trace file showed packets out of order and some retransmissions, along with low TCP windows. I asked the client if it was possible to get a capture from both sides, client and server, and the answer was "yes". (In my world that is the best way to eliminate any magic!)

First: I looked at the server side trace file. It showed the server retransmitting over a thousand times. (Uh oh.)

By having both sides I was able to prove that the server did indeed send the packet but the client did not receive it.

We can also see that they are 5 hops from each other, which means something in between is dropping packets.

Next: it is time to interrogate router interfaces and firewall interfaces for discards or drops.

Watch this video for the problem visibility process that guides us to the issue: https://youtu.be/WW0SjeeteK8

Get a TAP to see every bit of your Data!

Continue reading "The Payoff of having a double sided capture! (by Mike Motta)" »


Are My Packets Lying? – Four Things To Look For In Packet Traces (by Chris Greer)


Packets don’t lie – well, most of the time.

Packets will tell you the truth unless they have been captured incorrectly. In those cases, packets can tell bald-faced lies.

When digging through trace files, we can come upon symptoms in the packets that may raise an eyebrow. These are events that look strange on the surface and may even divert our troubleshooting focus for a time. In fact, some of these issues have misdirected engineers for hours, if not days, causing them to chase down issues and events that simply did not exist on the wire.

Most of these examples can be avoided simply by capturing the packets from a tap rather than on the machine generating the traffic. Come on, you know you have needed a tap for a while! Just spring for one and capture correctly next time. By the way, when you do make that decision, check out our buddies at Garland Technology. They make great stuff and they are nice people too!

  1. Very large packets

Continue reading "Are My Packets Lying? – Four Things To Look For In Packet Traces (by Chris Greer)" »