Wireshark workshop with basic functions and tips for troubleshooting network problems.

1. Wireshark Workshop
Fabio Rosa / Systems Engineer

2. What is it?!







World’s most famous network protocol analyzer
Powerful live-capture and display filter
Used to be “Ethereal”
Deep inspection of hundred of protocols, and more being
added each day…
Multi-platform, runs on Windows, Linux, OS, Solaris, FreeBSD,
NetBSD,VxWorks, Android, and much more.
Open/save many capture formats: tcpdump (libpcap), Microsoft
Network Monitor, and proprietary (WildPackets *peek, CA
Sniffer, RADCOM, and many others)
The sponsorship (CACE) recently owned by Riverbed. (Don’t
want to talk about it…)

3. Agenda:










Tool introduction
The Capture Screen
Performing a Simple Capture
Capture options (promiscuous mode, name resolution,
buffer size, etc…)
Display Filters
Sample Capture - DNS and HTTP (www.ebay.com)
Sample Capture - ICAP
Annex A – Handling Duplicate Packets
Annex B – Useful Websites
Annex C – HTTP Status Codes.

4. Introduction


It’s a Network Analyzer!
Will capture network packets and display them as
detailed as possible

Custom Capture: All packets destined to the WS Wkst.


Good to sniff traffic intended to the PC or server where Wireshark is
installed
Promiscuous mode: All packets on the wire



Good to sniff communication between multiple devices (ex. From
Proxy, sniff DNS, Client, OCS, and so on…) / Diagnose problems.
Can be captured on a mirrored port, SPAN or Network TAP for full
network visibility.
How it works? Network If. Uses the L2 address of FF:FF:FF:FF:FF:FF
and parses all packets on the wire, instead of dropping the packets
intended to other network devices.

5. The Capture Screen
Captured Packet List
Protocol Decode
HEX Decode

6. Simple Capture

7. Capture Options
Enable Promiscuous mode
Limit packet size, if you
don’t want to analyze the
payload. (Only headers)
Personalize Display options
Personalize Name
Resolution
-
MAC: vendor list (very useful)
Network: RDNS resolution
Do not enable … can slow
down things
Transport: Protocol name (very
useful)

8. Display Filters


Use the filter box to
enter the filter
expression
The expressions can
be saved into the
Filter Profile, for
future use.

9. Display Filters (cont.)

Filter Expression example:

Ethernet




Internet Protocol




Ip.addr ==
Ip.src / Ip.dst ==
Ip.dsfield == 0x00
TIP
• You can see the whole expression list
using the “Expression” box on the
toolbar
• Its possible to search options using the
“/” key
• Use Boolean operators (AND, OR,
NOT)
TCP


Eth.addr ==
Eth.src / Eth.dst ==
Eth.vlan.id ==
Tcp.flag.syn / tcp.flag.ack / tcp.flag.fin == 0 or 1
Application or Protocol

HTTP, DNS, ICAP, ICMP, SOCKS…

In case a protocol is being decoded by a wrong “dissector” you can change it
with the “Decode As…” option.

10. Display Filters (cont. 2)

You can create filters based on the options, selected
directly from the packet capture.

Apply as a Filter


Prepare as a Filter


The filter is applied with the selected parameter
The filter expression is written at the “Filter” bar on the top.
Colorize as a Filter

The packets matched by the filter can be colorized with custom
colors.

11. Sample Capture #1









Capture: Open www.ebay.com at the browser
Open Summary (check throughput, size, packets)
Select: “Follow TCP Stream”
Configure “Manually Resolve Address”
Configure the “Delta Time” column – Check server
response time.
Show “Statistics > Endpoints”
Show “Statistics > Conversations”
Show “Statistics > IO Graphs”
Extract HTTP objects from the capture “File > Export >
Objects > HTTP”

12. Sample Capture #2









Open Capture with ICAP example
Check Origin and Destination Address
Configure “Manually Resolve Address” for Proxy, AV and
DNS
Create a Display Filter for ICAP traffic only
Check server response time on “Delta Time”
Select a session and “Follow TCP Stream”
Open Summary (check throughput, size, packets)
Check server requests, response and health-check.
Its also possible to retrieve HTTP objects from an ICAP
connection.

13. Annex A: Duplicate Packets

Dup. Packets due to Network Retransmission


If a sending host thinks a packet is not transmitted correctly
because of Packet Loss, it might Retransmit that packet. The
receiving host might already got the first packet, and will
receive a second one, which is a duplicated packet.
To remove this packets use the filter:


not tcp.analysis.duplicate_ack and not tcp.analysis.retransmission
Dup. Packets due to Routing or switching loop.


This packets can be seen when sniffing trough a mirrored port
or network TAP.
Use the “editcap.exe” at %ProgramFiles%/Wireshark/ to
remove them.

Example: editcap -d capture.pcap dedup.pcap

14. Annex B: Useful Websites

Download Wireshark!

www.wireshark.org


This workshop was created using version 1.6.0
Capture examples:

http://wiki.wireshark.org/SampleCaptures


The SampleCapture area at the wireshark.com website has a good list
of capture examples.
http://packetlife.net/captures/

One of the greatest IT/Telecom blogs … offer great capture examples
and Network Posters with protocol detail.

15. Annex C - HTTP Status Codes


1xx – Informational
Codes
2xx – Success






200 OK

3xx – Redirection





300 Multiple
Choices
301 Moved
Permanently
302 Found
304 Not Modified
307 Temporary
Redirect
4xx – Client Error


400 Bad Request
401 Unauthorized
403 Forbidden
404 Not Found
410 Gone
5xx – Server Error




500 Internal Server
Error
501 Not
Implemented
503 Service
Unavailable
550 Permission
denied

16. Questions?