
Wireshark, Tcpdump and Network Performance tools



This gives an overall idea about wireshark design and how to capture packets using wireshark, tcpdump and tshark. It also covers basics behind measuring network performance and tools to use such as bmon and iperf.


  1. Wireshark, Tcpdump and Network Performance Tools
     Sachidananda Sahu
  2. Agenda
     • Introduction
     • Why and how to analyse packets?
     • Fundamentals of analysing network packets
     • Packet analysis tools: tcpdump, tshark and Wireshark
     • Wireshark design framework
     • Analysing a protocol using Wireshark
     • Filters and statistics in Wireshark
     • Fundamentals of measuring network performance
     • Network performance measurement tools: bmon, iperf
     • Q & A
     • Conclusion
     • References
     Radisys Corporation - CONFIDENTIAL
  3. Introduction
     • In the present era most devices are connected to the internet.
     • They should always be AVAILABLE.
     • They should always be RELIABLE.
     • They should always PERFORM well.
     • Consider a simple home network.
     • Consider this real-world complex network.
     • Think about the situation when there is a problem in one device.
     • So we need tools
       - which help us to debug, monitor and analyse the data;
       - which can also measure performance and give us statistical information.
     Image sources: makeuseof.com, AFNOG meeting
  4. Why and how to analyse packets?
     • Why analyse?
       - Analyse network problems
       - Detect intrusion attempts
       - Identify network misuse
       - Content monitoring
       - Bandwidth usage analysis
       - Gathering network status
     • How to analyse?
       - Sniff the packets
       - Analyse the protocol/packets
       - Monitor the packets
     • Tools to analyse?
       - tcpdump, tshark, Wireshark
       - Nagios, Splunk, Total Network Monitor
       - And many more …
  5. Fundamentals of analysing network packets
     [Figures: visualisation of a packet in a system (NIC, OS buffer, application buffer, disk, switch); visualisation of data at the different layers (Matryoshka doll); places to analyse a packet]
  6. Packet analysis tools
     • Common points
       - They act as protocol analysers.
       - They understand the protocols and show us the traffic packet by packet.
       - They relate packets to each other to give information about the sequence of packets.
       - They apply filters so that only the packets of interest are analysed.
     • tcpdump
       - Unix-based command-line tool used to intercept packets.
       - Supports most protocols: TCP, UDP, ICMP and many more …
     • tshark
       - Also a Unix-based command-line tool.
       - Similar to tcpdump in behaviour and options.
       - Also supports extra protocols and additional options.
     • Wireshark
       - Graphical version of tcpdump/tshark.
       - Wireshark has both a Qt version and a GTK version of the GUI.
  7. Wireshark design framework
     [Figures: Wireshark traffic handling; Wireshark system overview]
  8. For the love of the command line … tcpdump/tshark options
     • -D: show all available interfaces
     • -i <interface>: capture on the given interface
       - tcpdump -i any <protocolname>
     • -w <FileToWrite>: write the capture to a file
     • -r <ReadFromFile>: read packets from a file instead of an interface
     • -Y <protocolname>: display filter (tshark)
     • -c <number of packets>: stop after that many packets
     • -V: show all details of each packet (tshark; tcpdump uses -v for verbose output)
     • capinfos <capture filename>: summary information about a capture file
     • tcpdump -i <interface> host <ipaddress>
     • tshark -q -z expert: shows packet statistics (expert information)
       - tshark -q -z expert,error
       - tshark -q -z expert,hosts
       - tshark -q -z io,stat,5
  9. For the love of the graphical interface …
     • Packet List panel
     • Packet Details panel
     • Packet Bytes panel
     • Packet filter
     Let's start Wireshark and see the packets your system is sending and receiving …
  10. Analysing a TCP-based application
     Fields of interest:
     • Source IP
     • Source port
     • Destination IP
     • Destination port
     • Data transmitted
     Image source: superuser.com
  11. Wireshark filters
     • Tools generally capture packets of all types (protocol/host/port etc.), most of which we are not interested in.
     • Filtering in the tools helps us to capture/view only the packets of interest.
     • Capture filter
       - Captures only the packets of interest; applied during the capture phase only.
       - Used to reduce the size of a raw packet capture.
       - A capture filter is exactly what we pass to tcpdump/tshark: tcpdump <protocolname>
       - Capture -> Capture Filters: add/delete or select predefined filters
       - host 192.168.10.2
       - tcp src port 9000
       - tcp port 9000 and not src host 192.168.10.2
     • Display filter
       - Captures everything but shows only the packets of interest; applied after everything has been captured.
       - Used to hide some packets from the packet list.
       - A display filter can be applied at any time in the Wireshark GUI.
       - ip.addr == 192.168.10.2
       - tcp.port in { 80, 12000, 24 }
       - tcp.port == 80 || tcp.port == 12000 || tcp.port == 24
  12. Wireshark statistics
     • Wireshark provides a wide range of network statistics:
       - number of captured packets in a session;
       - number of packets of a specific protocol (e.g. HTTP requests and responses) captured.
     • Statistics -> Summary: overall summary of the packet capture
     • Statistics -> Protocol Hierarchy: breakdown of the various protocols
     • Statistics -> Conversations: list of each individual "conversation" between endpoints
     • Statistics -> Endpoints: list of source and destination addresses
     • Statistics -> Service Response Time: the time between a request and its response
     • Statistics -> Flow Graph: shows the flow of traffic
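To make the layering of slide 5, the fields of interest of slide 10 and the display filter and statistics of slides 11 and 12 concrete, here is an added Python example. It is not code from the slides and not Wireshark's own implementation: it dissects a small classic pcap (built inline from constructed Ethernet/IPv4/TCP and UDP frames, so it runs offline), extracts the fields under Wireshark's own names (ip.src, ip.dst, tcp.srcport, tcp.dstport, payload), applies the equivalent of the display filter `tcp.port in { 80, 12000, 24 }`, and computes counts in the spirit of Statistics -> Protocol Hierarchy and Statistics -> Conversations. The sample addresses and payloads are constructed; the helper names are this example's own.

```python
import struct
import ipaddress
from collections import Counter

ETH_LEN = 14                # Ethernet II header: dst MAC, src MAC, EtherType
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def dissect(frame):
    """Peel one frame layer by layer (Ethernet -> IPv4 -> TCP/UDP), the Matryoshka
    doll of slide 5, and return the fields under Wireshark-style names."""
    pkt = {"frame.len": len(frame), "protocols": ["eth"]}
    if len(frame) < ETH_LEN or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return pkt                                    # not IPv4: stop at the link layer
    ihl = (frame[ETH_LEN] & 0x0F) * 4                 # IP header length, given in 32-bit words
    if ihl < 20 or len(frame) < ETH_LEN + ihl:
        return pkt                                    # malformed or truncated header: keep what we have
    total_len = struct.unpack_from("!H", frame, ETH_LEN + 2)[0]
    proto = frame[ETH_LEN + 9]
    pkt["protocols"].append("ip")
    pkt["ip.src"] = str(ipaddress.IPv4Address(frame[ETH_LEN + 12:ETH_LEN + 16]))
    pkt["ip.dst"] = str(ipaddress.IPv4Address(frame[ETH_LEN + 16:ETH_LEN + 20]))
    l4 = frame[ETH_LEN + ihl:ETH_LEN + total_len]     # trust the IP total length, not the frame size (padding)
    if proto == PROTO_TCP and len(l4) >= 20:
        sport, dport = struct.unpack_from("!HH", l4, 0)
        doff = (l4[12] >> 4) * 4                      # TCP data offset, in 32-bit words
        pkt["protocols"].append("tcp")
        pkt.update({"tcp.srcport": sport, "tcp.dstport": dport, "tcp.payload": l4[doff:]})
    elif proto == PROTO_UDP and len(l4) >= 8:
        sport, dport = struct.unpack_from("!HH", l4, 0)
        pkt["protocols"].append("udp")
        pkt.update({"udp.srcport": sport, "udp.dstport": dport, "udp.payload": l4[8:]})
    return pkt


def parse_pcap(data):
    """Walk a classic little-endian pcap with link type 1 (Ethernet) and dissect each record."""
    magic, = struct.unpack_from("<I", data, 0)
    linktype, = struct.unpack_from("<I", data, 20)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected a little-endian, microsecond, Ethernet pcap")
    packets, off = [], 24                             # 24-byte global header
    while off + 16 <= len(data):                      # 16-byte per-record header
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        packets.append(dissect(data[off:off + incl_len]))
        off += incl_len
    return packets


def filter_tcp_port(packets, ports):
    """Equivalent of the display filter `tcp.port in { ... }`: tcp.port matches either end."""
    return [p for p in packets
            if "tcp" in p["protocols"] and (p["tcp.srcport"] in ports or p["tcp.dstport"] in ports)]


def summarize(packets):
    """Rough counterparts of Statistics -> Protocol Hierarchy and Statistics -> Conversations."""
    hierarchy, conversations = Counter(), Counter()
    for p in packets:
        hierarchy.update(p["protocols"])
        for l4 in ("tcp", "udp"):
            if l4 in p["protocols"]:
                a = (p["ip.src"], p[f"{l4}.srcport"])
                b = (p["ip.dst"], p[f"{l4}.dstport"])
                conversations[(l4,) + tuple(sorted((a, b)))] += 1   # direction-agnostic key
    return {"protocol_hierarchy": hierarchy, "conversations": conversations}


# --- constructed sample capture (not a real trace) -------------------------------
def _frame(src, sport, dst, dport, payload, proto=PROTO_TCP):
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    if proto == PROTO_TCP:    # 20-byte TCP header, no options, PSH|ACK, checksum left at zero
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    else:                     # 8-byte UDP header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip + l4


def sample_capture():
    """Four constructed frames: an HTTP request/response pair, one other TCP packet, one UDP packet."""
    frames = [
        _frame("192.168.10.2", 51000, "10.0.0.5", 80, b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
        _frame("10.0.0.5", 80, "192.168.10.2", 51000, b"HTTP/1.1 200 OK\r\n\r\n"),
        _frame("192.168.10.2", 51001, "10.0.0.6", 9000, b"\x01\x02"),
        _frame("192.168.10.2", 5353, "224.0.0.251", 5353, b"\x00", proto=PROTO_UDP),
    ]
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = [struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return header + b"".join(records)


if __name__ == "__main__":
    pkts = parse_pcap(sample_capture())
    for p in filter_tcp_port(pkts, {80, 12000, 24}):
        print(p["ip.src"], p["tcp.srcport"], "->", p["ip.dst"], p["tcp.dstport"], p["tcp.payload"][:16])
    print(summarize(pkts))
```

The dissector deliberately slices the transport layer by the IP total length rather than the frame length, which is what keeps Ethernet padding out of the payload; it also stops gracefully (keeping the layers already decoded) when a header is truncated, which is the behaviour you want from any analyser fed hostile input.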
  13. Fundamentals of measuring network performance
     • It is the analysis and review of collective network statistics, to define the quality of service offered by the underlying computer network.
     • It helps to review, measure and improve the network services.
     • Broadly, network performance is measured by reviewing the statistics and metrics of the following parameters: speed, bandwidth, network delay/latency, data loss, throughput.
  14. Fundamentals of measuring network performance … (continued; figure)
  15. Fundamentals of measuring network performance
     • Terms for network performance and monitoring
       - Speed: the data rate the circuitry makes available
       - Network bandwidth or capacity: the available data transfer rate
       - Network throughput: the amount of data successfully transferred over the network in a given time
       - Network delay, latency and jitter: any network issue causing packet transfer to be slower than usual
       - Data loss and network errors: packets dropped or lost in transmission and delivery
       - Packets per second: the number of packets per second that can be processed before data is dropped
       - Connections per second: the rate at which a device can establish state for new connections
       - Transactions per second: the number of complete actions of a particular type that can be performed per second
       - Maximum concurrent connections: the total number of sessions (connections) for which a device can maintain state simultaneously
     • Tools for measuring network performance and monitoring
       - bmon, iperf, iftop, vnstat, nload etc. … and more at http://www.slac.stanford.edu/xorg/nmtf/nmtf-tools.html
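The terms on slide 15 become much clearer once computed from a real stream of probes, so here is an added Python example (not from the slides, and not iperf's code). It takes a receiver-side log of a UDP probe test, constructed inline with one lost packet and two packets whose transit time deviates from the norm, and derives throughput, packets per second, loss, mean one-way delay and jitter. The jitter is the smoothed inter-arrival estimator of RFC 3550 section 6.4.1, which is also the formula iperf reports for UDP runs; one-way delay as computed here assumes the sender and receiver clocks are synchronised, which is why tools usually report round-trip time instead. The record layout and function names are this example's own.

```python
from statistics import mean

# Constructed receiver log of a UDP probe: (seq, send_us, recv_us, payload_bytes).
# Ten 1000-byte probes were sent 10 ms apart. Seq 5 never arrived; seq 3 took 9 ms
# and seq 7 took 3 ms instead of the usual 5 ms one-way transit.
RECEIVED = [
    (0,     0,  5000, 1000),
    (1, 10000, 15000, 1000),
    (2, 20000, 25000, 1000),
    (3, 30000, 39000, 1000),
    (4, 40000, 45000, 1000),
    (6, 60000, 65000, 1000),
    (7, 70000, 73000, 1000),
    (8, 80000, 85000, 1000),
    (9, 90000, 95000, 1000),
]


def rfc3550_jitter(transits):
    """Smoothed inter-arrival jitter: for consecutive packets, D is the change in
    transit time and J += (|D| - J) / 16, as in RFC 3550 section 6.4.1."""
    jitter = 0.0
    for prev, cur in zip(transits, transits[1:]):
        d = abs(cur - prev)
        jitter += (d - jitter) / 16
    return jitter


def measure(records):
    """Slide-15 metrics for a list of received (seq, send_us, recv_us, nbytes) records."""
    if not records:
        raise ValueError("no packets received")
    by_arrival = sorted(records, key=lambda r: r[2])          # jitter is defined in arrival order
    seqs = [r[0] for r in records]
    expected = max(seqs) - min(seqs) + 1                      # sequence gaps reveal the losses
    interval_us = by_arrival[-1][2] - by_arrival[0][2]
    bits = sum(r[3] for r in records) * 8
    transits = [r[2] - r[1] for r in by_arrival]              # one-way delay per packet (needs synced clocks)
    per_second = 1_000_000 / interval_us if interval_us else float("inf")
    return {
        "throughput_bps": bits * per_second,
        "packets_per_second": len(records) * per_second,
        "loss_ratio": (expected - len(records)) / expected,
        "lost_seqs": sorted(set(range(min(seqs), max(seqs) + 1)) - set(seqs)),
        "mean_delay_us": mean(transits),
        "jitter_us": rfc3550_jitter(transits),
    }


if __name__ == "__main__":
    for name, value in measure(RECEIVED).items():
        print(f"{name:20s} {value}")
```

Two things worth noticing when reading the output: a single 4 ms excursion moves the RFC 3550 jitter by only a sixteenth of the change per packet, so the estimator reacts slowly and also decays slowly, and the loss figure depends entirely on sequence numbers, which is why UDP tests (iperf -u) can report loss while TCP tests only show it indirectly as reduced throughput.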
  16. bmon
     • A text-based bandwidth monitor and rate estimator which captures bandwidth-related statistics and displays them visually on the command line.
     • Installing
       - sudo apt-get install bmon
       - Repo: https://github.com/tgraf/bmon
       - man bmon
     • Options
       - -p: specific interface(s)
       - -r: read interval from the input source
       - -R: update rate per counter
     • Input modules: netlink, proc, netstat
     • Output modules: curses, ascii, format, null
     • Usage
       - bmon -p eth0,eth1
       - bmon -p eth0 -R 5
       - bmon -p 'eth*,!eth2' (quoted so the shell does not expand the glob)
  17. iperf
     • It measures the bandwidth and the quality of a network link. JPerf does the same with an additional graphical interface.
     • It creates TCP, UDP and SCTP data streams, tunable via various parameters, and reports the network's bandwidth, delay, jitter and data-loss values.
     • The currently maintained version is iperf3
       - Source code: https://github.com/esnet/iperf
       - sudo apt-get install iperf3
     • iperf3 options
       - -s: run as server
       - -c: run as client
       - -t: test duration
       - -i: periodic interval report
       - -f [kmKM]: output format
       - -d, -r: bi-directional bandwidths
       - -p: specific port number
       - -w: TCP window size
       - -b: bandwidth setting
       - -u: use UDP
       - -M: maximum segment size
       - -P: parallel streams
  18. iperf usage
     • Server: iperf3 -s
     • Client: iperf3 -c <serverIp>
     • iperf3 -c <serverIp> -f K
     • iperf3 -c <serverIp> -r
     • iperf3 -c <serverIp> -d
     • iperf3 -c <serverIp> -t 15
     • iperf3 -c <serverIp> -i 2
     • iperf3 -c <serverIp> -w 1200
     • iperf3 -c 10.1.1.1 -P 2
     • Server on another port: iperf3 -s -p 8001; client: iperf3 -c <serverIp> -p 8001
     • iperf3 -c <serverIp> -u -b 1M
     • Server: iperf3 -s; client: iperf3 -c <serverIp> -M 1300 -m
     • UDP server: iperf3 -s -u
  19. Q & A
  20. Conclusion
     • Tools help us to debug the network better.
     • Tools help us to understand the problem.
     • Tools help us to know the current performance.
     • Tools help us to know about usage and utilisation.
     • Tools help us to know about any security issues present in the network.
     • Tools help us to experiment with new network technologies.
  21. References
     • www.wireshark.com
     • www.iperf.fr
     • https://www.tecmint.com/
     • http://www.cisco.com/c/en/us/about/security-center/network-performance-metrics.html
     • https://openmaniak.com/
     • SharkFest 2014, Andrew Brown
     • Man pages of tcpdump, wireshark, bmon, iperf
     • Cliff Zou's Wireshark lecture
     • Rich Macfarlane's lab
     • Packet analysis using Wireshark by Lisa Bock, Pennsylvania College of Technology
     • Wireshark 101 slides by Ravi Bhoraskar and the book by Laura Chappell
     • Some images and texts borrowed/stolen generously from all over the internet
     • and some personal experience …
  22. Life is easy with Wireshark … Happy Wiresharking
  23. Thank You

Speaker notes

  • The second is to serve as a general-purpose platform that is capable of delivering a wide range of innovative services.
  • [Sachidananda]
    1> The network interface card and the link-layer driver connect the system to a network.
    2> In addition to the link-layer driver (PCI-E Ethernet), Wireshark uses a special link driver (WinPcap or libpcap) which provides access to the raw data from the network.
    3> Frames are passed up from the network, through one of these special link-layer drivers, directly into Wireshark's capture engine (dumpcap).
    4> The capture engine passes frames up to the core engine, which uses the dissectors to translate the incoming bytes into human-readable frames.
    5> It even breaks the frame down into its parts to give an in-depth analysis. The graphical toolkit provides the cross-platform interface for Wireshark, so the same capture file can be viewed on multiple platforms.
    6> The Wiretap library handles the input/output functions for saved trace files and delivers their frames to the core engine.
