wireshark basics
TRANSCRIPT
NDI Communications - Engineering & Training
Network Analysis Using Wireshark
Presented by: Yoram Orzach, NDI
Page 2
Chapter Content
A few words about troubleshooting tools
Wireshark – basics
Wireshark – advanced features
Case studies
Page 3
Network TS Tools
By the end of this lesson, you will be able to understand and
use:
1. PC tools – Ping, Tracert, Netstat, ARP …..
2. Access to communication equipment – Switches, Routers ….
3. Protocol analyzers – Wireshark (former Ethereal), Sniffer® …..
4. SNMP tools – SNMPc, Whatsup Gold, HP-OV NNM …..
5. Special tools – Netflow, SolarWinds …..
6. Dedicated analyzers – Agilent, Spirent, …..
Page 4
1. PC Tools - Ping, Tracert, Netstat, ARP …..
End-to-end basic connectivity
First “feeling” of the network behavior
To ISP
Page 5
2. Access to communication equipment – Switches, Routers, ….
Local data – counters in equipment itself
For local problem isolation
To ISP
Page 6
3. Protocol analyzers – Wireshark (former Ethereal), Sniffer® …..
Local, in-depth, packet-by-packet protocol analysis of network traffic
Network, hardware and application behavior
To ISP
Page 7
4. SNMP tools – SNMPc, Whatsup Gold, HP-OV NNM …..
Continuous monitoring and mapping
Events and notifications
Maps system
Mostly SNMP based
To ISP
Page 8
5. Special tools – Netflow, SolarWinds …..
Traffic analysis, engineering tools etc …
To ISP
Page 9
6. Dedicated analyzers – Agilent, Spirent, …..
Simulators, applications tests etc …
To ISP
Page 10
Where to Locate the Wireshark?
To ISP
For server monitoring: connect the laptop to the LAN switch, with port mirror to the monitored server
For WAN monitoring: connect the laptop to the LAN switch, with port mirror to the monitored router
For Internet connectivity monitoring: before or after the Firewall
Page 11
Chapter Content
A few words about troubleshooting tools
Wireshark – basics
Wireshark – advanced features
Case studies
Page 12
How to Connect to the Network
(diagram: monitoring port and monitored port on the LAN switch)
Test method: port monitor on the LAN switch; in parallel on a hub (if you have any)
Page 13
The Interface (Version 1.2.0)
Page 14
What can we do with it, and what we cannot?
What we can:
Capture packets
Watch smart statistics
Define filters – capture and display
Analyze problems
What we cannot:
It is not an automatic tool
It is not suitable for long-term monitoring
It is not a “magic” tool
Page 15
TCP/IP Protocol Stack - Reminder
OSI Layer 5-7: Telnet, SNMP, HTTP, FTP, DNS, SMTP
OSI Layer 4: TCP, UDP
OSI Layer 3: IP, ICMP; ARP
OSI Layer 1/2: Ethernet, Token Ring (T.R.), Frame Relay (F.R.), Dial-up, ISDN, ATM
Page 16
Data Structure
Layer 5-7: Over-head | Data | Err (Op.)
Layer 4:   Over-head | Data | Err (Op.)
Layer 3:   Over-head | Data | Err (Op.)
Layer 2:   Over-head | Data | Err (Op.)
Layer 1:   Data (bit stream)
Page 17
Data Structure
Page 18
Data Flow
Host - Eth. - Router - Public Data Network - Router - Eth. - Server
At the host, each layer wraps the data with its own overhead (OH) and error check (E):
  HTTP (L5/6/7):  OH | Data | E
  TCP (L4):       OH | Data | E
  IP (L3):        OH | Data | E
  Ethernet (L2):  OH | Data | E  -> bit stream on the wire
At each router the frame arrives as a bit stream, the L2 framing is replaced (Ethernet on the LAN, FR on the public data network), and the packet is sent on as a new bit stream.
Page 19
Frame Format – Ethernet II / 802.3
(field sizes in bytes)
Ethernet II:  PA (8) | Dest. Address (6) | Source Address (6) | Type (2) | Data + Pad | CRC (4)
              Type identifies the payload: IP, IPX, AppleTalk
IEEE 802.3:   PA (7) | SFD (1) | Dest. Address (6) | Source Address (6) | Length (2) | Data + Pad | CRC (4)
Page 20
Ethernet Frame Example
Page 21
IP Datagram Format
Bit stream on the wire:
  Ethernet (L2) header | IP (L3) header | TCP (L4) header | HTTP (L5/6/7) data | Ethernet trailer
This is the IP header (highlighted on the slide)
Page 22
IP Datagram Format
IP header (32-bit rows):
  Ver | Head. len | Type of service | Length
  16-bit identifier | flgs | Fragment offset
  Time to live | Upper layer | Internet checksum
  32-bit source IP address
  32-bit destination IP address
  Options (if any)
  Data (variable length, typically a TCP or UDP segment)
Ver: IP protocol version number
Head. len: header length (in bytes)
Type of service: “type” of data
Length: total datagram length (in bytes)
16-bit identifier, flgs, fragment offset: for fragmentation and reassembly
Time to live: max. no. of remaining hops (decremented at each router)
Upper layer: upper-layer protocol to which the payload is delivered
Options: e.g. timestamp, record route taken, specify list of routers to visit
Page 23
Page 24
IP Packet Example
Page 25
UDP Frame Structure
There are only four fields in the UDP header:
Source port, Destination port, Message length, Message checksum
UDP segment format (32-bit rows):
  source port # | dest port #
  length | checksum
  application data (message)
Length: in bytes of the UDP segment, including the header
Checksum: frame checksum
Page 26
TCP Message Structure
TCP segment format (32-bit rows):
  source port # | dest port #
  sequence number
  acknowledgement number
  head len | not used | U A P R S F | rcvr window size
  checksum | ptr urgent data
  Options (variable length)
  application data (variable length)
Port numbers
Sequence number: numbering of sent data
Ack numbers: to confirm data arrival
Flags:
  URG – Urgent data (generally not used)
  ACK – ACK # valid
  PSH – Push data now
  RST – Connection RESET
  SYN – Start session
  FIN – End session
rcvr window size: # of bytes rcvr is willing to accept
ptr urgent data: in case of URG, the pointer indicates the data location
Options
Page 27
TCP Packet Example
Page 28
Some Problems that Happened ….
1. A heavy load (nearly nothing works), from remote offices to the center
2. Very slow connection to an http server farm behind a load balancer
3. Slow DB server response
4. Slow application
5. Is it a problem?
Wait and see how they were solved
Page 29
Choose the Interface and Start the Capture
Page 30
And You Will Get:
Packet List
Packet Details
Packet Bytes
Page 31
Or – Define Capture Options
Buffer size – in order not to fill your laptop disk
Capture all packets on the network
Capture filter
Capture in multiple files
When to automatically stop the capture
Display options
Name resolution options
Page 32
And if you want to see some details:
Example (W-LAN): Received Signal Strength Indication (RSSI) and Link speed (BW)
Page 33
Example 1 – HTTP session Opened
SYN
SYN, ACK
ACK
Page 34
But why bother? Wireshark gives it to you!
Flow Graph: gives us a graphical flow, for a better understanding of what we see
Page 35
Here we go
Page 36
But What Happened Here ???
Retransmissions, Duplicate Ack, Previous segment loss …..
Page 37
Capture Filters
Capture Interfaces Options:
Filter examples:
  ether host 00:08:15:00:08:15
  host 192.168.0.1
  tcp port http
  tcp port 23 and src host 10.0.0.5
Page 38
Page 39
Example #2 – Capture traffic to www.ynet.co.il
Capture filter definition: host www.ynet.co.il
Page 40
Display Filters
Page 41
Example #3 – Filter Traffic Between Hosts
172.16.100.111
172.16.100.12
Port mirror to be configured from the laptop, to the Server port or the PC port
Page 42
Example #3 – Filter Traffic Between Hosts
ip.addr == 172.16.100.111 and ip.addr == 172.16.100.12
Page 43
Example #4 – Filter Traffic Between Hosts
To ISP
Port mirror to be configured from the laptop, to the router port
192.168.101.253
Page 44
Example #4 – Filter Traffic Between Hosts
ip.addr == 192.168.101.253
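Added example (not the deck's or Wireshark's code): a small evaluator for the display-filter subset used in Examples #3 and #4, run over constructed packets built from the two hosts of Example #3. It shows why "ip.addr == A and ip.addr == B" keeps both directions of a conversation, and why negating a match, "!(ip.addr == X)", is the form that excludes a host.

```python
"""Mini evaluator for the display-filter subset used in the deck (added example,
not Wireshark's code). ip.addr expands to both addresses of a packet and '=='
succeeds if ANY occurrence matches, so 'ip.addr == A and ip.addr == B' keeps
both directions of the A-B conversation. The packets below are constructed."""
import re

PACKETS = [  # constructed, using the two hosts of Example #3
    {"no": 1, "ip.src": "172.16.100.12", "ip.dst": "172.16.100.111"},
    {"no": 2, "ip.src": "172.16.100.111", "ip.dst": "172.16.100.12"},
    {"no": 3, "ip.src": "172.16.100.12", "ip.dst": "172.16.100.1"},
    {"no": 4, "ip.src": "172.16.100.1", "ip.dst": "172.16.100.200"},
]
TOKENS = re.compile(r"\(|\)|==|&&|\|\||!|[\w.]+")

def field_values(pkt, name):
    """Every occurrence of a field: ip.addr is both addresses of the packet."""
    if name == "ip.addr":
        return [pkt["ip.src"], pkt["ip.dst"]]
    return [pkt[name]] if name in pkt else []

def evaluate(expr, pkt):
    """True if 'expr' matches 'pkt'; supports ==, and/&&, or/||, not/! and ()."""
    toks = TOKENS.findall(expr)
    def term():  # 'not' term | '(' or_expr ')' | field '==' value
        t = toks.pop(0)
        if t in ("not", "!"):
            return not term()
        if t == "(":
            v = or_expr()
            toks.pop(0)  # the closing ')'
            return v
        op, value = toks.pop(0), toks.pop(0)
        return op == "==" and value in field_values(pkt, t)  # any occurrence
    def and_expr():
        v = term()
        while toks and toks[0] in ("and", "&&"):
            toks.pop(0)
            v = term() and v  # right side is always parsed, even if v is False
        return v
    def or_expr():
        v = and_expr()
        while toks and toks[0] in ("or", "||"):
            toks.pop(0)
            v = and_expr() or v
        return v
    return or_expr()

def apply_filter(expr, packets=PACKETS):
    """Frame numbers the display filter keeps."""
    return [p["no"] for p in packets if evaluate(expr, p)]
```

Whether "ip.addr != X" means that any occurrence differs or that all occurrences differ has changed between Wireshark versions, which is why the negated form is the reliable way to exclude a host.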
Page 45
Statistics – Protocol Hierarchy
Page 46
Statistics - Conversations
With some manipulation
Page 47
Statistics – Conversations - What can we do with it?
On Layer-2 (Ethernet) – To find and isolate broadcast storms
And then to go to the switch, and find the troublemaker
Page 48
Statistics – Conversations - What can we do with it?
On Layer-3/4 (TCP/IP) – To connect in parallel to the Internet router port, and check who is loading the line to the ISP
And then to go to him/her, and ask questions ……
Page 49
Statistics – I/O Graph
During an HTTP download, we see the following I/O graph:
Is it a problem, or just the way it works ???
Page 50
Saving and Manipulating Files
Save only displayed packets
Page 51
Saving and Manipulating Files
Save to XLS file
Page 52
And You Will Get:
Additional calculation for finding the DELAY
Page 53
Filtering a Specific TCP Stream
Page 54
Filtering a Specific TCP Stream
Page 55
Colorizing Specific Data
We want to watch a specific protocol throughout the capture file
Page 56
Colorizing Specific Data
Page 57
Colorizing Specific Data
Page 58
Colorizing Specific Data (TLS Connection Establishment)
Page 59
Chapter Content
A few words about troubleshooting tools
Wireshark – basics
Wireshark – advanced features
Case studies
Page 60
Analyze – Expert Info Composite
Page 61
What is Retransmission?
Page 62
Take a pen and paper (colors will help), and try to figure out what happened …
212.143.162.136 <-> 192.168.2.100
Frame 555, SEQ 725,  ACK 191     9.938940
Frame 600, SEQ 191,  ACK 1349   10.137339
Frame 601, SEQ 1643, ACK 1349   10.138715
Frame 602, SEQ 1349, ACK 3095   10.138757
Frame 603, SEQ 3095, ACK 1349   10.138860
Frame 604, SEQ 1349, ACK 3105   10.138757
Frame 639, SEQ 191,  ACK 1349   10.589888   <- Retransmission (of frame 600)
RTO expires: 10.589888 - 10.137339 = 0.4525 sec
Happens when: lost frame (RTO expires)
Cause: slow server/PC; errors / packet loss; sudden increase in delay
Page 63
What is DupAck (Duplicate Ack)?
212.143.162.136 <-> 192.168.2.100
Frame 555, SEQ 725,  ACK 191     9.938940
Frame 600, SEQ 191,  ACK 1349   10.137339
Frame 601, SEQ 1643, ACK 1349   10.138715
Frame 602, SEQ 1349, ACK 3095   10.138757
Frame 603, SEQ 3095, ACK 1349   10.138860
Frame 604, SEQ 1349, ACK 3105   10.138757
Frame 639, SEQ 191,  ACK 1349   10.589888   <- Retransmission; RTO expires: 10.589888 - 10.137339 = 0.4525 sec
Frame 640, SEQ 2023, ACK 3105   10.589923
Frame 641, SEQ 3095, ACK 1349   10.595574   <- DUPACK
Frame 642, SEQ 2023, ACK 3105   10.595610   <- DUPACK
Frame 644, SEQ 3105, ACK 2023   10.595574
Happens when: unexpected (not in order) sequence number
Cause: strong delay variations
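Added example, not code from the deck or from Wireshark: a simplified version of the two heuristics explained on the Retransmission and DupAck slides, run over a frame list constructed from the slide's table. The payload lengths and which of the two hosts sent each frame are assumptions made here; the frame numbers, SEQ/ACK values and timestamps are the slide's.

```python
"""Flag TCP retransmissions and duplicate ACKs in a decoded frame list (added
example: simplified versions of the two expert-info heuristics on the slides)."""
from typing import NamedTuple

A, B = "212.143.162.136", "192.168.2.100"  # the two hosts on the slide

class Frame(NamedTuple):
    no: int
    src: str
    seq: int
    ack: int
    length: int  # TCP payload bytes (assumed; the slide does not list them)
    time: float  # capture timestamp in seconds

# Constructed from the slide's table; which host sent each frame is assumed.
FRAMES = [
    Frame(555, B, 725, 191, 624, 9.938940),
    Frame(600, A, 191, 1349, 1452, 10.137339),
    Frame(601, A, 1643, 1349, 1452, 10.138715),
    Frame(602, B, 1349, 3095, 0, 10.138757),
    Frame(603, A, 3095, 1349, 0, 10.138860),
    Frame(604, B, 1349, 3105, 0, 10.138757),
    Frame(639, A, 191, 1349, 1452, 10.589888),  # same data as frame 600
    Frame(640, B, 2023, 3105, 0, 10.589923),
    Frame(641, A, 3095, 1349, 0, 10.595574),
    Frame(642, B, 2023, 3105, 0, 10.595610),
    Frame(644, A, 3105, 2023, 0, 10.595574),
]

def analyze(frames):
    """Return (retransmissions, dup_acks): retransmissions as tuples
    (frame, original frame, seconds since the original), dup_acks as frame numbers."""
    next_seq = {}    # per sender: highest seq + payload length seen so far
    last = {}        # per sender: its previous (non-retransmitted) segment
    first_seen = {}  # (sender, seq) of each data segment -> frame that sent it
    retrans, dups = [], []
    for f in frames:
        if f.length > 0 and f.seq < next_seq.get(f.src, 0):
            # data the sender already transmitted goes out again: RTO expired
            orig = first_seen[(f.src, f.seq)]
            retrans.append((f.no, orig.no, round(f.time - orig.time, 6)))
            continue  # a retransmission does not advance the sender's state
        if f.length > 0:
            first_seen.setdefault((f.src, f.seq), f)
            next_seq[f.src] = max(next_seq.get(f.src, 0), f.seq + f.length)
        elif f.src in last and (last[f.src].seq, last[f.src].ack) == (f.seq, f.ack):
            dups.append(f.no)  # empty segment re-acknowledging the same point
        last[f.src] = f
    return retrans, dups
```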
Page 64
Statistics – TCP Stream Graph
Page 65
Round-Trip Time Graph
RTT vs. sequence numbers gives us the time it takes to ACK every packet. In case of variations, it can cause DUPACKs and even retransmissions. Usually will happen on communication lines:
Over the Internet
Over cellular networks
Page 66
Time / Sequence Graph (Stevens) (#1)
(graph axes: Seq No [B] vs. Time [Sec])
Time / Sequence represents how sequence numbers advance with time. In a good connection (like in the example), the line will be linear. The angle of the line indicates the speed of the connection. In this example – fast connection.
Page 67
Time / Sequence Graph (Stevens) (#2)
(graph axes: Seq No [B] vs. Time [Sec])
In this case, we see a non-contiguous graph. Can be due to:
Severe packet loss
Server response (processing) time
Page 68
Example A - Stable Performance File Transfer
Page 69
Example A - Stable Performance File Transfer
A stable throughput of around 1MB/8Mb per second
It is important to test in parallel with an SNMP tool for channel capacity
Page 70
Example B – Non-Stable Performance Mail Transfer
Page 71
Example B – Non-Stable Performance File Transfer
Something happened here
(After ~5.25 seconds)
Page 72
Example B – Non-Stable Performance File Transfer
5.25 seconds after start of stream, we don’t see any connectivity problems – probably slow server/applications
Page 73
RTP Connectivity
(graph: stable stream; BW)
Page 74
Chapter Content
A few words about troubleshooting tools
Wireshark – basics
Wireshark – advanced features
Case studies
Page 75
Case Study #1 – Remote offices become very slow
To ISP
Test methodology: with SNMP, measure traffic to the center
Result – heavy traffic
With Wireshark, test who generates the traffic
192.168.110.0/24
Page 76
Case Study #1 – Remote offices become very slow
Page 77
Case Study #1 – Remote offices become very slow
WORM!!!
Page 78
Case Study #1 – Remote offices become very slow
You can see it also in: Statistics > Conversations > IPv4
Page 79
Case #2 – Slow HTTP Server Response
192.168.200.227
LB 192.168.3.50
192.168.1.58, 192.168.1.46, 192.168.1…..
192.168.2.138
Page 80
Case #2 - Client Side
Page 81
Case #2 - Server Side
Page 82
Case #3 – Slow DB Response
10.2.1.105 <-> 10.1.1.7
Frame Relay network (year 2000)
Page 83
Case #3 – Slow DB Response
Connection Establishment
Page 84
Case #3 – Slow DB Response
And more packets (900+ since beginning of connection)…
Page 85
Case #3 – Slow DB Response
And more packets (2000+ since beginning of connection)…
40 ms delay between packets
2000 packets * 40 ms = 80 sec application delay!!!
Page 86
Case #4 – Another Slow Application
Page 87
Case #4 – Another Slow Application
Analyze – Expert Info Composite gives us:
Something here stinks …..
Page 88
Case #4 – Another Slow Application
Strong RTT variations!!! (a problem with client-server)
Page 89
Case #4 – Another Slow Application
Page 90
Case #5 - Do we have a Problem ???
Page 91
Case #5 – and the Throughput Graph Shows …
Ooops …..
But, is it really a problem ???
Page 92
Case #5 – Expert Info Composite shows ….
Ooops …..
Nearly no events over here ……..
Page 93
Case #5 – This is what the application does ….
Interactive open/close, read/write application
This is what it requires from the network ….
Page 94
Case #6 – FTP over Cellular Connection
Page 95
Summary