Wireshark Basics

Uploaded by: yoram-orzach, posted on 15-Apr-2017

TRANSCRIPT

Page 1: Wireshark Basics

NDI Communications - Engineering & Training

Network Analysis Using Wireshark

Presented by: Yoram Orzach, NDI

Page 2

Chapter Content

A few words about troubleshooting tools

Wireshark – basics

Wireshark – advanced features

Case studies

Page 3

Network TS Tools

By the end of this lesson, you will be able to understand and use:

1. PC tools – Ping, Tracert, Netstat, ARP …

2. Access to communication equipment – Switches, Routers …

3. Protocol analyzers – Wireshark (formerly Ethereal), Sniffer® …

4. SNMP tools – SNMPc, WhatsUp Gold, HP-OV NNM …

5. Special tools – Netflow, SolarWinds …

6. Dedicated analyzers – Agilent, Spirent, …

Page 4

1. PC Tools – Ping, Tracert, Netstat, ARP …

End-to-end basic connectivity

First “feeling” of the network behavior

Page 5

2. Access to communication equipment – Switches, Routers, …

Local data – counters in the equipment itself

For local problem isolation

Page 6

3. Protocol analyzers – Wireshark (formerly Ethereal), Sniffer® …

Local, in-depth, packet-by-packet protocol analysis of network traffic

Network, hardware and application behavior

Page 7

4. SNMP tools – SNMPc, WhatsUp Gold, HP-OV NNM …

Continuous monitoring and mapping

Events and notifications

Maps system

Mostly SNMP based

Page 8

5. Special tools – Netflow, SolarWinds …

Traffic analysis, engineering tools etc.

Page 9

6. Dedicated analyzers – Agilent, Spirent, …

Simulators, application tests etc.

Page 10

Where to Locate Wireshark?

(Diagram: LAN switch with the monitored server and router, firewall, link to the ISP)

For server monitoring: Connect the laptop to the LAN switch, with port mirror to the monitored server

For WAN monitoring: Connect the laptop to the LAN switch, with port mirror to the monitored router

For Internet connectivity monitoring: Before or after the Firewall

Page 11

Chapter Content

A few words about troubleshooting tools

Wireshark – basics

Wireshark – advanced features

Case studies

Page 12

How to Connect to the Network

(Diagram: LAN switch with a monitoring port, to which the laptop connects, and a monitored port)

Test method: Port monitor on the LAN switch, or in parallel on a hub (if you have one)

Page 13

The Interface (Version 1.2.0)

Page 14

What can we do with it, and what can we not?

What we can:

Capture packets

Watch smart statistics

Define filters – capture and display

Analyze problems

What we cannot:

It is not an automatic tool

It is not suitable for long-term monitoring

It is not a “magic” tool

Page 15

TCP/IP Protocol Stack - Reminder

OSI Layer 5-7: Telnet, SNMP, HTTP, FTP, DNS, SMTP

OSI Layer 4: TCP, UDP

OSI Layer 3: IP, ICMP (ARP alongside)

OSI Layer 1/2: Ethernet, T.R. (Token Ring), F.R. (Frame Relay), Dial-Up, ISDN, ATM

Page 16

Data Structure

(Diagram: the unit of every layer is Over-head | Data | Err (Op.), i.e. a header, the payload, and an optional error-check trailer)

Layer 5-7: Over-head | Data | Err (Op.)

Layer 4: Over-head | Data | Err (Op.)

Layer 3: Over-head | Data | Err (Op.)

Layer 2: Over-head | Data | Err (Op.)

Layer 1: Data

Page 17

Data Structure

Page 18

Data Flow

(Diagram: Host – Router – Public Data Network – Router – Server; Ethernet on the LAN segments at both ends, FR across the public data network)

At each node the data is encapsulated as OH | Data | E at every layer:

HTTP (L-5/6/7)

TCP (L4)

IP (L3)

Ethernet (L2) on the LAN segments, FR (L2) across the public data network

Bit stream

Page 19

Frame Format – Ethernet II / 802.3

Ethernet II (field sizes in bytes):

PA (8) | Dest. Address (6) | Source Address (6) | Type (2) | Data + Pad | CRC (4)

Type identifies the upper-layer protocol: IP, IPX, AppleTalk

IEEE 802.3 (field sizes in bytes):

PA (7) | SFD (1) | Dest. Address (6) | Source Address (6) | Length (2) | Data + Pad | CRC (4)

Page 20

Ethernet Frame Example

Page 21

IP Datagram Format

(Diagram: encapsulation reminder – HTTP (L-5/6/7) inside TCP (L4) inside IP (L3) inside Ethernet (L2), sent as a bit stream; the IP header is highlighted)

This is the IP header

Page 22

IP Datagram Format (32 bits wide)

Ver – IP protocol version number

Head. len – Header Length (in bytes)

Type of service – “Type” of data

Length – Total datagram length (in bytes)

16-bit identifier, flgs, Fragment offset – For fragmentation and reassembly

Time to live – Max. no. remaining hops (decremented at each router)

Upper layer – Upper layer protocol to which payload is delivered

Internet checksum

32 bit source IP address

32 bit destination IP address

Options (if any) – E.g. timestamp, record route taken, specify list of routers to visit

Data (variable length, typically a TCP or UDP segment)

Page 23

Page 24

IP Packet Example

Page 25

UDP Frame Structure

There are only four fields in the UDP header:

Source port

Destination port

Message length

Message checksum

UDP segment format (32 bits wide):

source port # | dest port #

length | checksum

Application data (message)

Length: in bytes of the UDP segment, including the header

Checksum: frame checksum

Page 26

TCP Message Structure (32 bits wide)

source port # | dest port #

sequence number

acknowledgement number

head len | not used | U A P R S F | rcvr window size

checksum | ptr urgent data

Options (variable length)

application data (variable length)

Port Numbers

Sequence number – Numbering of sent data

Acknowledgement number – Ack numbers to confirm data arrival

rcvr window size – # of bytes rcvr is willing to accept

Flags:

URG – Urgent data (generally not used)

ACK – ACK # valid

PSH – Push data now

RST – Connection RESET

SYN – Start session

FIN – End session

ptr urgent data – In case of URG, the pointer indicates the data location

Options
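As an added example (not code from the slides), the following Python walks an Ethernet II frame through the IPv4 and TCP/UDP headers laid out on pages 19, 22, 25 and 26, returning the fields named there and checking the Internet checksum of the IP header. The sample frame is constructed here: it reuses the 00:08:15:00:08:15 MAC and the 172.16.100.111 / 172.16.100.12 addresses that appear later in the deck, while the source MAC, source port and function names are my own.

```python
import struct

TCP_FLAGS = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]   # bit 0 .. bit 5 of the flags field

def ipv4_checksum(header: bytes) -> int:
    """Internet checksum (RFC 1071) over the IP header with its checksum field zeroed."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def dissect(frame: bytes) -> dict:
    """Ethernet II -> IPv4 -> TCP/UDP, returning the header fields the slides name."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    out = {"eth.dst": dst.hex(":"), "eth.src": src.hex(":"), "eth.type": ethertype}
    if ethertype != 0x0800:                 # only IPv4 payloads are dissected here
        return out
    ip = frame[14:]
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum = struct.unpack("!BBHHHBBH", ip[:12])
    ihl = (ver_ihl & 0x0F) * 4              # header length is carried in 32-bit words
    out.update({"ip.version": ver_ihl >> 4, "ip.hdr_len": ihl, "ip.tos": tos, "ip.len": total_len,
                "ip.id": ident, "ip.flags.df": bool(flags_frag & 0x4000),
                "ip.frag_offset": flags_frag & 0x1FFF, "ip.ttl": ttl, "ip.proto": proto,
                "ip.src": ".".join(map(str, ip[12:16])), "ip.dst": ".".join(map(str, ip[16:20]))})
    # recompute the checksum with the field zeroed; a mismatch means a damaged header
    out["ip.checksum_ok"] = ipv4_checksum(ip[:10] + b"\x00\x00" + ip[12:ihl]) == csum
    l4 = ip[ihl:total_len]
    if proto == 6:                          # TCP
        sport, dport, seq, ack, off_flags, win, _csum, urg = struct.unpack("!HHIIHHHH", l4[:20])
        out.update({"tcp.srcport": sport, "tcp.dstport": dport, "tcp.seq": seq, "tcp.ack": ack,
                    "tcp.hdr_len": (off_flags >> 12) * 4, "tcp.window": win, "tcp.urgent_pointer": urg,
                    "tcp.flags": [name for bit, name in enumerate(TCP_FLAGS) if off_flags & (1 << bit)]})
    elif proto == 17:                       # UDP: only the four header fields from page 25
        sport, dport, ulen, _csum = struct.unpack("!HHHH", l4[:8])
        out.update({"udp.srcport": sport, "udp.dstport": dport, "udp.length": ulen})
    return out

def build_sample_syn() -> bytes:
    """Constructed TCP SYN 172.16.100.111:51000 -> 172.16.100.12:80 (not captured from the slides)."""
    eth = bytes.fromhex("000815000815") + bytes.fromhex("0050560a0b0c") + b"\x08\x00"
    tcp = struct.pack("!HHIIHHHH", 51000, 80, 1000, 0, (5 << 12) | 0x002, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     bytes([172, 16, 100, 111]), bytes([172, 16, 100, 12]))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]   # fill in the checksum field
    return eth + ip + tcp
```

The returned keys mirror Wireshark's display-filter field names, so the same values can be cross-checked against the Packet Details pane of a real capture.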

Page 27

TCP Packet Example

Page 28

Some Problems that Happened …

1. A heavy load (nearly nothing works), from remote offices to the center

2. Very slow connection to an HTTP server farm behind a load balancer

3. Slow DB server response

4. Slow application

5. Is it a problem?

Wait and see how they were solved

Page 29

Choose the Interface and Start the Capture

Page 30

And You Will Get:

Packet List

Packet Details

Packet Bytes

Page 31

Or – Define Capture Options

Buffer size – in order not to fill your laptop disk

Capture all packets on the network

Capture filter

Capture in multiple files

When to automatically stop the capture

Display options

Name resolution options

Page 32

And if you want to see some details:

Example (W-LAN): Received Signal Strength Indication (RSSI) and Link speed (BW)

Page 33

Example 1 – HTTP session Opened

SYN

SYN, ACK

ACK

Page 34

But why bother? Wireshark gives it to you!

Flow Graph: gives us a graphical flow, for a better understanding of what we see

Page 35

Here we go

Page 36

But What Happened Here ???

Retransmissions, Duplicate Ack, Previous segment loss …..

Page 37

Capture Filters

Capture Interfaces Options:

Filter examples:

ether host 00:08:15:00:08:15

host 192.168.0.1

tcp port http

tcp port 23 and src host 10.0.0.5

Page 38

Page 39

Example #2 – Capture traffic to www.ynet.co.il

Capture filter definition: host www.ynet.co.il

Page 40

Display Filters

Page 41

Example #3 – Filter Traffic Between Hosts

(Diagram: hosts 172.16.100.111 and 172.16.100.12 on a LAN switch)

Port mirror to be configured from the laptop, to the server port or the PC port

Page 42

Example #3 – Filter Traffic Between Hosts

ip.addr == 172.16.100.111 and ip.addr == 172.16.100.12

Page 43

Example #4 – Filter Traffic Between Hosts

(Diagram: LAN with a router towards the ISP; address 192.168.101.253)

Port mirror to be configured from the laptop, to the router port

Page 44

Example #4 – Filter Traffic Between Hosts

ip.addr == 192.168.101.253

Page 45

Statistics – Protocol Hierarchy

Page 46

Statistics - Conversations

With some manipulation

Page 47

Statistics – Conversations - What can we do with it?

On Layer-2 (Ethernet) – To find and isolate broadcast storms

And then to go to the switch, and find the troublemaker

Page 48

Statistics – Conversations - What can we do with it?

On Layer-3/4 (TCP/IP) – To connect in parallel to the Internet router port, and check who is loading the line to the ISP

And then to go to him/her, and ask questions ……

Page 49

Statistics – I/O Graph

During an HTTP download, we see the following I/O graph:

Is it a problem, or just the way it works ???

Page 50

Saving and Manipulating Files

Save only displayed packets

Page 51

Saving and Manipulating Files

Save to XLS file

Page 52

And You Will Get:

Additional calculation for finding the DELAY

Page 53

Filtering a Specific TCP Stream

Page 54

Filtering a Specific TCP Stream

Page 55

Colorizing Specific Data

We want to watch a specific protocol throughout the capture file

Page 56

Colorizing Specific Data

Page 57

Colorizing Specific Data

Page 58

Colorizing Specific Data (TLS Connection Establishment)

Page 59

Chapter Content

A few words about troubleshooting tools

Wireshark – basics

Wireshark – advanced features

Case studies

Page 60

Analyze – Expert Info Composite

Page 61

What is Retransmission?

Page 62

Take a pen and paper (colors will help), and try to figure out what happened …

Conversation between 212.143.162.136 and 192.168.2.100:

Frame 555, SEQ 725, ACK 191, time 9.938940

Frame 600, SEQ 191, ACK 1349, time 10.137339

Frame 601, SEQ 1643, ACK 1349, time 10.138715

Frame 602, SEQ 1349, ACK 3095, time 10.138757

Frame 603, SEQ 3095, ACK 1349, time 10.138860

Frame 604, SEQ 1349, ACK 3105, time 10.138757

Frame 639, SEQ 191, ACK 1349, time 10.589888 – Retransmission

RTO expires: 10.589888 - 10.137339 = 0.4525 sec

Happens when: Lost frame (RTO expires)

Cause: Slow server/PC; Errors / packet loss; Sudden increase in delay

Page 63

What is DupAck (Duplicate Ack)?

Conversation between 212.143.162.136 and 192.168.2.100:

Frame 555, SEQ 725, ACK 191, time 9.938940

Frame 600, SEQ 191, ACK 1349, time 10.137339

Frame 601, SEQ 1643, ACK 1349, time 10.138715

Frame 602, SEQ 1349, ACK 3095, time 10.138757

Frame 603, SEQ 3095, ACK 1349, time 10.138860

Frame 604, SEQ 1349, ACK 3105, time 10.138757

Frame 639, SEQ 191, ACK 1349, time 10.589888 – Retransmission

RTO expires: 10.589888 - 10.137339 = 0.4525 sec

Frame 640, SEQ 2023, ACK 3105, time 10.589923

Frame 641, SEQ 3095, ACK 1349, time 10.595574

Frame 642, SEQ 2023, ACK 3105, time 10.595610

Frame 644, SEQ 3105, ACK 2023, time 10.595574

DUPACK (two duplicate acknowledgements are marked on the slide)

Happens when: Unexpected (not in order) sequence number

Cause: Strong delay variations
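The two rules behind the markings on pages 62 and 63 (a segment resent after the RTO expires; an ACK that repeats the previous ACK number without new data) as an added Python example, not code from the slides. The segment list is constructed here: it keeps the two hosts and the 10.137339 / 10.589888 timestamps from the slides but simplifies the sequence numbers so that the loss and the duplicate ACKs are unambiguous; the function and field names are my own.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class Seg:
    frame: int
    time: float     # capture timestamp in seconds
    src: str        # sending host
    seq: int        # relative sequence number
    ack: int        # relative acknowledgement number
    length: int     # TCP payload bytes; 0 for a pure ACK

def analyze(segs: List[Seg]) -> List[Tuple[int, str, float]]:
    """Return (frame, event, value). Retransmission: a data segment whose SEQ is below what
    its sender already sent; value is the time since that SEQ was first sent (the RTO on the
    slide). DupAck: a zero-length segment repeating the sender's previous ACK; value = count."""
    events: List[Tuple[int, str, float]] = []
    next_seq: Dict[str, int] = {}                 # sender -> next SEQ it should send
    first_tx: Dict[Tuple[str, int], float] = {}   # (sender, seq) -> time first sent
    last_ack: Dict[str, Tuple[int, int]] = {}     # sender -> (last ACK number, duplicates)
    for s in segs:
        if s.length > 0:
            if s.seq < next_seq.get(s.src, 0):
                rto = s.time - first_tx.get((s.src, s.seq), s.time)
                events.append((s.frame, "Retransmission", round(rto, 6)))
            else:
                first_tx.setdefault((s.src, s.seq), s.time)
                next_seq[s.src] = s.seq + s.length
        prev_ack, dups = last_ack.get(s.src, (None, 0))
        dups = dups + 1 if s.length == 0 and s.ack == prev_ack else 0
        if dups:
            events.append((s.frame, "DupAck", dups))
        last_ack[s.src] = (s.ack, dups)
    return events

SERVER, CLIENT = "212.143.162.136", "192.168.2.100"   # the two hosts on the slides

def sample_stream() -> List[Seg]:
    """Constructed capture adapted from the slides (not their exact numbers): the server's SEQ 191
    segment is lost, the client keeps acknowledging 191, and the server resends it after its RTO."""
    return [
        Seg(555, 9.938940, CLIENT, 725, 191, 624),
        Seg(600, 10.137339, SERVER, 191, 1349, 1452),   # lost on the way to the client
        Seg(601, 10.138715, SERVER, 1643, 1349, 1452),
        Seg(602, 10.138757, CLIENT, 1349, 191, 0),      # DupAck #1
        Seg(603, 10.138860, SERVER, 3095, 1349, 10),
        Seg(604, 10.138900, CLIENT, 1349, 191, 0),      # DupAck #2
        Seg(639, 10.589888, SERVER, 191, 1349, 1452),   # retransmission after RTO expiry
        Seg(640, 10.589923, CLIENT, 1349, 3105, 0),     # everything now acknowledged
    ]
```

Running analyze(sample_stream()) flags frames 602 and 604 as duplicate ACKs and frame 639 as a retransmission with an RTO of 0.4525 s, the same figure the slide computes by hand; Wireshark's Expert Info applies richer versions of the same two rules.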

Page 64

Statistics – TCP Stream Graph

Page 65

Round-Trip Time Graph

RTT vs. sequence numbers gives us the time it takes to ACK every packet. In case of variations, it can cause DUPACKs and even retransmissions. This usually happens on communication lines:

Over the Internet

Over cellular networks

Page 66

Time / Sequence Graph (Stevens) (#1)

(Graph axes: Seq No [B] vs. Time [Sec])

Time / Sequence represents how sequence numbers advance with time. In a good connection (like in the example), the line will be linear. The angle of the line indicates the speed of the connection. In this example – a fast connection.

Page 67

Time / Sequence Graph (Stevens) (#2)

(Graph axes: Seq No [B] vs. Time [Sec])

In this case, we see a non-contiguous graph. Can be due to:

Severe packet loss

Server response (processing) time

Page 68

Example A - Stable Performance File Transfer

Page 69

Example A - Stable Performance File Transfer

A stable throughput of around 1 MB / 8 Mb per second

It is important to test in parallel with an SNMP tool for channel capacity

Page 70

Example B – Non-Stable Performance Mail Transfer

Page 71

Example B – Non-Stable Performance File Transfer

Something happened here (after ~5.25 seconds)

Page 72

Example B – Non-Stable Performance File Transfer

5.25 seconds after the start of the stream, we don’t see any connectivity problems – probably slow server/applications

Page 73

RTP Connectivity

Stable stream (bandwidth graph)

Page 74

Chapter Content

A few words about troubleshooting tools

Wireshark – basics

Wireshark – advanced features

Case studies

Page 75

Case Study #1 – Remote offices become very slow

(Diagram: remote offices and the center, link to the ISP; network 192.168.110.0/24)

Test methodology: With SNMP, measure traffic to the center

Result – heavy traffic

With Wireshark, test who generates the traffic

Page 76

Case Study #1 – Remote offices become very slow

Page 77

Case Study #1 – Remote offices become very slow

WORM!!!

Page 78

Case Study #1 – Remote offices become very slow

You can see it also in: Statistics – Conversations – IPv4

Page 79

Case #2 – Slow HTTP Server Response

(Diagram: 192.168.200.227; LB 192.168.3.50; server farm 192.168.1.58, 192.168.1.46, 192.168.1.…; 192.168.2.138)

Page 80

Case #2 - Client Side

Page 81

Case #2 - Server Side

Page 82

Case #3 – Slow DB Response

(Diagram: 10.2.1.105 and 10.1.1.7 across a Frame Relay Network (Year 2000))

Page 83

Case #3 – Slow DB Response

Connection Establishment

Page 84

Case #3 – Slow DB Response

And more packets (900+ since beginning of connection) …

Page 85

Case #3 – Slow DB Response

And more packets (2000+ since beginning of connection) …

40 ms delay between packets

2000 packets × 40 ms = 80 s application delay!!!

Page 86

Case #4 – Another Slow Application

Page 87

Case #4 – Another Slow Application

Analyze – Expert Info Composite gives us:

Something here stinks …..

Page 88

Case #4 – Another Slow Application

Strong RTT Variations!!! (a problem with client-server)

Page 89

Case #4 – Another Slow Application

Page 90

Case #5 - Do we have a Problem ???

Page 91

Case #5 – and the Throughput Graph Shows …

Ooops … But, is it really a problem ???

Page 92

Case #5 – Expert Info Composite shows …

Ooops … Nearly no events over here …

Page 93

Case #5 – This is what the application does …

Interactive open/close read/write application

This is what it requires from the network …

Page 94

Case #6 – FTP over Cellular Connection

Page 95

Summary