Wireshark Basics

Network analysis Using Wireshark Presented by: Yoram Orzach, NDI

Chapter Content A few words about troubleshooting tools Wireshark – basics Wireshark – advanced features Case studies

Network TS Tools
By the end of this lesson, you will be able to understand and use:
PC tools – Ping, Tracert ,Netstat, ARP …..
Access to communication equipments – Switches, Routers ….
Protocol analyzers – Wireshark (former Ethereal), Sniffer ® …..
SNMP tools – SNMPc, Whatsup Gold, HP-OV NNM …..
Special tools – Netflow, Solawinds …..
Dedicated analyzers – Agilent, Spirent, …..

1. PC Tools - Ping, Tracert ,Netstat, ARP …..
End to end basic connectivity
First “filling” of the network behavior
To ISP

2. Access to communication equipments – Switches, Routers, ….
Local data – counters in equipment itself
For local problem isolation
To ISP

3. Protocol analyzers – Wireshark (former Ethereal), Sniffer ® …..
Local, in-depth, packet-by-packet protocol analysis of network traffic
Network, hardware and application behavior
To ISP

4. SNMP tools – SNMPc, Whatsup Gold, HP-OV NNM …..
Continues monitoring and mapping
Events and notifications
Maps system
Mostly SNMP based
To ISP

5. Special tools – Netflow, Solawinds …..
Traffic analysis, engineering tools etc …
To ISP

6 . Dedicated analyzers – Agilent, Spirent, …..
Simulators, applications tests etc …
To ISP

Were to Locate the Wireshark? To ISP For server monitoring: Connect the laptop to the LAN switch, with port mirror to the monitored server For WAN monitoring: Connect the laptop to the LAN switch, with port mirror to the monitored router For Internet connectivity monitoring: Before or after the Firewall

How to Connect to the Network Monitoring port S D S D S D S D Monitored port
Test method:
Port monitor on LAN switch
In parallel on a hub *if have any

The Interface (Version 1.2.0)

What can we do with it, and what we Cannot?
What we can:
Capture packets
Watch smart statistics
Define filters – capture and display
Analyze problems
What we cannot:
It is not and automatic tool
It is not suitable for long-term monitoring
It is not a “magic” tool

TCP/IP Protocol Stack - Reminder IP ICMP TCP UDP Telnet SNMP HTTP FTP DNS SMTP ARP OSI Layer 1/2 OSI Layer 3 OSI Layer 4 OSI Layer 5-7 T.R. F.R. Ethernet DialUp ISDN ATM

Data Structure Over- head Data Layer 4 Err (Op.) Data Over- head Layer 3 Err (Op.) Data Layer 1 Over- head Data Layer 2 Err (Op.) Over- head Data Layer 5-7 Err (Op.)

Data Structure

Data Flow Server Router Router Public Data Network Eth. Eth. Host Bit stream OH Data E IP (L3) OH Data E TCP (L4) OH Data E HTTP (L-5/6/7) OH Data E Ethernet (L2) Bit stream OH Data E OH Data E OH Data E OH Data E FR (L2) Bit stream OH Data E OH Data E OH Data E OH Data E

Frame Format – Ethernet II / 802.3 bytes Dest. Address Source Address Type 6 6 2 IP IPX AppleTalk CRC 4 Pad Data PA 8 Ethernet II IEEE 802.3 Dest. Address Source Address Length 6 6 2 CRC 4 Pad Length Data PA SFD 7 1

Ethernet Frame Example

IP Datagram Format H Data E Ethernet (L2) H Data IP (L3) H Data E TCP (L4) H Data E HTTP (L-5/6/7) This is the IP header Bit stream

IP Datagram Format Ver Length 32 bits Data (variable length, typically a TCP or UDP segment) 16-bit identifier Internet checksum Time to live 32 bit source IP address Head. len Type of service flgs Fragment offset Upper layer 32 bit destination IP address Options (if any) IP protocol version number Header Length (in bytes “ Type” of data Total datagram length (in bytes For fragmentation and reassembly Max. no. remaining hops (decremented at each router) Upper layer protocol to which payload is delivered E.g. timestamp, record route taken, specify list of routers to visit

IP Packet Example

UDP Frame Structure
There are only four fields in the UDP header:
Source port
Destination port
Message length
Message checksum
source port # dest port # 32 bits Application data (message) UDP segment format length checksum Length, in bytes of UDP segment, including header Frame checksum

TCP Message Structure source port # dest port # 32 bits application data (variable length) sequence number acknowledgement number rcvr window size ptr urgent data checksum F S R P A U head len not used Options (variable length) URG – Urgent data (generally not used ACK: ACK # valid PSH - Push data now RST – Connection RESET Ack numbers to confirm data arrival # of bytes rcvr is willing to accept SYNC – Start session FIN – End session In case of URG pointer, indicates the data location Options Numbering of sent data Port Numbers

TCP Packet Example

Some Problems that Happened ….
A heavy load (nearly nothing works), from remote offices to the center
Very slow connection to an http server farm behind a load balancer
Slow DB server response
Slow application
Is it a problem?
Wait and see how they were solved

Choose the Interface and Start the Capture

And You Will Get: Packet List Packet Details Packet Bytes

Or – Define Capture Options Buffer size – in order not to fill your laptop disk Capture all packets on the network Capture filter Capture in multiple files When to automatically stop the capture Display options Name resolution options

And if you want to see some details: Example (W-LAN): Received Signal Strength Indication (RSSI) and Link speed (BW)

Example 1 – HTTP session Opened SYN SYN, ACK ACK

But why bother? Wireshark give it to you! Flow Graph: Is giving us a graphical flow, for better understanding of what we see

Here we go

But What Happened Here ??? Retransmissions, Duplicate Ack, Previous segment loss ….. We will see later ...

Capture Filters
Filter examples
ether host 00:08:15:00:08:15
host 192.168.0.1
tcp port http
tcp port 23 and src host 10.0.0.5
Capture  Interfaces  Options:

Example #2– Capture traffic to www.ynet.co.il Capture filter definition: Host www.ynet.co.il

Display Filters

Example #3 – Filter Traffic Between Hosts
Port mirror to be configured from the laptop, to
The Server port or
The PC port
172.16.100.111 172.16.100.12 S D S D S D

Example #3 – Filter Traffic Between Hosts ip.addr == 172.16.100.111 and ip.addr == 172.16.100.12

Example #4 – Filter Traffic Between Hosts
Port mirror to be configured from the laptop, to the router port
To ISP 192.168.101.253

Example #4 – Filter Traffic Between Hosts ip.addr == 192.168.101.253

Statistics – Protocol Hierarchy

Statistics - Conversations With some manipulation

Statistics – Conversations - What can we do with it? On Layer-2 (Ethernet) – To find and isolate broadcast storms And then to go to the switch, and find the troublemaker

Statistics – Conversations - What can we do with it? On Layer-3/4 (TCP/IP) – To connect in parallel to the Internet router port, and check who is loading the line to the ISP And then to go to him/her, and ask questions ……

Statistics – I/O Graph
During an HTTP download, we see the following I/O graph:
Is it a problem, or just the way it works ???

Saving and Manipulating Files Save only displayed packets

Saving and Manipulating Files Save to XLS file

And You Will Get: Additional calculation for finding the DELAY

Filtering a Specific TCP Stream

Colorizing Specific Data We want to watch a specific protocol through out the capture file

Colorizing Specific Data

Colorizing Specific Data (TLS Connection Establishment)

Analyze – Expert Info Composite

What is Retransmission?

Take a pen and paper (colors will help), and try to figure out what happened … 212.143.162.136 192.168.2.100 Frame 555, SEQ 725, ACK 191 Frame 600, SEQ 191, ACK 1349 9.938940 10.137339 Frame 601, SEQ 1643, ACK 1349 10.138715 Frame 602, SEQ 1349, ACK 3095 10.138.757 Frame 603, SEQ 3095, ACK 1349 10.138860 Frame 604, SEQ 1349, ACK 3105 10.138.757 Frame 639, SEQ 191, ACK 1349 10.589888 Retransmission RTO Expires 10.137339-10.589888= 0.4525 Sec Happens when: Lost frame (RTO Expires) Cause: Slow server/PC Errors / Packet loss Sudden increase in delay

What is DupAck (Duplicate Ack)? 212.143.162.136 192.168.2.100 Frame 555, SEQ 725, ACK 191 Frame 600, SEQ 191 , ACK 1349 9.938940 10.137339 Frame 601, SEQ 1643 , ACK 1349 10.138715 Frame 602, SEQ 1349, ACK 3095 10.138.757 Frame 603, SEQ 3095 , ACK 1349 10.138860 Frame 604, SEQ 1349, ACK 3105 10.138.757 Frame 639, SEQ 191 , ACK 1349 10.589888 RTO Expires 10.137339-10.589888= 0.4525 Sec Frame 640, SEQ 2023, ACK 3105 10.589923 Frame 641, SEQ 3095, ACK 1349 10.595574 Frame 642, SEQ 2023, ACK 3105 10.595610 Frame 644, SEQ 3105 , ACK 2023 10.595574 Happens when: Unexpected (not in order) sequence number Cause: Strong delay variations DUPACK DUPACK

Statistics – TCP Stream Graph

Round-Trip Time Graph
RTT Vs. Sequence numbers gives us the time that take to Ack every packet.
In case of variations, it can cause DUPACKs and even Retransmissions
Usually will happen on communications lines:
Over the Internet
Over cellular networks

Time / Sequence Graph (Stevens) (#1)
Time / Sequence representes how sequence numbers advances with time
In a good connection (like in the example), the line will be linear
The angle of the line indicates the speed of the connection. In this example – fast connection
Seq No [B] Time [Sec]

Time / Sequence Graph (Stevens) (#2)
In this case, we see a non-contiguous graph
Can be due to:
Severe packet loss
Server response (processing) time
Seq No [B] Time [Sec]

Example A - Stable Performance File Transfer

Example A - Stable Performance File Transfer A stable throughput of around 1MB/8Mb per second It is important to test in parallel with SNMP tool for channel capacity

Example B – Non-Stable Performance Mail Transfer

Example B – Non-Stable Performance File Transfer Something happened here (After ~5.25 Seconds)

Example B – Non-Stable Performance File Transfer 5.25 seconds after start of stream, we don’t see any connectivity problems – probably slow server/applications

RTP Connectivity Stable stream BW

Case Study #1 – Remote offices become very slow
Test methodology:
With NSMP, measure traffic to center
Result – heavy traffic
With Wireshark, test who generates the traffic
To ISP 192.168.110.0/24

Case Study #1 – Remote offices become very slow WARM !!!

You can see it also in:
Statistics  Conversations  IPv4

Case #2 – Slow HTTP Server Response 192.168.200.227 LB 192.168.3.50 192.168.1.58 192.168.1.46 192.168.1….. 192.168.2.138

Case #2 - Client Side

Case #2 - Server Side

Case #3 – Slow DB Response 10.2.1.105 10.1.1.7 Frame Relay Network (Year 2000)

Case #3 – Slow DB Response Connection Establishment

Case #3 – Slow DB Response And more packets (900+ since beginning of connection) …..

Case #3 – Slow DB Response And more packets (2000+ since beginning of connection) ….. 40mS delay between packets 2000Packets * 40mSec = 80Sec application delay !!!

Case #4 – Another Slow Application

Case #4 – Another Slow Application Analyze – Exert Info Composite gives us: Something here stinks …..

Case #4 – Another Slow Application Strong RTT Variations !!! (a problem with client-server)

Case #4 – Another Slow Application

Case #5 - Do we have a Problem ???

Case #5 – and the Throughput Graph Shows … Ooops ….. But, is it really a problem ???

Case #5 – Expert Info Composite shows …. Ooops ….. Nearly no events over here ……..

Case #5 – This is what the application does …. Interactive open/close read/write application This his what it requires from the network ….

Case #6 – FTP over Cellular Connection

Summary

http://epipro.wordpress.com	26
http://static.slidesharecdn.com	2
http://www.linkedin.com	2

Wireshark Basics

by Yoram Orzach

Accessibility

Upload Details

Usage Rights

3 Embeds 30

Statistics

Wireshark Basics Presentation Transcript