This gives an overall idea about wireshark design and how to capture packets using wireshark, tcpdump and tshark. It also covers basics behind measuring network performance and tools to use such as bmon and iperf.

1. Wiresark, Tcpdump and
Network Performance Tools
Sachidananda Sahu

2. AGENDA
• INTRODUCTION
• WHY AND HOW TO ANALYSE PACKET ?
• FUNDAMENTALS OF ANALYSING NETWORK PACKETS
• PACKET ANALYSIS TOOLS TCPDUMP, TSHARK AND WIRESHARK
• WIRESHARK DESIGN FRAMEWORK
• ANALYZING PROTOCOL USING WIRESHARK
• FILTERS AND STATISTICS IN WIRESHARK
• FUNDAMENTALS OF MEASURING NETWORK PERFORMANCE
• NETWORK PERFORMANCE MEASUREMENT TOOLS BMON, IPERF
• Q & A
• CONCLUSION
• REFERENCES
Radisys Corporation - CONFIDENTIAL

3. Introduction
• In this present era most of the devices are connected with internet.
• They should be AVAILABLE always
• They should be RELIABLE always
• They should PERFORM better always
• Consider a simple home network
• Consider this real time complex network
• Think about a situation if there is problem in one device ?
• So we need some tools
• Which can help us to debug , monitor, analyse the data.
• Which can also measure performance and also can give us statistical info.
Image Source: makeuseof.com
Image Source: afnog meet

4. Why and How to analyse packet ?
 Why to Analyse ?
 Analyze network problems
 Detect intrusion attempts
 Identify network misuse
 Content monitoring
 Bandwidth usage analysis
 Gathering network status
 How to Analyse ?
 Sniff the packets
 Analyze the Protocol/Packets
 Monitor the Packets
 Tools To Analyse ?
 Tcpdump, Tshark, wireshark
 Nagios, Splunk, Total Network Monitor
 And many more …

5. Fundamentals of analyzing network packets
Switch OS BufferNIC Disk
Applicatio
n Buffer
Visualization of a packet in a system
Visualization of data at different layer
Places to analyze packet
Matryoshka doll

6. Packet Analysis Tools
 Common points
 They act as protocol analyzer
 They able to understand the protocols and show us packet by packet.
 They relate packets to give info about sequence of packets.
 They apply filter to analyze packet of interest.
 Tcpdump
 Unix-based command-line tool used to intercept packets.
 Supports most of the protocols tcp,udp, icmp and many more …
 Tshark
 Same unix based command line tool
 Similar to tcpdump in behavior and option
 It also supports extra protocols and new options
 Wireshark
 Graphical version of Tcpdump/Tshark.
 Wireshark has both qt version and gtk version for graphics.

7. Wireshark Design Framework
Wireshark Traffic Handling
Wireshark System Overview

8. For the love of Command Line …
Tcpdump/tshark options
 –D: Shows all interfaces available
 -i <interface>
 tcpdump –i any <protocolname>
 -w <FileToWrite>
 -r <ReadFromFile>
 -Y <protocolname>
 -c <No of packets>
 -V show all information about the packets
 capinfo <capture filename>
 tcpdump –I <interface> host <ipaddress>
 -q –z expert shows details of packet staticstics
 -q –z expert, error
 -q –z expert, hosts
 -q –z io, stat,5

9. For the love of Graphical Interface …
Packet List Panel
Packet Details Panel
Packet Byte Panel
Packet Filter
Let’s
start
Wireshark,
And see the
packet
you are
sending and
receiving in
your system
…

10. Analyzing a TCP Based Application
Field’s under interest
• Source IP
• Source Port
• Destination Ip
• Destination Port
• Data Transmitted
Image Source: superuser.com

11. Wireshark Filters
 Tools generally capture packets of all types(protocol/host/port etc ) in which we may not be interested most of the time 
 Filtering in tools helps us to capture/view packets of our interest.
 Capture Filter
 Capture only interested packets, done during capture phase only
 Used to reduce the size of a raw packet capture
 Capture filter is nothing but what we do during tcpdump/tshark
 tcpdump <protocolname>
 Capture->Capture Filters : Add/Delete or select predefined filters
 host 192.168.10.2
 tcp src port 9000
 tcp port 9000 and not src host 192.168.10.2
 Display Filter
 Capture all, but show only interested packets, applied after capturing all.
 Used to hide some packets from the packet list.
 Display filter can be applied any time in the wireshark GUI
 ip.addr == 192.168.10.2
 tcp.port in { 80,12000, 24 }
 tcp.port == 80 || tcp.port == 12000 || tcp.port == 24

12. Wireshark Statistics
 Wireshark provides a wide range of network statistics.
 Number of captured packets in a session
 Number of specific protocol packet (HTTP requests and responses) captured
 Statistics -> Summary - overall summary of the packet capture
 Statistics -> Protocol Hierarchy - breakdown of the various protocols
 Statistics -> Conversations - list of each individual “conversation” between endpoints
 Statistics -> Endpoints - list of source and destination addresses
 Statistics -> Service Response Time - display the time between a request and it’s
response
 Statistics -> Flow Graph – Showing the flow of traffic

13. Fundamentals of measuring network performance
 It is the analysis and review of collective network statistics, to define the quality of services offered by
the underlying computer network.
 It helps to review, measure and improve the network services.
 Broadly, network performance is measured by reviewing the statistics and metrics of following
parameters.
Speed
Bandwidth
Network Delay,
Latency
Data Loss
Throughput

14. Fundamentals of measuring network performance …

15. Fundamentals of measuring network performance
 Terms for network performance and monitoring
 Speed – Available circuitry data
 Network bandwidth or capacity - Available data transfer
 Network throughput - Amount of data successfully transferred over the network in a given time
 Network delay, latency and jittering - Any network issue causing packet transfer to slow than usual
 Data loss and network errors - Packets dropped or lost in transmission and delivery
 Packet per second - Number of packets of data per second that can be processed before dropping data
 Connection per second - Rate at which a device can establish state parameters for new connections.
 Transaction per second - Number of complete actions of a particular type that can be performed per second.
 Maximum concurrent connection per second - Total number of sessions (connections) about which a device can
maintain state simultaneously.
 Tools for measuring network performance and monitoring
 bmon, iperf, iftop, vnstat , nload etc … and more at http://www.slac.stanford.edu/xorg/nmtf/nmtf-tools.html

16. bmon
 It’s a text based badwidth monitor and rate estimator tool which captures bandwidth related statistics and
display them visually over command prompt.
 Installing
 sudo apt-get install bmon
 Repo : https://github.com/tgraf/bmon
 man bmon
 Options
 -p : specific interface
 -r : read interval from source
 -R : update rate per counter
 Input modules
 Netlink ,Proc ,Netstat
 Output modules
 Curses, Ascii, Format, Null
 Usage
 bmon –p eth0,eth1
 bomn –p eth0 –R 5
 bmon –p eth*,!eth2

17. iperf
 It measures the bandwidth and the quality of a network link. Jperf also does the same with additional graphical interface.
 It creates TCP,UDP,SCTP data streams by tuning various parameters and gives idea about network’s bandwidth, delay, jitter and data loss
values.
 Currently updated version is iperf3
 source code https://github.com/esnet/iperf
 sudo apt-get install iperf3
 Iperf3 options
 -s server
 -c client
 -t test duration timing
 -i periodic interval report
 -f [kmKM] formatting option
 -d, -r bi-directional bandwidths
 -p Specific port number
 -w TCP window size
 -b bandwidth setting
 -u set to udp
 -M maximum segment size
 -P parallel streams

18. Iperf usage
 Usage
iperf3 –s
Iperf3 –c <serverIp>
Iperf3 –c <serverIp> -f K
Iperf3 –c <serverIp> -r
Iperf3 –c <serverIp> -d
Iperf3 –c <serverIp> -t 15
Iperf3 –c <serverIp> -i 2
Iperf3 –c <serverIp> -w 1200
iperf3 -c 10.1.1.1 -P 2
iperf3 –s –p 8001Iperf3 –c <serverIp> -p 8001
Iperf3 –c <serverIp> -u –b 1M
iperf3 –sIperf3 –c <serverIp> -M 1300 -m
iperf3 –s -u

19. Q & A

20. Conclusion
 Tools helps us to debug the network better.
 Tools helps us to understand the problem.
 Tools helps us to know the current performance.
 Tools helps us to know about usage utilization.
 Tools helps us to know about any security issues present in network.
 Tools helps us to experiment the new network technologies.

21. References
 www.wireshark.com
 www.iperf.fr
 https://www.tecmint.com/
 http://www.cisco.com/c/en/us/about/security-center/network-performance-metrics.html
 https://openmaniak.com/
 SharkFest 2014, Andrew Brown
 Man page of tcpdump, wireshark, bmon, iperf
 Cliff Zou’s wireshark lecture
 Rich Macfarlane’s Lab
 Packet analysis using wireshark by Lisa Bock, Pennsylvnia College of Tech.
 Wireshark 101 ppt By Ravi Bhoraskar & book by Laura Chappell
 Some images, texts borrowed/stolen generously from all over the internet
 and some personal experience …

22. Life is easy with wireshark …
Happy Wiresharkking 

23. Thank You