Summary Notes for Wireshark Jumpstart

Wireshark Jumpstart : Master Key Tasks for Network Troubleshooting
by Laura Chappell, 10:00am 05/26/2009

Live Seminar Traning: chappellseminars.com
On-Demand Training: chappellU.com
www.cacetech.com / SharkfestGerald Comb

Network analysis is a FIRST RESPONDER task
Where the problem is

o Key Tasks
- Place the analyzer appropriately
- Focus on "the whiner" - Go to customer (complaining)
- Get out your baselinesFilter on specific conversations or types of traffic
- Look for "hot" problems - fast transmission
- Create key graphs - I/O, TCP, Latency, Time sequence graph,

o Hanging off a Switch
multicast, broadcast, unknown
- Install Analyzer on Host / Fred
- Hubbing Out (Half-Duplex) : adding Hub between Switch and Fred
- Tap In (Full-Duplex) : FDX Tap / NetOptics, - Aggregating Full-Duplex Tap
- Port Spanning

o What about Wireless
- AirPcap (USB H/W)
- WI Spy

o Busy Networks
- Suck it up...disable unnecessary functions (live display, name resolution, etc.)
- Use capture filters
- Try saving to file sets (she loves this)
- Analyzer naked with tshark (CLI)
- TurboCap (www.cacetech.com) : H/W solution

o tshark
tshark -h
tshark -D (interface list)
tshark -i
tshark -f
tshark -c
tshark -w

tshark -i 3 -f arp -c 100 -w test.pcap

o Task Offload

o Capture Options
Next file every 10 megabytes
Ring buffer with 2 files
Ethernet address 00:08:15:00 (Not Me Mac)
not ether host 00:34:a4:03:34:09

Time -> Time Display Format :
Control + arrow key

Expert Info Composite
TCP Dup ACK: Internet link is slow, packet loss
Zero window : serious problem / TCP Zero Window
Window update
Window is full
Statistics -> TCP Stream Graph / Round trip time graph
Stat -> Summary
Avg. MBit/sec : 2.430 (good), Time Sequence Graph (tcptrace)?: flat graph (zero window)

99% packet loss -> go to infra (switch, firewall, etc.)

chappellU.com / On-Demand Traning, 20% discount code: 23T1S (expires June 30, 2009)
chappellseminars.com / Live Training, 50% discount code: tfct10 (expires in 2 hours)
May 28, 2009 10am PDT, "Top 10 Reasons Your Network is Slow"

o Your "To Do" list
1. C'mon...upgrade to Wireshark (with 1.0.8 - stable release)
2. Test analyzer placement
3. Baseline your network traffic
4. Learn to filter (capture AND display)
5. Don't ignore the Expert Info6. Learn TCP/IP at packet level

o DOS prompt
path
cd documentscd "trace files"
editcap -h-c split the packet output to different files
Can split large file to smaller files

mergecap -h

laurachappell.blogspot.com