Lesson objective:
By the end of this lesson you will:
Get an approach to network troubleshooting
Understand the Wireshark software
Understand how to use Wireshark for network protocol troubleshooting
4. yoram@ndi-com.comPage 4
Network Troubleshooting Using Wireshark (Brief) January 2018
The major types of debugging tools are:
1. Standard PC (or operating system) tools – all the standard applications that you can run
from the command line on your PC or on a UNIX machine
2. Access to communication devices – switches, routers, etc.
3. Protocol analyzers – applications that analyze the packets and protocols that run on the
network
4. SNMP tools – applications and software that monitor the MIB (Management Information
Base) continuously, and therefore can also be used for network troubleshooting
5. Special tools – NetFlow, SolarWinds and other tools for engineering and special-case
monitoring
CLI tools, like ping and tracert (or traceroute, depending on the OS), will give you an
initial “feeling” of the network. You can measure delay, jitter and packet loss with a simple
ping, and test reachability with trace.
Telnet or web connectivity to communication devices will give you much more
data. You will be able to get the number of input and output packets on an interface,
the number of errors, CPU utilization, packet size distribution and much more.
SNMP tools, like SNMPc, MRTG, WhatsUp Gold, HPOV-NNM and others, are
installed on a dedicated platform that continuously monitors the network and gives us a
network map, an event browser and other features, depending on the software. For
troubleshooting purposes, we will use the monitoring features, which give us
continuous monitoring of network parameters.
There are special tools like NetFlow, loggers etc. For example, with NetFlow we can
get accurate statistics of who is using the network (by IP address), what they are doing
(by port numbers – HTTP, mail etc.) and more. There are many tools for these
purposes.
If you need more than this, for example simulating network conditions, you can use
software tools (for example Shunra) or hardware devices that simulate error
patterns, load, application loads and more.
In late 1997 Gerald Combs needed a tool for tracking down network problems and
wanted to learn more about networking so he started writing Ethereal (the original
name of the Wireshark project) as a way to solve both problems.
Ethereal was initially released after several pauses in development in July 1998 as
version 0.2.0. Within days patches, bug reports, and words of encouragement started
arriving and Ethereal was on its way to success.
Not long after that Gilbert Ramirez saw its potential and contributed a low-level
dissector to it. In October, 1998 Guy Harris was looking for something better than
tcpview so he started applying patches and contributing dissectors to Ethereal. In late
1998 Richard Sharpe, who was giving TCP/IP courses, saw its potential on such
courses and started looking at it to see if it supported the protocols he needed. While it
didn’t at that point new protocols could be easily added. So he started contributing
dissectors and contributing patches. The list of people who have contributed to the
project has become very long since then, and almost all of them started with a protocol
that they needed and that Wireshark did not already handle. So they copied an existing
dissector and contributed the code back to the team.
In 2006 the project moved house and re-emerged under a new name: Wireshark.
In 2008, after ten years of development, Wireshark finally arrived at version 1.0. This release
was the first considered complete, with the minimum set of features implemented.
Wireshark was acquired by Riverbed in 2010, with a commitment that it would continue to
live as open source.
In 2015 Wireshark 2.0 was released, which featured a new user interface.
With Wireshark we can:
• Capture packets
• Watch smart statistics and graphs and analyze them
• Define capture and display filters
• Using all of the above – Analyze problems
What Wireshark cannot do for you:
• It is not an automatic tool, and certainly not a “magic” tool. You don’t just
connect it to the network and have it tell you the problems.
• It is not suitable for long term monitoring.
• It is not suitable for heavy traffic monitoring.
The File menu contains items to open and merge capture files, save, print, or export
capture files in whole or in part, and to quit the Wireshark application.
You can, for example, configure a display filter on the data that interests you, and then
from here, using Export Specified Packets, export only this data to a file.
The Edit menu contains items to find a packet, time reference or mark one or more
packets, handle configuration profiles, and set your preferences.
You can for example use Find Packet when you look for a string in a text, for
example a website, a URL, DNS name or any other string in the captured file.
The View menu controls the display of the captured data, including colorization of
packets, zooming the font, showing a packet in a separate window, and expanding and
collapsing trees in the packet details.
Here for example we can set the Time Display Format, Name Resolution in Layers
2, 3 and 4 and other features to customize the display.
The Go menu contains items to go to a specific packet – including to a packet
number, next or previous packet, first or last packet and so on.
Like all menus, items here have keyboard shortcuts to make life easier; use them.
The Capture menu allows you to start and stop captures and to edit capture filters.
This will be explained later in this lesson.
The Analyze menu is one of the menus you will use a lot during network
troubleshooting. It contains items to manipulate display filters, enable or disable the
dissection of protocols, configure user specified decodes and follow a TCP stream.
We will discuss some of these features in detail later in the course.
One of the important menus is the Statistics menu. This menu contains items to
display various statistic windows, including a summary of the packets that have
been captured, display protocol hierarchy statistics and much more.
Later in this course we will dive deeper into some of its features, mostly the IO and
Stream Graphs, which are two of the most important Wireshark features.
The Telephony menu supports various telephony protocols. Here you find, for
example, the Real-time Transport Protocol (RTP), which is used for carrying multimedia
information, the Session Initiation Protocol (SIP), which is used for signaling, and other
protocols.
The Help menu contains items to help the user with access to some basic help,
manual pages of the various command line tools, online access to some of the
webpages, and the usual about dialog.
The colorized bullet on the left shows the highest expert info level found in the
currently loaded capture file. Moving the mouse over this icon will show a textual
description of the expert info level, and clicking the icon will bring up the Expert
Infos dialog box. Here we see that the highest message level is the Warn level.
To the right of the colorized bullet we see information about the capture file, its
name, its size and the elapsed time while it was being captured. Hovering over a file
name will show its full path and size.
Next to the right we see the current number of packets in the capture file. The
following values are displayed:
• Packets: The number of captured packets.
• Displayed: The number of packets currently being displayed.
• Marked: The number of marked packets. These are only displayed if packets are
marked.
• Dropped: The number of dropped packets. These are displayed only if Wireshark
was unable to capture all packets, for example under heavy traffic.
• Ignored: The number of ignored packets. These are only displayed if packets are ignored.
• Load time: The time it took to load the capture.
On the right side we see the selected configuration profile. Clicking in this part of the
status bar will bring up a menu with all available configuration profiles, and selecting from
this list will change the configuration profile.
In Cisco – SPAN (Switched Port Analyzer):
http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml
In Juniper – Port Mirror:
http://www.juniper.net/techpubs/en_US/junos9.2/topics/concept/port-mirroring-ex-series-overview.html
Instead of connecting a switch on the link you wish to monitor, you can connect a
device called a Test Access Point (TAP), a simple three-port device that in
this case plays the same role as the switch. The advantages of a tap over a switch
are simplicity and price. Taps also forward errored frames, which can then be seen in
Wireshark, whereas a LAN switch drops them.
Wireshark uses the libpcap filter language for capture filters. Libpcap is a portable
C/C++ library for network traffic capture.
You can find additional information on the Libpcap web site -
http://www.tcpdump.org/, and Capture Filter examples at:
http://wiki.wireshark.org/CaptureFilters.
Here we see that in order to configure a capture filter we go through the following
steps:
• Click on the capture filter symbol, fourth from the left on the symbol toolbar
• Choose the interface on which we want to configure the filter, and
• Configure the filter in the bar at the bottom of the capture filter window
Some examples for capture filters:
• ether host 00:08:15:00:08:15 for capturing packets only from and to a
specific MAC address
• host 192.168.0.1 for capturing packets only from and to a specific IP
address
• tcp port http for capturing packets only from and to a specific TCP port
We can configure different filters on different interfaces. Here, for example, we see a
MAC address filter on the Wireless LAN interface and a TCP port filter on the
Gigabit Ethernet interface.
A capture filter takes the form of a series of primitive expressions connected by
and/or and optionally preceded by not:
[not] primitive [and|or [not] primitive ...]
Where:
• A primitive is the basic condition
• The logical operators and/or combine primitives
• not negates a condition
Primitives are:
[src|dst] host <host>
This primitive allows you to filter on a host IP address or name. You can optionally precede the primitive with the
keyword src|dst to specify that you are only interested in source or destination addresses. If these are not present,
packets where the specified address appears as either the source or the destination address will be selected.
ether [src|dst] host <ehost>
This primitive allows you to filter on Ethernet host addresses. You can optionally include the keyword src|dst
between the keywords ether and host to specify that you are only interested in source or destination addresses. If
these are not present, packets where the specified address appears in either the source or destination address will be
selected.
gateway host <host>
This primitive allows you to filter on packets that used host as a gateway. That is, where the Ethernet source or destination was
host but neither the source nor destination IP address was host.
[src|dst] net <net> [{mask <mask>}|{len <len>}]
This primitive allows you to filter on network numbers. You can optionally precede this primitive with the keyword src|dst to
specify that you are only interested in a source or destination network. If neither of these are present, packets will be selected that
have the specified network in either the source or destination address. In addition, you can specify either the netmask or the CIDR
prefix for the network if they are different from your own.
[tcp|udp] [src|dst] port <port>
This primitive allows you to filter on TCP and UDP port numbers. You can optionally precede this primitive with the keywords
src|dst and tcp|udp which allow you to specify that you are only interested in source or destination ports and TCP or UDP
packets respectively. The keywords tcp|udp must appear before src|dst.
If these are not specified, packets will be selected for both the TCP and UDP protocols and when the specified address appears in
either the source or destination port field.
less|greater <length>
This primitive allows you to filter on packets whose length was less than or equal to the specified length, or greater than or equal
to the specified length, respectively.
ip|ether proto <protocol>
This primitive allows you to filter on the specified protocol at either the Ethernet layer or the IP layer.
ether|ip broadcast|multicast
This primitive allows you to filter on either Ethernet or IP broadcasts or multicasts.
<expr> relop <expr>
This primitive allows you to create complex filter expressions that select bytes or ranges of bytes in packets. Please see the
tcpdump man page at http://www.tcpdump.org/tcpdump_man.html for more details.
Examples:
host 10.10.10.10
Capture all packets to and from 10.10.10.10
src host 10.10.10.10
Capture all packets where 10.10.10.10 is the source
dst host 10.10.10.10
Capture all packets where 10.10.10.10 is the destination
For port numbers, we can configure:
• The filter port with a port number, for example port 80 for all packets to and from
port 80, that is HTTP.
• The filter src port with a port number, for example src port 80 for all packets
from port 80, that is HTTP.
• The filter dst port with a port number, for example dst port 80 for all packets to
port 80, that is HTTP.
For network addresses we can configure the following filters:
• The filter net with the network address, written as the network address and the
number of mask bits, for example net 192.168.1.0/24 for the class-C
network 192.168.1.0
• For a source network we configure the filter src net and the source network
address in the same format, for example src net 192.168.1.0/24
• For a destination network we configure the filter dst net and the destination
network address in the same format, for example dst net 192.168.1.0/24
More examples:
tcp dst port 3128
Captures packets with destination TCP port 3128.
ip src host 10.1.1.1
Captures packets with source IP address equal to 10.1.1.1.
host 10.1.2.3
Captures packets with source or destination IP address equal to 10.1.2.3.
src portrange 2000-2500
Captures packets with source UDP or TCP ports in the 2000-2500 range.
not icmp
Captures everything except ICMP packets (ICMP is typically used by the ping tool).
src host 10.7.2.12 and not dst net 10.200.0.0/16
Captures packets with source IP address 10.7.2.12 whose destination is, at the same time, not in the
network 10.200.0.0/16.
(src host 10.4.1.12 or src net 10.6.0.0/16) and tcp dst portrange 200-10000 and dst net 10.0.0.0/8
Captures packets with source IP address 10.4.1.12 or source network 10.6.0.0/16 that also have a
destination TCP port in the range 200 to 10000 and a destination in the IP network 10.0.0.0/8.
Compound filters can be used, for example, for:
• Specific traffic that we are interested in, to a specific port on a specific server or
servers
• Specific traffic from/to specific network(s)
And many other possibilities.
Capture only Ethernet type EAPOL:
• ether proto 0x888e
Capture only IP traffic - the shortest filter, but sometimes very useful to get rid of
lower layer protocols like ARP and STP:
• ip
Capture only unicast traffic - useful to get rid of noise on the network if you only
want to see traffic to and from your machine, not, for example, broadcast and
multicast announcements:
• not broadcast and not multicast
The first way to configure display filters is to click the “Expression…” button to the
right of the display filter tab. You click on it and the display filter expression
window opens.
In this window you have the following parts:
• The field name, in which you choose the filter. You can scroll down to the
protocol and then double-click on it, and all the filters under this protocol will be
opened.
• In the search tab below the field name you can search for a filter string. For
example, if you search for “retransmission”, TCP is opened, presenting you all
possible “retransmission” filters.
• In the “Relation” part of this window you choose whether the display filter should
test that the field is present, equal or not equal, greater or smaller than, greater or equal,
smaller or equal to, contains, or matches a specific value that you write in the value field.
• In some cases, for example with TCP flags, you can choose whether a flag is present or not, and
then the “predefined values” window will light up and you will be able to choose a value; in
the case of TCP flags it will be “Set” or “Not Set”.
You can choose many values here, many of them added in version two of the software.
Another way to use the display filter is simply to write the filter string in the filter
tab. Auto-complete is enabled here, so after getting used to the display filter syntax,
this is quite a good way to use them.
To use the filter expression:
1. Write the expression you want to use
2. Apply the filter string. You can also use <Enter>
3. From the scroll-down arrow you can choose previously-defined filters
4. To edit the filter expression use the button to the left of the display filter tab. It will
take you to the preferences window. You will see this in the next slide.
The last and easiest way is to go to the packet details pane, right-click on the field
you want to filter on and choose:
1. Apply as filter, or
2. Prepare a filter
In each one of them you can choose “the selected filter”, “not the selected filter”,
“the selected filter and”, “the selected filter or” and so on.
The only thing you have to do is choose which field of the protocol in the packet
you want to monitor and select it.
The Conversations window presents statistics about:
• Ethernet addresses
• IPv4 and IPv6 addresses
• TCP and UDP port numbers
• Additional session parameters that can be added under Conversation Types, at the
bottom right of the window.
In example 6.1 we see:
• When we choose the IPv4 tab and click on the column header to sort by the number of
packets, we see nearly five thousand packets between 172.20.0.10 and
172.30.0.22
At the bottom left of the window you can mark the checkboxes:
• Name resolution: for translating MAC addresses, IP addresses and TCP/UDP port
numbers. Name resolution has to be configured in the main window (from the
View menu)
To check what exactly is running between the two hosts, we click on the TCP tab,
and we see that two TCP connections are open:
• From port 57604 to 445, that is SMB
• From port 58479, also to 445, again an SMB connection
To look for other sessions that are not TCP we simply click on the UDP tab, and we
see in this case nearly 800 packets from 0.0.0.0 to 172.30.0.0
To see what they are we right-click on this line, choose Apply as Filter, and we see that
these are Check Point High Availability packets that are sent between Check Point
firewalls.
In this second example, we see more than 137,000 packets in 61 seconds, all SMB
packets sent to 172.30.0.10.
We’ll get back to this example in the SMB and NetBIOS chapters.
A network endpoint is the logical endpoint of separate protocol traffic of a specific protocol layer.
The endpoint statistics of Wireshark will take the following endpoints into account:
Ethernet: an Ethernet endpoint is identical to the Ethernet's MAC address.
IPv4: an IPv4 endpoint is identical to its IP address.
IPv6: an IPv6 endpoint is identical to its IP address.
TCP: a TCP endpoint is a combination of the IP address and the TCP port used, so different TCP
ports on the same IP address are different TCP endpoints.
UDP: a UDP endpoint is a combination of the IP address and the UDP port used, so different UDP
ports on the same IP address are different UDP endpoints.
Like in the conversation window you can configure here to resolve addresses or to limit the
information on the window to the pre-configured display filter.
In this example, you see the Endpoints window, where:
• On the Ethernet tab, the majority of the packets go to two Juniper devices. These
can be routers, layer 3 switches or firewalls.
• On the IP tab, we see that the majority of the traffic goes to 172.16.20.20, which is the
network router, and a lot of traffic also comes from 10.100.1.63, which is a
simple client at one of the network sites.
Don’t forget that the information you see is limited to the capture time, so if, like
here, you see a load from a specific client, it may be because that client happened to
perform some operation during the capture period.
The IO Graph is one of the important features of Wireshark. Using the IO graphs,
with filters when required, gives a clear picture of network traffic and possible
problems.
You can add graphs or delete them by clicking on the (+) or (-) buttons.
You can also change the mouse options:
• Drag is used for changing the graph position
• Zooms is used to zoom in or out of the graph
You can also change:
• The time interval, increasing or decreasing it
• The Y-Axis scale, from linear to logarithmic
When looking at the graphs, in the lower window we can see:
• Name: the name given to the graph
• Filter: a display filter for this graph (only the packets that pass this filter will be
taken into account for this graph)
• Color: the color of the graph (cannot be changed)
• Style: the style of the graph: Line, Impulse, FBar, Dot, Stacked Bar, Dots,
Squares, Diamonds
• Y field: what will be plotted on the Y axis
• Smoothing: smoothing of the Y-axis values
The important thing is that the Y axis can be configured to bits/s, bytes/s, packets/s
and other parameters that are not time-related. We’ll talk about it later in this lesson.
To see the traffic graph of a specific stream:
• To view all data streams, use the Conversations tool from the Statistics menu. In
the Conversations window, we choose the stream with the highest number of
packets to see how it loads the line we monitor
• Open the IO Graph window, and copy the display filter string into a new graph.
What you see is the amount of traffic of the specific stream.
In our example, we see that the specific stream that we filtered has 60-70
packets/second, while the peaks come from other traffic.
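The procedure just described (sort the Conversations window by packets, take the heaviest conversation's display filter, plot it as its own IO graph next to the total) can be reproduced outside the GUI to see what the numbers are made of. The Python below is an added example, not Wireshark code. It builds a constructed packet list (one heavy SMB-style TCP conversation, a lighter second connection to the same server port, some UDP, and a short burst from another client, all invented for the example), computes per-layer conversation and endpoint tables the way the Conversations and Endpoints windows do (a TCP endpoint is address plus port, so the two connections to port 445 share one endpoint on the server side), builds the ip.addr/tcp.port display filter for the top conversation, and bins packets per second with and without that filter as the IO graph does. Function and variable names are the example's own.

```python
"""Conversation, endpoint and IO-graph style statistics over constructed packets (added example)."""
from collections import Counter, defaultdict


def build_sample():
    """Constructed packets, not a capture: (time_s, src_ip, sport, dst_ip, dport, proto, bytes)."""
    pkts = []
    for i in range(300):                      # heavy SMB-style flow: 60 requests/s for 5 s, each answered
        t = i / 60.0
        pkts.append((t, "172.20.0.10", 57604, "172.30.0.22", 445, "tcp", 1514))
        pkts.append((t + 0.005, "172.30.0.22", 445, "172.20.0.10", 57604, "tcp", 66))
    for i in range(50):                       # second, lighter SMB connection from the same client
        pkts.append((i / 10.0, "172.20.0.10", 58479, "172.30.0.22", 445, "tcp", 200))
    for i in range(40):                       # some UDP (DNS-like) background traffic
        pkts.append((i / 8.0, "10.100.1.63", 5353, "172.16.20.1", 53, "udp", 100))
    for i in range(200):                      # a half-second burst from another client: the "peak"
        pkts.append((2.0 + i / 400.0, "10.100.1.63", 50000 + i, "172.16.20.20", 80, "tcp", 1000))
    pkts.sort(key=lambda p: p[0])
    return pkts


def conv_key(pkt, layer):
    """Direction-independent conversation key for a layer ("ipv4", "tcp" or "udp")."""
    _, src, sport, dst, dport, proto, _ = pkt
    if layer == "ipv4":
        a, b = (src,), (dst,)
    elif layer == proto:                      # tcp/udp endpoints are address + port
        a, b = (src, sport), (dst, dport)
    else:
        return None                           # packet is not part of this layer's table
    return tuple(sorted((a, b)))


def conversations(pkts, layer):
    """[(key, [packets, bytes]), ...] sorted by packet count, like the Conversations window."""
    stats = defaultdict(lambda: [0, 0])
    for p in pkts:
        k = conv_key(p, layer)
        if k is not None:
            stats[k][0] += 1
            stats[k][1] += p[6]
    return sorted(stats.items(), key=lambda kv: kv[1][0], reverse=True)


def endpoints(pkts, layer):
    """[(endpoint, [packets, bytes]), ...]; every packet counts for both of its endpoints."""
    stats = defaultdict(lambda: [0, 0])
    for p in pkts:
        k = conv_key(p, layer)
        if k is not None:
            for ep in k:
                stats[ep][0] += 1
                stats[ep][1] += p[6]
    return sorted(stats.items(), key=lambda kv: kv[1][0], reverse=True)


def display_filter(key, layer):
    """Wireshark display-filter string for one conversation (ip.addr and tcp/udp.port are real fields)."""
    if layer == "ipv4":
        return f"ip.addr=={key[0][0]} && ip.addr=={key[1][0]}"
    return (f"ip.addr=={key[0][0]} && {layer}.port=={key[0][1]} && "
            f"ip.addr=={key[1][0]} && {layer}.port=={key[1][1]}")


def io_graph(pkts, interval_s=1.0, key=None, layer=None):
    """Packets per interval, optionally restricted to one conversation (the graph's filter)."""
    bins = Counter()
    for p in pkts:
        if key is None or conv_key(p, layer) == key:
            bins[int(p[0] // interval_s)] += 1
    n = int(max(p[0] for p in pkts) // interval_s) + 1
    return [bins[i] for i in range(n)]


if __name__ == "__main__":
    pkts = build_sample()
    for layer in ("ipv4", "tcp", "udp"):
        print(layer, "top conversations:", conversations(pkts, layer)[:3])
    top_key, _ = conversations(pkts, "tcp")[0]
    print("filter for the top TCP conversation:", display_filter(top_key, "tcp"))
    print("all traffic, packets per second:     ", io_graph(pkts))
    print("top conversation only:               ", io_graph(pkts, key=top_key, layer="tcp"))
```

Comparing the two per-second lists is the textual equivalent of overlaying the filtered graph on the total: the heavy conversation is flat, and the one-second bin that stands out in the total comes from the burst of other traffic.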
Here we see that the red line of the filtered graph and the black line of all the traffic
overlap, so we have found the session that generated the peaks.
In the protocol lessons later in the next course we will see how to find what exactly
generated these peaks.
Here we see that if we want to see the traffic pattern of the two heaviest flows in this
capture file:
• We use the Statistics – Conversations window to figure out what these flows are
• Then we add two additional graphs, with filters that will show us these flows
• By zooming in on the streams we can see exactly how each one of these streams
behaves
There are four types of TCP graphs:
• Round Trip Time – shows the round trip time for ACKs over time
• Throughput – measures throughput using TCP sequence numbers
• Time-Sequence (Stevens) – a graph of TCP sequence numbers versus time. This
helps us see if traffic is moving along without interruption, packet loss or long
delays
• Time-Sequence (tcptrace) – a graph of TCP sequence numbers versus time. It also
keeps track of the ACK values received from the other endpoint and tracks the
receive window advertised by the other endpoint.
A few quick items to note:
• You can use the ‘i’ key to zoom in at the current mouse position
• You can use the ‘o’ key to zoom out from the current mouse position
• You can right-click, hold and drag around the graph
• You can left-click, hold and drag a rectangle to zoom in on a region
• You can single left-click on a segment or ACK to go to that packet in the pcap (very
useful)
Rcv Win – indicates the window size of the receiver.
Bytes Out – indicates the number of bytes sent by the sender.
A stable receive window indicates good receiver behavior. Non-stable behavior,
for example a sawtooth pattern, indicates instability or weakness.
If we go back to the OSI-RM definitions, layers 1 and 2 are the LAN and WAN protocols. TCP
works on any of them.
In layer 3, the protocol that provides end-to-end connectivity is IP – the Internet Protocol. In
parallel to IP, there are other special-purpose protocols, like ICMP (the ping command).
ARP (Address Resolution Protocol) and RARP (Reverse ARP) are used for address resolution
between layer-2 LAN and layer-3 IP protocols.
In layer 4 we have two protocols for application connectivity – TCP (Transmission Control Protocol),
which is a connection-oriented, reliable protocol, and UDP (User Datagram Protocol), which is an
unreliable, connectionless protocol.
In layers 5 to 7, the “upper layers”, we have two types of protocols:
• Those which require reliability, like FTP, HTTP and others – they work on top of the reliable TCP
infrastructure. Of course, working over TCP slows the operation.
• Those which do not require reliability, or do require speed – they work on top of the
faster, unreliable UDP.
Something happens here every 2.5 seconds that causes transmission to hold for this
period of time. Let’s find out what it might be.
TCP DupACK - Occurs when the same ACK number is seen AND it is lower than
the last byte of data sent by the sender.
If the receiver detects a gap in the sequence numbers, it will generate a duplicate
ACK for each subsequent packet it receives on that connection, until the missing
packet is successfully received (retransmitted).
DupACK is a clear indication of dropped/missing packets.
TCP ZeroWindow - Occurs when a receiver advertises a receive window size of zero. This effectively tells the
sender to stop sending because the receiver's buffer is full. It indicates a resource issue on the receiver, as the
application is not retrieving data from the TCP buffer in a timely manner.
TCP ZeroWindowProbe - The sender is testing whether the receiver's zero window condition still exists by
sending the next byte of data to elicit an ACK from the receiver. If the window is still zero, the sender will
double its timer before probing again.
TCP ZeroWindowViolation - The sender has ignored the zero window condition of the receiver and sent
additional bytes of data.
TCP WindowUpdate - This indicates that the segment was a pure WindowUpdate segment. A WindowUpdate
occurs when the application on the receiving side has consumed already received data from the RX buffer,
causing the TCP layer to send a WindowUpdate to the other side to indicate that there is now more space
available in the buffer. It is typically seen after a TCP ZeroWindow condition has occurred: once the application
on the receiver retrieves data from the TCP buffer, thereby freeing up space, the receiver should notify the sender
that the TCP ZeroWindow condition no longer exists by sending a TCP WindowUpdate that advertises the
current window size.
TCP WindowFull - This flag is set on segments where the payload data in the segment will completely fill the
RX buffer on the host on the other side of the TCP session. The sender, knowing that it has sent enough data to
fill the last known RX window size, must now stop sending until at least some of the data is acknowledged (or
until the acknowledgement timer for the oldest unacknowledged packet expires). This causes delays in the flow
of data between sender and receiver and lowers throughput. When this event occurs, a ZeroWindow condition
might occur on the other host and we might see TCP ZeroWindow segments coming back. Note that this can
occur even if no ZeroWindow condition is ever triggered. For example, if the TCP window size is too small to
accommodate a high end-to-end latency, this will be indicated by TCP WindowFull, and in that case there will not
be any TCP ZeroWindow indications at all.
In this example, 10.0.52.164 is decreasing the window size, meaning that it
cannot process the data it receives on this connection. Eventually, a zero window
will appear, and keepalive messages will start in order to keep this application session alive.
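The expert-info definitions above are stateful: each one compares a segment with what the same side sent last and with what the other side has acknowledged and advertised. The Python below is an added example, not Wireshark's TCP analysis code. It applies simplified versions of those rules (DupACK, ZeroWindow, ZeroWindowProbe, ZeroWindowViolation, WindowUpdate and WindowFull, plus a plain Retransmission rule for any data segment below the sender's highest sequence number so far) to a constructed two-host trace in which the receiver's window shrinks to zero and recovers, as in the window-shrinking example just described, and in which a lost segment later triggers duplicate ACKs. Repeated acknowledgements carrying a zero window are reported as ZeroWindow rather than DupACK. Frame numbers, the "C"/"S" host labels, the relative sequence numbers and the rule thresholds are all assumptions of the example.

```python
"""Simplified TCP expert-info rules over a constructed two-host trace (added example, not Wireshark code)."""
from dataclasses import dataclass


@dataclass
class Segment:
    no: int       # frame number
    src: str      # "C" (client, sends data) or "S" (server, receives data)
    seq: int      # relative sequence number of the first payload byte
    ack: int      # relative acknowledgement number
    win: int      # advertised receive window in bytes (window scaling ignored)
    length: int   # payload bytes


def analyze(segments):
    """Return {frame number: [expert-info labels]} using simplified versions of the rules above."""
    state = {h: {"next_seq": None, "last_ack": None, "last_win": None} for h in ("C", "S")}
    flags = {}
    for s in segments:
        me = state[s.src]
        peer = state["S" if s.src == "C" else "C"]
        found = []
        if s.win == 0:
            found.append("ZeroWindow")            # receiver tells the sender to stop
        if s.length == 0:
            # pure ACK: compare with the previous ACK sent by the same side
            if s.win > 0 and me["last_ack"] == s.ack and me["last_win"] is not None:
                if s.win > me["last_win"]:
                    found.append("WindowUpdate")  # same ack, more room: the buffer was drained
                elif (s.win == me["last_win"] and peer["next_seq"] is not None
                      and s.ack < peer["next_seq"]):
                    found.append("DupACK")        # same ack, below what the peer already sent
        else:
            if peer["last_win"] == 0:
                # data sent into a zero window: a 1-byte probe at the ack point, or a violation
                if s.length == 1 and s.seq == peer["last_ack"]:
                    found.append("ZeroWindowProbe")
                else:
                    found.append("ZeroWindowViolation")
            elif (peer["last_ack"] is not None
                  and s.seq + s.length >= peer["last_ack"] + peer["last_win"]):
                found.append("WindowFull")        # this segment fills the last advertised window
            if me["next_seq"] is not None and s.seq < me["next_seq"]:
                found.append("Retransmission")    # simplified: data below the highest seq so far
        if s.length:
            me["next_seq"] = max(me["next_seq"] or 0, s.seq + s.length)
        me["last_ack"], me["last_win"] = s.ack, s.win
        flags[s.no] = found
    return flags


def sample_trace():
    """Constructed segments (not a real capture); columns: src, seq, ack, win, payload length."""
    rows = [
        ("S", 1, 1, 4000, 0),         # 1  S's initial ACK advertises a 4000-byte window
        ("C", 1, 1, 65535, 1000),     # 2
        ("C", 1001, 1, 65535, 3000),  # 3  fills the 4000-byte window -> WindowFull
        ("S", 1, 4001, 1000, 0),      # 4  S acks, but has only 1000 bytes of room left
        ("C", 4001, 1, 65535, 1000),  # 5  fills it again -> WindowFull
        ("S", 1, 5001, 0, 0),         # 6  ZeroWindow: the application is not reading
        ("C", 5001, 1, 65535, 1),     # 7  ZeroWindowProbe
        ("S", 1, 5001, 0, 0),         # 8  still ZeroWindow
        ("S", 1, 5001, 8000, 0),      # 9  WindowUpdate: the application drained the buffer
        ("C", 5001, 1, 65535, 2000),  # 10 resends the unacked probe byte plus new data
        ("C", 7001, 1, 65535, 1000),  # 11
        ("C", 9001, 1, 65535, 1000),  # 12 bytes 8001-9000 were lost on the way
        ("S", 1, 8001, 8000, 0),      # 13 S acks up to the gap
        ("C", 10001, 1, 65535, 1000), # 14
        ("S", 1, 8001, 8000, 0),      # 15 DupACK
        ("S", 1, 8001, 8000, 0),      # 16 DupACK
        ("C", 8001, 1, 65535, 1000),  # 17 Retransmission fills the gap
        ("S", 1, 11001, 8000, 0),     # 18 everything acknowledged
    ]
    return [Segment(i + 1, *r) for i, r in enumerate(rows)]


if __name__ == "__main__":
    trace = sample_trace()
    for s, f in zip(trace, analyze(trace).values()):
        print(f"{s.no:>2} {s.src} seq={s.seq:<6} ack={s.ack:<6} win={s.win:<6} len={s.length:<5} {' '.join(f)}")
```

Read the output the way the slides read the tcptrace graph: WindowFull on frames 3 and 5 is the sender running into a shrinking window, frames 6 to 9 are the zero-window episode and its recovery, and the duplicate ACKs on 15 and 16 repeat the ack number 8001 until the retransmission on frame 17 closes the gap.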