yoram@ndi-com.comPage 1
Network Troubleshooting Using Wireshark (Brief) January 2018
© All Rights Reserved to Yoram Orzach ©
In this section we talk about the principles of network troubleshooting.
There are three major types of debugging tools:
1. Standard PC (or operating system) tools – all the standard applications that you can run
from the command line on your PC or on a UNIX machine
2. Access to communication devices – switches, routers, etc.
3. Protocol analyzers – applications that analyze the packets and protocols that run on the
network
4. SNMP tools – applications and software that monitor the MIB (Management Information
Base) continuously, and can therefore also be used for network troubleshooting
5. Special tools – NetFlow, SolarWinds and other tools for engineering and special-case
monitoring
CLI tools, like ping and tracert (or traceroute, depending on the OS), will give you an
initial “feeling” of the network. You can get delay, jitter and packet loss with a simple
ping, and reachability tests with trace.
Telnet or web connectivity to communication devices will give you much more
data. You will be able to get the number of input and output packets on an interface,
the number of errors, CPU utilization, packet size distribution and much more.
Wireshark – well, this is the purpose of our seminar, so you will see …….
SNMP tools, like SNMPc, MRTG, WhatsUp Gold, HPOV-NNM and others, are
installed on a dedicated platform that continuously monitors the network and gives us a
network map, an event browser and other features, depending on the software. For
troubleshooting purposes, we will use the monitoring features, which give us
continuous monitoring of network parameters.
There are special tools like NetFlow, loggers etc. For example, with NetFlow we can
get accurate statistics of who is using the network (by IP address), what they are doing
(by port numbers – HTTP, mail etc.) and more. There are many tools for these
purposes.
If you need more than this, for example simulating network conditions, you can use
software tools (for example Shunra) or hardware devices that will simulate error
patterns, load, application loads and more.
In late 1997 Gerald Combs needed a tool for tracking down network problems and
wanted to learn more about networking, so he started writing Ethereal (the original
name of the Wireshark project) as a way to solve both problems.
Ethereal was initially released, after several pauses in development, in July 1998 as
version 0.2.0. Within days patches, bug reports, and words of encouragement started
arriving and Ethereal was on its way to success.
Not long after that Gilbert Ramirez saw its potential and contributed a low-level
dissector to it. In October 1998 Guy Harris was looking for something better than
tcpview, so he started applying patches and contributing dissectors to Ethereal. In late
1998 Richard Sharpe, who was giving TCP/IP courses, saw its potential on such
courses and started looking at it to see if it supported the protocols he needed. While it
didn’t at that point, new protocols could be easily added. So he started contributing
dissectors and contributing patches. The list of people who have contributed to the
project has become very long since then, and almost all of them started with a protocol
that they needed that Wireshark did not already handle. So they copied an existing
dissector and contributed the code back to the team.
In 2006 the project moved house and re-emerged under a new name: Wireshark.
In 2008, after ten years of development, Wireshark finally arrived at version 1.0. This release
was the first considered complete, with the minimum features implemented.
In 2010 the project was acquired by Riverbed, with a commitment to keep it open source.
In 2015 Wireshark 2.0 was released, which featured a new user interface.
With Wireshark we can:
• Capture packets
• Watch smart statistics and graphs and analyze them
• Define capture and display filters
• Using all of the above – analyze problems
What Wireshark cannot do for you:
• It is not an automatic tool, and certainly not a “magic” tool. You don’t just
connect it to the network and it tells you the problems.
• It is not suitable for long-term monitoring.
• It is not suitable for heavy-traffic monitoring.
The File menu contains items to open and merge capture files, save, print, or export
capture files in whole or in part, and to quit the Wireshark application.
You can for example configure a display filter on the data that interest you, and then
from here, using Export Specified Packets, export only this data to a file.
The Edit menu contains items to find a packet, time reference or mark one or more
packets, handle configuration profiles, and set your preferences.
You can for example use Find Packet when you look for a string in a text, for
example a website, a URL, DNS name or any other string in the captured file.
The View menu controls the display of the captured data, including colorization of
packets, zooming the font, showing a packet in a separate window, and expanding and
collapsing trees in the packet details.
Here, for example, we can set the Time Display Format, Name Resolution in Layers
2, 3 and 4 and other features to customize the display.
The Go menu contains items to go to a specific packet – including to a packet
number, next or previous packet, first or last packet and so on.
Like all menus, items here have keyboard shortcuts to make life easier, use them.
The Capture menu allows you to start and stop captures and to edit capture filters.
This will be explained later in this lesson.
The Analyze menu is one of the menus you will use a lot during network
troubleshooting. It contains items to manipulate display filters, enable or disable the
dissection of protocols, configure user-specified decodes and follow a TCP stream.
We will discuss some of these features in detail later in the course.
One of the important menus is the Statistics menu. This menu contains items to
display various statistics windows, including a summary of the packets that have
been captured, protocol hierarchy statistics and much more.
Later in this course we will dive deep into some of its features, mostly into the IO and
Stream Graphs, which are two of the most important Wireshark features.
The Telephony menu supports various telephony protocols. Here you find, for
example, the Real-time Transport Protocol, RTP, which is used for carrying multimedia information,
the Session Initiation Protocol, SIP, which is used for signaling, and other protocols.
The Wireless menu shows Bluetooth and IEEE 802.11 wireless statistics.
Many tools that can assist you with protocol analysis can be found in:
https://wiki.wireshark.org/Tools
The Help menu contains items to help the user with access to some basic help,
manual pages of the various command line tools, online access to some of the
webpages, and the usual about dialog.
The colorized bullet on the left shows the highest expert info level found in the
currently loaded capture file. Moving the mouse over this icon will show a textual
description of the expert info level, and clicking the icon will bring up the Expert
Infos dialog box. Here we see that the highest message level is the Warn level.
To the right of the colorized bullet we see information about the capture file: its
name, its size and the elapsed time while it was being captured. Hovering over a file
name will show its full path and size.
Next to the right we see the current number of packets in the capture file. The
following values are displayed:
• Packets: The number of captured packets.
• Displayed: The number of packets currently being displayed.
• Marked: The number of marked packets. These are only displayed if packets are
marked.
• Dropped: The number of dropped packets. These are displayed only if Wireshark
was unable to capture all packets, for example under heavy traffic.
• Ignored: The number of ignored packets. These are only displayed if packets are ignored.
• Load time: The time it took to load the capture.
On the right side we see the selected configuration profile. Clicking in this part of the status
bar will bring up a menu with all available configuration profiles, and selecting from this list
will change the configuration profile.
In Cisco – SPAN - Switched Port Analyzer:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml
In Juniper – Port Mirror:
http://www.juniper.net/techpubs/en_US/junos9.2/topics/concept/port-mirroring-ex-series-overview.html
Instead of connecting a switch on the link you wish to monitor, you can connect a
device called a Test Access Point (TAP), which is a simple three-port device that in
this case plays the same role as the switch. The advantage of a tap over a switch
is its simplicity and price. Taps also forward errored frames, which can then be seen in
Wireshark, unlike a LAN switch, which drops them.
Wireshark uses the libpcap filter language for capture filters. Libpcap is a portable
C/C++ library for network traffic capture.
You can find additional information on the libpcap web site,
http://www.tcpdump.org/, and capture filter examples at
http://wiki.wireshark.org/CaptureFilters.
Here we see that in order to configure a capture filter we go through the following
steps:
• Click on the capture filter symbol, fourth from the left on the symbol toolbar
• Choose the interface on which we want to configure the filter
• Configure the filter on the bar at the bottom of the capture filter window
Some examples of capture filters:
• ether host 00:08:15:00:08:15 for capturing only packets from and to a
specific MAC address
• host 192.168.0.1 for capturing only packets from and to a specific IP
address
• tcp port http for capturing only packets from and to a specific TCP port
We can configure different filters on different interfaces. Here, for example, we see a
MAC address filter on the Wireless LAN interface and a TCP port filter on the
Gigabit Ethernet interface.
A capture filter takes the form of a series of primitive expressions connected by
and/or and optionally preceded by not:
[not] primitive [and|or [not] primitive ...]
Where:
• Primitive is the basic condition
• Logical and/or can be used to combine primitives
• Not can be used to negate a condition
Primitives are:
[src|dst] host <host>
This primitive allows you to filter on a host IP address or name. You can optionally precede the primitive with the
keyword src|dst to specify that you are only interested in source or destination addresses. If these are not present,
packets where the specified address appears as either the source or the destination address will be selected.
ether [src|dst] host <ehost>
This primitive allows you to filter on Ethernet host addresses. You can optionally include the keyword src|dst
between the keywords ether and host to specify that you are only interested in source or destination addresses. If
these are not present, packets where the specified address appears in either the source or destination address will be
selected.
gateway host <host>
This primitive allows you to filter on packets that used host as a gateway. That is, where the Ethernet source or destination was
host but neither the source nor destination IP address was host.
[src|dst] net <net> [{mask <mask>}|{len <len>}]
This primitive allows you to filter on network numbers. You can optionally precede this primitive with the keyword src|dst to
specify that you are only interested in a source or destination network. If neither of these are present, packets will be selected that
have the specified network in either the source or destination address. In addition, you can specify either the netmask or the CIDR
prefix for the network if they are different from your own.
[tcp|udp] [src|dst] port <port>
This primitive allows you to filter on TCP and UDP port numbers. You can optionally precede this primitive with the keywords
src|dst and tcp|udp which allow you to specify that you are only interested in source or destination ports and TCP or UDP
packets respectively. The keywords tcp|udp must appear before src|dst.
If these are not specified, packets will be selected for both the TCP and UDP protocols and when the specified address appears in
either the source or destination port field.
less|greater <length>
This primitive allows you to filter on packets whose length was less than or equal to the specified length, or greater than or equal
to the specified length, respectively.
ip|ether proto <protocol>
This primitive allows you to filter on the specified protocol at either the Ethernet layer or the IP layer.
ether|ip broadcast|multicast
This primitive allows you to filter on either Ethernet or IP broadcasts or multicasts.
<expr> relop <expr>
This primitive allows you to create complex filter expressions that select bytes or ranges of bytes in packets. Please see the
tcpdump man page at http://www.tcpdump.org/tcpdump_man.html for more details.
Examples:
host 10.10.10.10
Capture all packets to and from 10.10.10.10
src host 10.10.10.10
Capture all packets where 10.10.10.10 is the source
dst host 10.10.10.10
Capture all packets where 10.10.10.10 is the destination
For port numbers, we can configure:
• The filter port with a port number, for example port 80 to capture all packets to and from
port 80, that is HTTP.
• The filter src port with a port number, for example src port 80 to capture all packets
from port 80, that is HTTP.
• The filter dst port with a port number, for example dst port 80 to capture all packets to
port 80, that is HTTP.
For network addresses we can configure the following filters:
• The filter net with the network address, given as a network address and the
number of bits in the mask, for example net 192.168.1.0/24 for the class-C
address 192.168.1.0
• For a source network we configure the filter src net and the source network
address in the same format, for example src net 192.168.1.0/24
• For a destination network we configure the filter dst net and the destination
network address in the same format, for example dst net 192.168.1.0/24
More examples:
tcp dst port 3128
Displays packets with destination TCP port 3128.
ip src host 10.1.1.1
Displays packets with source IP address equal to 10.1.1.1.
host 10.1.2.3
Displays packets with source or destination IP address equal to 10.1.2.3.
src portrange 2000-2500
Displays packets with source UDP or TCP ports in the 2000-2500 range.
not icmp
Displays everything except ICMP packets (ICMP is typically used by the ping tool).
src host 10.7.2.12 and not dst net 10.200.0.0/16
Displays packets with source IP address equal to 10.7.2.12 and, at the same time, a
destination IP address that is not in the network 10.200.0.0/16.
(src host 10.4.1.12 or src net 10.6.0.0/16) and tcp dst portrange 200-10000 and dst net 10.0.0.0/8
Displays packets with source IP address 10.4.1.12 or source network 10.6.0.0/16; this result is then
combined (and) with the conditions of destination TCP port range 200 to 10000 and destination IP
network 10.0.0.0/8.
Compound filters can be used, for example, for:
• Specific traffic that we are interested in, to a specific port on a specific server or
servers
• Specific traffic from/to specific network(s)
And many other possibilities.
Capture only Ethernet type EAPOL:
• ether proto 0x888e
Capture only IP traffic - the shortest filter, but sometimes very useful to get rid of
lower layer protocols like ARP and STP:
• ip
Capture only unicast traffic - useful to get rid of noise on the network if you only
want to see traffic to and from your machine, not, for example, broadcast and
multicast announcements:
• not broadcast and not multicast
The first way to configure display filters is to click the “Expression…” button to the
right of the display filter tab. You click on it and the display filter expression
window opens.
In this window you have the following parts:
• The field name, in which you choose the filter. You can scroll down to the
protocol and then double-click on it, and all the filters under this protocol will be
opened.
• In the search tab below the field name you can search for a filter string. For
example, if you search for “retransmission”, TCP is opened, presenting you all
possible “retransmission” filters.
• In the “Relation” part of this window you choose whether the display filter should be
present, equal or not equal, greater or smaller than, greater or equal, smaller or
equal to, or contains or matches a specific value that you write in the value field.
• In some cases, for example with TCP flags, you can choose if a flag is present or not, and
then the “preferred values” window will become active and you will be able to choose a value;
in the case of TCP flags it will be “Set” or “Not Set”.
You can choose here many values, many of them added in version two of the software.
Another way to use the display filter is simply to write the filter string in the filter
tab. Auto-complete is enabled here, so after getting used to the display filter syntax,
this is quite a good way to use them.
To use the filter expression:
1. Write the expression you want to use
2. Apply the filter string. You can also use <Enter>
3. From the drop-down arrow you can choose previously defined filters
4. To edit a filter expression use the button to the left of the display filter tab. It will
take you to the preferences window. You will see this in the next slide.
The last and easiest way is to go to the packet details pane, right-click on the field
you want to filter and choose:
1. Apply as Filter, or
2. Prepare as Filter
In each of them you can choose “the selected filter”, “Not the selected filter”,
the “selected filter and”, the “selected filter or” and so on.
The only thing you have to do is to decide which field of the protocol in the packet
you want to monitor and choose it.
The first example was a dissector problem. The second one was a bad LAN switch.
The Conversations window presents statistics about:
• Ethernet addresses
• IPv4 and IPv6 addresses
• TCP and UDP port numbers
• Additional session parameters that can be added in Conversation Types, at the
bottom right of the window.
In example 6.1 we see:
• When we choose the IPv4 tab and click on the column header to sort by the number of
packets, we see nearly five thousand packets between 172.20.0.10 and
172.30.0.22
At the bottom left of the window you can mark the checkboxes:
• Name resolution: for translating MAC addresses, IP addresses and TCP/UDP port
numbers. Name resolution has to be configured in the main window (from the
View menu)
• Limit to display filter: for displaying only what is configured in the display filter
To check what exactly is running between the two hosts, we click on the TCP tab,
and we see that two TCP connections are open:
• From port 57604 to 445, that is SMB
• From port 58479 also to 445, again an SMB connection
To look for other sessions that are not TCP we simply click on the UDP tab, and we
see in this case nearly 800 packets from 0.0.0.0 to 172.30.0.0.
To see what they are we right-click on this line, choose Apply as Filter, and we see that
these are Check Point High Availability packets that are sent between Check Point
firewalls.
In this second example, we see more than 137,000 packets in 61 seconds, all SMB
packets sent to 172.30.0.10.
We’ll get back to this example in the SMB and NetBIOS chapters.
A network endpoint is the logical endpoint of separate protocol traffic of a specific protocol layer.
The endpoint statistics of Wireshark will take the following endpoints into account:
Ethernet: an Ethernet endpoint is identical to the Ethernet's MAC address.
IPv4: an IPv4 endpoint is identical to its IP address.
IPv6: an IPv6 endpoint is identical to its IP address.
TCP: a TCP endpoint is a combination of the IP address and the TCP port used, so different TCP
ports on the same IP address are different TCP endpoints.
UDP: a UDP endpoint is a combination of the IP address and the UDP port used, so different UDP
ports on the same IP address are different UDP endpoints.
Like in the conversation window you can configure here to resolve addresses or to limit the
information on the window to the pre-configured display filter.
In this example, you see the Endpoints window, where:
• On the Ethernet tab, the majority of the packets go to two Juniper devices. These
can be routers, layer-3 switches or firewalls.
• On the IPv4 tab, we see that the majority of the traffic goes to 172.16.20.20, which is the
network router, and a lot of traffic also comes from 10.100.1.63, which is a
simple client at one of the network sites.
Don’t forget that the information you see is limited to the capture time, so if, like
here, you see a load from a specific client, it can be because the client happened to
perform some operation during the capture period.
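The Conversations window described earlier and the Endpoints window described here are the same aggregation keyed differently. The following is an added example (not Wireshark's code) that builds both tables from constructed packet summaries; the Name resolution and "Limit to display filter" checkboxes are modelled as the `names` and `display_filter` arguments, and the MAC addresses, UDP port 5000 and packet sizes are made up.

```python
"""Conversation and endpoint statistics as the Statistics menu builds them.

Added example (not Wireshark code): groups constructed packet summaries the
way the Conversations and Endpoints windows do, per layer (eth, ipv4, tcp,
udp), with the two checkboxes from the slides modelled as arguments.
"""
from collections import defaultdict

MAC_CLIENT, MAC_SERVER = "00:00:00:00:00:01", "00:00:00:00:00:02"  # constructed
MAC_FW, MAC_BCAST = "00:00:00:00:00:03", "ff:ff:ff:ff:ff:ff"       # constructed


def _pkt(src_mac, dst_mac, src, dst, proto, sport, dport, length):
    return {"eth_src": src_mac, "eth_dst": dst_mac, "src": src, "dst": dst,
            "proto": proto, "sport": sport, "dport": dport, "len": length}


# Constructed sample traffic (not a real capture): five SMB segments on two
# TCP connections to port 445, plus three UDP packets from 0.0.0.0.
SAMPLE_PACKETS = [
    _pkt(MAC_CLIENT, MAC_SERVER, "172.20.0.10", "172.30.0.22", "tcp", 57604, 445, 1514),
    _pkt(MAC_SERVER, MAC_CLIENT, "172.30.0.22", "172.20.0.10", "tcp", 445, 57604, 66),
    _pkt(MAC_CLIENT, MAC_SERVER, "172.20.0.10", "172.30.0.22", "tcp", 57604, 445, 1514),
    _pkt(MAC_CLIENT, MAC_SERVER, "172.20.0.10", "172.30.0.22", "tcp", 58479, 445, 200),
    _pkt(MAC_SERVER, MAC_CLIENT, "172.30.0.22", "172.20.0.10", "tcp", 445, 58479, 300),
] + [_pkt(MAC_FW, MAC_BCAST, "0.0.0.0", "172.30.0.0", "udp", 5000, 5000, 100)] * 3


def endpoint_keys(pkt, layer, names=None):
    """(source endpoint, destination endpoint) of pkt at the given layer, or
    None when the packet has no endpoint there (e.g. a TCP segment on the UDP
    tab). `names` maps addresses to resolved names (the Name resolution box)."""
    names = names or {}
    if layer == "eth":
        return names.get(pkt["eth_src"], pkt["eth_src"]), names.get(pkt["eth_dst"], pkt["eth_dst"])
    src, dst = names.get(pkt["src"], pkt["src"]), names.get(pkt["dst"], pkt["dst"])
    if layer == "ipv4":
        return src, dst
    if layer in ("tcp", "udp") and pkt["proto"] == layer:
        return (src, pkt["sport"]), (dst, pkt["dport"])     # address + port
    return None


def conversations(packets, layer, names=None, display_filter=None):
    """Rows of the Conversations window, heaviest conversation first: each
    row is ((endpoint A, endpoint B), stats) with counts in both directions."""
    rows = defaultdict(lambda: {"packets": 0, "bytes": 0, "a_to_b": 0, "b_to_a": 0})
    for pkt in packets:
        if display_filter and not display_filter(pkt):   # Limit to display filter
            continue
        ends = endpoint_keys(pkt, layer, names)
        if ends is None:
            continue
        a, b = sorted(ends)            # one row per unordered pair of endpoints
        row = rows[(a, b)]
        row["packets"] += 1
        row["bytes"] += pkt["len"]
        row["a_to_b" if ends[0] == a else "b_to_a"] += 1
    return sorted(rows.items(), key=lambda kv: kv[1]["packets"], reverse=True)


def endpoints(packets, layer, names=None, display_filter=None):
    """Rows of the Endpoints window: per endpoint, packets sent and received."""
    rows = defaultdict(lambda: {"packets": 0, "bytes": 0, "tx_packets": 0, "rx_packets": 0})
    for pkt in packets:
        if display_filter and not display_filter(pkt):
            continue
        ends = endpoint_keys(pkt, layer, names)
        if ends is None:
            continue
        for end, direction in zip(ends, ("tx_packets", "rx_packets")):
            row = rows[end]
            row["packets"] += 1
            row["bytes"] += pkt["len"]
            row[direction] += 1
    return sorted(rows.items(), key=lambda kv: kv[1]["packets"], reverse=True)
```

`conversations(SAMPLE_PACKETS, "tcp")` lists the 57604 connection (3 packets) above the 58479 one, exactly the two SMB rows seen on the TCP tab.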
The IO Graph is one of the important features of Wireshark. Using the IO graphs,
with filters when required, gives a clear picture of network traffic and possible
problems.
You can add graphs or delete them by clicking on the (+) or (-) buttons.
You can also change the mouse options:
• Drag is used for changing the graph position
• Zoom is used to zoom in or out of the graph
You can also change:
• The time interval, increasing or decreasing it
• The Y-axis scale, from linear to logarithmic
When looking at the graphs, in the lower window we can see:
• Name: the name given to the graph
• Filter: a display filter for this graph (only the packets that pass this filter will be
taken into account for this graph)
• Color: the color of the graph (cannot be changed)
• Style: the style of the graph: Line, Impulse, FBar, Dot, Stacked bar, Dots,
Squares, Diamonds
• Y field: what will be plotted on the Y-axis
• Smoothing: smoothing of the Y-axis graph
An important point is that the Y-axis can be configured to bits/s, Bytes/s, Packets/s
and other parameters that are not time-related. We’ll talk about it later in this lesson.
To see the traffic graph of a specific stream:
• To view all data streams, use the Conversations tool from the Statistics menu. In
the Conversations window, we choose the stream with the highest number of
packets to see how it loads the line we monitor
• Open the IO Graph window, and copy the display filter string into a new graph.
What you see is the amount of traffic of the specific stream.
In our example, we see that the specific stream that we filtered has 60-70
packets/second, while the peaks come from other traffic.
We go deeper into the stream, and try to figure out where the peaks come from.
Here we see that the red line of the filtered graph and the black line of all the traffic
overlap, so we have found the session that generated the peaks.
In the protocol lessons later in the next course we will see how to find what exactly
generated these peaks.
Here we see that if we want to see the traffic pattern of the two heaviest flows in this
capture file:
• We use the Statistics – Conversations window to figure out what these flows
are
• We add two additional graphs, with filters that will show us these flows
• By zooming in on the streams we can see exactly how each of these streams
behaves
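The IO Graph procedure above (interval buckets, one display filter per graph, then checking which filtered line overlaps the total at the peaks) in code. This is an added example, not Wireshark's own implementation: the capture is a constructed list of packet summaries, the display filters are Python predicates standing in for Wireshark's filter strings, and the Y field is summed per interval rather than shown as a per-second rate.

```python
"""IO-graph style bucketing of a capture into time intervals.

Added example (not Wireshark code): each graph is a name plus a
display-filter predicate, packets are summed per interval into the chosen
Y field (packets, bytes or bits), and find_peak_source() reports which
filtered graph overlaps the "All packets" line at its highest interval,
which is how the slides identify the session behind the peaks.
"""
import math

# Constructed sample capture, not real traffic: a steady 3 packets/s stream
# for six seconds, a 10-packet burst from a second host at t=2 s, and one
# stray UDP packet at t=4.5 s.
SAMPLE_PACKETS = (
    [{"time": s + 0.25 * k, "src": "10.1.1.5", "dst": "10.1.1.9", "proto": "tcp", "len": 200}
     for s in range(6) for k in range(3)]
    + [{"time": 2.0 + 0.05 * k, "src": "10.2.2.7", "dst": "10.1.1.9", "proto": "tcp", "len": 1400}
       for k in range(10)]
    + [{"time": 4.5, "src": "10.3.3.1", "dst": "10.1.1.9", "proto": "udp", "len": 100}]
)

# Graph name plus display filter, as typed into the lower window of the IO graph.
GRAPHS = [
    ("All packets", lambda pkt: True),
    ("stream A", lambda pkt: pkt["src"] == "10.1.1.5"),
    ("stream B", lambda pkt: pkt["src"] == "10.2.2.7"),
]


def _y_value(pkt, y_field):
    """Contribution of one packet to the chosen Y field."""
    if y_field == "packets":
        return 1
    if y_field == "bytes":
        return pkt["len"]
    if y_field == "bits":
        return pkt["len"] * 8
    raise ValueError("unknown Y field: %s" % y_field)


def io_graph(packets, graphs=GRAPHS, interval=1.0, y_field="packets"):
    """{graph name: [Y value per interval]} over the whole capture span."""
    n_buckets = int(math.floor(max(p["time"] for p in packets) / interval)) + 1
    series = {name: [0] * n_buckets for name, _ in graphs}
    for pkt in packets:
        bucket = int(pkt["time"] // interval)
        for name, display_filter in graphs:
            if display_filter(pkt):            # only packets passing the filter count
                series[name][bucket] += _y_value(pkt, y_field)
    return series


def find_peak_source(series, total_name="All packets"):
    """(peak interval, graph name, share): the filtered graph that accounts
    for the largest share of the busiest interval of the total line."""
    total = series[total_name]
    peak = max(range(len(total)), key=lambda i: total[i])
    best, share = None, 0.0
    for name, values in series.items():
        if name == total_name or total[peak] == 0:
            continue
        if values[peak] / total[peak] > share:
            best, share = name, values[peak] / total[peak]
    return peak, best, share
```

With the sample capture the "All packets" line peaks in the third interval, and `find_peak_source` attributes about 77% of that peak to stream B, the burst source.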
There are four types of TCP graphs:
• Round Trip Time – shows the round trip time for ACKs over time
• Throughput – measures throughput using TCP sequence numbers
• Time-Sequence (Stevens) – a graph of TCP sequence numbers versus time. This
helps us see if traffic is moving along without interruption, packet loss or long
delays
• Time-Sequence (tcptrace) – a graph of TCP sequence numbers versus time. It also
keeps track of the ACK values received from the other endpoint and tracks the
receive window advertised by the other endpoint.
A few quick items to note:
• You can use the ‘i’ key to zoom in at the current mouse position
• You can use the ‘o’ key to zoom out from the current mouse position
• You can right-click, hold and drag around the graph
• You can left-click, hold and drag a rectangle to zoom in on a region
• You can single left-click on a segment or ACK to go to that packet in the pcap (very
useful)
Rcv Win – indicates the window size advertised by the receiver.
Bytes Out – indicates the number of bytes sent by the sender and not yet acknowledged (bytes in flight).
A stable receive window indicates healthy receiver behaviour. An unstable one, for example a saw-tooth pattern, indicates that the receiving application is not draining its buffer steadily; if the Bytes Out line repeatedly reaches the Rcv Win line, the window, not the network, is what limits throughput.
If we go back to the OSI-RM definitions, layers 1 and 2 are the LAN and WAN protocols. IP, and therefore TCP, works over any of them.
In layer 3, the protocol that provides end-to-end connectivity is IP – the Internet Protocol. Alongside IP there are special-purpose protocols like ICMP (used by the ping command).
ARP (Address Resolution Protocol) and RARP (Reverse ARP) are used for address resolution between layer-2 LAN addresses and layer-3 IP addresses.
In layer 4 we have two protocols for application connectivity – TCP (Transmission Control Protocol), which is a connection-oriented, reliable protocol, and UDP (User Datagram Protocol), which is a connectionless, unreliable protocol.
In layers 5 to 7, the “upper layers”, we have two types of protocols:
•Those that require reliability, like FTP, HTTP and others – they work on top of the reliable TCP infrastructure. Of course, TCP's handshake, acknowledgements and retransmissions add overhead and delay.
•Those that do not require reliability, or that need speed more than reliability (voice, video, DNS queries) – they work on top of the faster, unreliable UDP.
Protocol   Connection-oriented   Reliable
TCP        YES                   YES
UDP        NO                    NO
Something happens here every 2.5 seconds that causes transmission to hold for that period of time. Let's find out what it might be.
TCP DupACK – occurs when the same ACK number is seen again AND it is lower than the last byte of data sent by the sender (i.e. there is still unacknowledged data beyond it).
If the receiver detects a gap in the sequence numbers, it generates a duplicate ACK for each subsequent segment it receives on that connection, until the missing segment is received (usually by retransmission).
DupACKs are a clear indication of dropped or missing packets. Note that a segment that merely arrived out of order also produces one or two of them, which is why a sender waits for three duplicate ACKs before fast-retransmitting.
TCP ZeroWindow – occurs when a receiver advertises a receive window size of zero. This effectively tells the sender to stop sending because the receiver's buffer is full. It indicates a resource issue on the receiver: the application is not retrieving data from the TCP buffer in a timely manner.
TCP ZeroWindowProbe – the sender is testing whether the receiver's zero-window condition still exists by sending the next byte of data to elicit an ACK from the receiver. If the window is still zero, the sender doubles its timer before probing again.
TCP ZeroWindowViolation – the sender has ignored the zero-window condition of the receiver and sent additional bytes of data.
TCP WindowUpdate – indicates that the segment was a pure WindowUpdate segment. A WindowUpdate occurs when the application on the receiving side has consumed already received data from the RX buffer, causing the TCP layer to send a WindowUpdate to the other side to indicate that there is now more space available in the buffer. It is typically seen after a TCP ZeroWindow condition: once the application on the receiver retrieves data from the TCP buffer, freeing up space, the receiver notifies the sender that the ZeroWindow condition no longer exists by sending a WindowUpdate that advertises the current window size.
TCP WindowFull – this flag is set on segments whose payload will completely fill the RX buffer on the host on the other side of the TCP session. The sender, knowing that it has sent enough data to fill the last known RX window size, must now stop sending until at least some of the data is acknowledged (or until the retransmission timer for the oldest unacknowledged segment expires). This causes delays in the flow of data between sender and receiver and lowers throughput. When this event occurs, a ZeroWindow condition might occur on the other host and we might see TCP ZeroWindow segments coming back. Do note that WindowFull can occur even if no ZeroWindow condition is ever triggered: if the TCP window size is too small to accommodate a high end-to-end latency (the bandwidth-delay product), WindowFull will be flagged repeatedly and there will be no TCP ZeroWindow indications at all.
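The DupACK condition above and the window conditions just listed are heuristics Wireshark evaluates per direction of a connection. The following is an added example, not Wireshark's code, that implements simplified versions of them (DupACK, ZeroWindow, ZeroWindowProbe, ZeroWindowViolation, WindowUpdate, WindowFull, plus a plain Retransmission tag) over a constructed two-way trace in which one segment is lost and the receiver's window later closes. Frame numbers, the TEST-NET addresses and the exact rule thresholds are assumptions; window scaling, SACK and keep-alives are left out.

```python
"""Simplified TCP expert heuristics (DupACK, ZeroWindow, ZeroWindowProbe,
ZeroWindowViolation, WindowUpdate, WindowFull, Retransmission) applied to a
constructed trace.

Added example, not Wireshark's code: the rules follow the descriptions in
the text. Window values are taken as already scaled; SACK and keep-alives
are ignored.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Seg:
    no: int            # frame number
    t: float           # capture time (s)
    src: str
    dst: str
    seq: int           # relative sequence number
    ack: int           # relative acknowledgement number
    length: int        # payload bytes
    win: int           # advertised window
    flags: str = "A"   # TCP flags as letters: S, A, P, F, R


@dataclass
class Side:
    """Per-direction state, in the spirit of Wireshark's fwd/rev analysis."""
    nextseq: int = 0    # highest seq+len this side has sent
    lastack: int = 0    # ack number in its most recent segment
    lastwin: int = -1   # window in its most recent segment (-1: none seen yet)
    dupacks: int = 0    # consecutive duplicate ACKs of lastack


A, B = "192.0.2.1:40000", "192.0.2.2:80"   # assumed addresses (TEST-NET)

TRACE: List[Seg] = [   # constructed by hand
    Seg(1,  0.000, A, B, 0,     1,     1000, 65535, "PA"),
    Seg(2,  0.001, A, B, 1000,  1,     1000, 65535, "PA"),   # assume lost after capture
    Seg(3,  0.002, A, B, 2000,  1,     1000, 65535, "PA"),
    Seg(4,  0.003, A, B, 3000,  1,     1000, 65535, "PA"),
    Seg(5,  0.050, B, A, 1,     1000,  0,    8000),          # acks bytes 0..999
    Seg(6,  0.052, B, A, 1,     1000,  0,    8000),          # gap at 1000: DupACK#1
    Seg(7,  0.053, B, A, 1,     1000,  0,    8000),          # DupACK#2
    Seg(8,  0.100, A, B, 1000,  1,     1000, 65535, "PA"),   # retransmission of frame 2
    Seg(9,  0.150, B, A, 1,     4000,  0,    8000),          # everything to 3999 acked
    Seg(10, 0.200, A, B, 4000,  1,     4000, 65535, "PA"),
    Seg(11, 0.201, A, B, 8000,  1,     4000, 65535, "PA"),   # fills the 8000-byte window
    Seg(12, 0.250, B, A, 1,     12000, 0,    0),             # receiver buffer full
    Seg(13, 0.450, A, B, 12000, 1,     1,    65535, "PA"),   # one-byte probe
    Seg(14, 0.900, B, A, 1,     12000, 0,    16000),         # application drained buffer
    Seg(15, 0.901, A, B, 12000, 1,     1000, 65535, "PA"),
]


def analyze(trace: List[Seg]) -> Dict[int, List[str]]:
    """Return {frame number: [tags]} for every frame that triggers a rule."""
    sides: Dict[str, Side] = {}
    tags: Dict[int, List[str]] = {}
    for s in trace:
        me, peer = sides.setdefault(s.src, Side()), sides.setdefault(s.dst, Side())
        ctl = set(s.flags) & set("SFR")      # SYN/FIN/RST are exempt from window rules
        found: List[str] = []
        if s.ack != me.lastack:              # a new ack number ends any DupACK run
            me.dupacks = 0
        if s.win == 0 and not ctl:
            found.append("ZeroWindow")
        # A pure ACK repeating the previous ack and seq is a WindowUpdate if only
        # the window changed, and a DupACK if nothing changed while the peer still
        # has data outstanding beyond the acked byte.
        if s.length == 0 and not ctl and me.lastwin >= 0 and s.ack == me.lastack and s.seq == me.nextseq:
            if s.win != me.lastwin:
                found.append("WindowUpdate")
            elif s.win and s.ack < peer.nextseq:
                me.dupacks += 1
                found.append(f"DupACK#{me.dupacks}")
        probe = s.length == 1 and peer.lastwin == 0 and s.seq == me.nextseq
        if probe:
            found.append("ZeroWindowProbe")
        elif s.length > 0 and peer.lastwin == 0:
            found.append("ZeroWindowViolation")   # data pushed into a closed window
        if s.length > 0 and s.seq < me.nextseq:
            found.append("Retransmission")        # simplified: no fast/spurious/out-of-order split
        if s.length > 0 and peer.lastwin > 0 and s.seq + s.length >= peer.lastack + peer.lastwin:
            found.append("WindowFull")            # fills the last window the peer advertised
        if found:
            tags[s.no] = found
        if not probe:                             # the probe byte is not counted as in-flight data
            me.nextseq = max(me.nextseq, s.seq + s.length)
        me.lastack, me.lastwin = s.ack, s.win
    return tags


if __name__ == "__main__":
    for no, found in analyze(TRACE).items():
        print(f"frame {no}: {', '.join(found)}")
```

Running it tags frames 6 and 7 as DupACK#1 and #2, frame 8 as the retransmission, frame 11 as WindowFull, frame 12 as ZeroWindow, frame 13 as the probe and frame 14 as the WindowUpdate that reopens the flow. Note that the DupACK rule deliberately requires a non-zero window: repeated zero-window advertisements in reply to probes are a different condition and should not inflate a loss count.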
In this example, 10.0.52.164 is decreasing its window size, meaning that it cannot process the data it receives on this connection as fast as it arrives. Eventually a zero window will be advertised, and keepalive-style probe messages will start, to keep the connection alive until the receiver reopens its window.
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptx
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 

Network Analysis Using Wireshark Jan 18- seminar

• 8. SNMP tools, like SNMPc, MRTG, WhatsUp Gold, HP OpenView NNM and others, are installed on a dedicated platform that continuously monitors the network and gives us a network map, an event browser and other features, depending on the software. For troubleshooting purposes we use the monitoring features, which give us continuous monitoring of network parameters.
• 9. There are special tools like NetFlow collectors, loggers etc. For example, with NetFlow we can get accurate statistics of who is using the network (by IP address), what they are doing (by port numbers: HTTP, mail etc.) and more. There are many tools for these purposes.
• 10. If you need more than this, for example simulating network conditions, you can use software tools (for example Shunra) or hardware devices that simulate error patterns, load, application loads and more.
• 11. In this section we talk about the principles of network troubleshooting.
• 12. In late 1997 Gerald Combs needed a tool for tracking down network problems and wanted to learn more about networking, so he started writing Ethereal (the original name of the Wireshark project) as a way to solve both problems. Ethereal was initially released, after several pauses in development, in July 1998 as version 0.2.0. Within days patches, bug reports and words of encouragement started arriving, and Ethereal was on its way to success. Not long after that Gilbert Ramirez saw its potential and contributed a low-level dissector to it. In October 1998 Guy Harris was looking for something better than tcpview, so he started applying patches and contributing dissectors to Ethereal. In late 1998 Richard Sharpe, who was giving TCP/IP courses, saw its potential on such courses and started looking at it to see if it supported the protocols he needed. While it didn't at that point, new protocols could be easily added, so he started contributing dissectors and patches. The list of people who have contributed to the project has become very long since then, and almost all of them started with a protocol that they needed and that Wireshark did not already handle. So they copied an existing dissector and contributed the code back to the team.
• 13. In 2006 the project moved house and re-emerged under a new name: Wireshark. In 2008, after ten years of development, Wireshark finally arrived at version 1.0, the first release considered complete, with the minimum feature set implemented. In 2010 the company sponsoring Wireshark was acquired by Riverbed, with a commitment to keep the project open source. In 2015 Wireshark 2.0 was released, which featured a new user interface.
• 14. With Wireshark we can:
  • Capture packets
  • Watch smart statistics and graphs and analyze them
  • Define capture and display filters
  • Using all of the above, analyze problems
  What Wireshark cannot do for you:
  • It is not an automatic tool, and certainly not a "magic" tool. You don't just connect it to the network and it tells you the problems.
  • It is not suitable for long-term monitoring.
  • It is not suitable for heavy traffic monitoring.
• 17. The File menu contains items to open and merge capture files; save, print or export capture files in whole or in part; and quit the Wireshark application. You can, for example, configure a display filter on the data that interests you and then, using Export Specified Packets, export only this data to a file.
• 18. The Edit menu contains items to find a packet, set a time reference or mark one or more packets, handle configuration profiles and set your preferences. You can, for example, use Find Packet when you look for a string in the capture, such as a website, a URL, a DNS name or any other string.
• 19. The View menu controls the display of the captured data, including colorization of packets, zooming the font, showing a packet in a separate window, and expanding and collapsing trees in the packet details. Here, for example, we can set the Time Display Format, Name Resolution for layers 2, 3 and 4 and other features to customize the display.
• 20. The Go menu contains items to go to a specific packet, including a packet number, the next or previous packet, the first or last packet and so on. Like all menus, the items here have keyboard shortcuts to make life easier; use them.
• 21. The Capture menu allows you to start and stop captures and to edit capture filters. This will be explained later in this lesson.
• 22. The Analyze menu is one of the menus you will use a lot during network troubleshooting. It contains items to manipulate display filters, enable or disable the dissection of protocols, configure user-specified decodes and follow a TCP stream. We will discuss some of these features in detail later in the course.
• 23. One of the important menus is the Statistics menu. It contains items to display various statistics windows, including a summary of the packets that have been captured, protocol hierarchy statistics and much more. Later in this course we will dive into some of its features, mostly the IO and Stream graphs, which are two of the most important Wireshark features.
• 24. The Telephony menu supports various telephony protocols. Here you find, for example, the Real-time Transport Protocol (RTP), which carries the multimedia information, the Session Initiation Protocol (SIP), which is used for signaling, and other protocols.
• 25. The Wireless menu shows Bluetooth and IEEE 802.11 wireless statistics.
• 26. Many tools that can assist you with protocol analysis can be found at https://wiki.wireshark.org/Tools
• 27. The Help menu contains items to help the user, with access to some basic help, manual pages of the various command line tools, online access to some of the web pages, and the usual About dialog.
• 29. The colorized bullet on the left shows the highest expert info level found in the currently loaded capture file. Moving the mouse over this icon shows a textual description of the expert info level, and clicking the icon brings up the Expert Information dialog. Here we see that the highest message level is Warning. To the right of the colorized bullet we see information about the capture file: its name, its size and the elapsed time while it was being captured. Hovering over the file name shows its full path and size. Next to the right we see the current number of packets in the capture file. The following values are displayed:
  • Packets: the number of captured packets.
  • Displayed: the number of packets currently being displayed.
  • Marked: the number of marked packets. Only displayed if packets are marked.
  • Dropped: the number of dropped packets. Only displayed if Wireshark was unable to capture all packets, for example under heavy traffic.
  • Ignored: the number of ignored packets. Only displayed if packets are ignored.
  • Load time: the time it took to load the capture.
  A non-zero Dropped count means the capture is incomplete, so the absence of a packet from the file proves nothing; narrow the capture with a capture filter or capture on a dedicated machine before drawing conclusions from what is missing.
  On the right side we see the selected configuration profile. Clicking in this part of the status bar brings up a menu with all available configuration profiles, and selecting from this list changes the configuration profile.
• 31. To see traffic that is not addressed to your own machine, configure the switch to mirror the monitored port(s) to the port where Wireshark is connected. In Cisco this is SPAN (Switched Port Analyzer): http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml In Juniper it is Port Mirroring: http://www.juniper.net/techpubs/en_US/junos9.2/topics/concept/port-mirroring-ex-series-overview.html Remember that a mirror port copying both directions of a full-duplex link can be oversubscribed, in which case the switch silently drops part of the mirrored traffic.
• 32. Instead of relying on a switch on the link you wish to monitor, you can insert a device called a Test Access Point (TAP), a simple three-port device that in this case plays the same role as the mirroring switch. The advantages of a TAP over a switch are simplicity and price. A TAP also forwards frames with errors, which can then be monitored in Wireshark, unlike a LAN switch, which drops them.
• 33. In this section we talk about the principles of network troubleshooting.
• 34. Wireshark uses the libpcap filter language for capture filters. libpcap is a portable C library for network traffic capture. You can find additional information on the libpcap web site, http://www.tcpdump.org/, and capture filter examples at http://wiki.wireshark.org/CaptureFilters. Keep in mind that packets rejected by a capture filter are gone for good, so when you investigate an unknown problem prefer a broad capture filter and narrow down later with display filters.
• 35. Here we see that in order to configure a capture filter we go through the following steps:
  • Click on the capture filter symbol, fourth from the left on the toolbar
  • Choose the interface on which we want to configure the filter
  • Type the filter in the bar at the bottom of the capture filter window
  Some examples of capture filters:
  • ether host 00:08:15:00:08:15 captures packets only from and to a specific MAC address
  • host 192.168.0.1 captures packets only from and to a specific IP address
  • tcp port http captures packets only from and to a specific TCP port (libpcap resolves the service name http to port 80)
• 36. We can configure different filters on different interfaces. Here, for example, we see a MAC address filter on the Wireless LAN interface and a TCP port filter on the Gigabit Ethernet interface.
• 37. A capture filter takes the form of a series of primitive expressions connected by and/or and optionally preceded by not:
  [not] primitive [and|or [not] primitive ...]
  where:
  • a primitive is a basic condition
  • the logical operators and/or combine primitives
  • not negates a condition
  The primitives are:
  • [src|dst] host <host>: filter on a host IP address or name. Optionally precede the primitive with src or dst to match only source or destination addresses; if neither is present, packets where the address appears as either source or destination are selected.
  • ether [src|dst] host <ehost>: filter on Ethernet (MAC) addresses. Optionally include src or dst between ether and host to match only source or destination addresses; if neither is present, packets where the address appears as either source or destination are selected.
  • gateway host <host>: filter on packets that used host as a gateway, that is, where the Ethernet source or destination was host but neither the source nor the destination IP address was host.
  • [src|dst] net <net> [{mask <mask>}|{len <len>}]: filter on network numbers. Optionally precede the primitive with src or dst to match only a source or destination network; if neither is present, packets with the network in either address are selected. You can also specify the netmask or the CIDR prefix length for the network if they are different from your own.
  • [tcp|udp] [src|dst] port <port>: filter on TCP and UDP port numbers. Optionally precede the primitive with src or dst and with tcp or udp to match only source or destination ports and only TCP or only UDP packets; tcp|udp must appear before src|dst. If neither is specified, packets are selected for both TCP and UDP, and when the port appears as either source or destination.
  • less|greater <length>: filter on packets whose length is less than or equal to, or greater than or equal to, the specified length.
  • ip|ether proto <protocol>: filter on the specified protocol at the IP layer or the Ethernet layer.
  • ether|ip broadcast|multicast: filter on Ethernet or IP broadcasts or multicasts.
  • <expr> relop <expr>: complex filter expressions that select bytes or ranges of bytes in packets.
  See the tcpdump man page at http://www.tcpdump.org/tcpdump_man.html for more details.
• 39. Examples:
  • host 10.10.10.10 captures all packets to and from 10.10.10.10
  • src host 10.10.10.10 captures all packets where 10.10.10.10 is the source
  • dst host 10.10.10.10 captures all packets where 10.10.10.10 is the destination
• 40. For port numbers, we can configure:
  • port with a port number, for example port 80 for all packets to and from port 80, that is, HTTP
  • src port with a port number, for example src port 80 for all packets from port 80
  • dst port with a port number, for example dst port 80 for all packets to port 80
• 41. For network addresses we can configure the following filters:
  • net with the network address in prefix notation (network address and number of mask bits), for example net 192.168.1.0/24 for the class C network 192.168.1.0
  • src net with the source network in the same format, for example src net 192.168.1.0/24
  • dst net with the destination network in the same format, for example dst net 192.168.1.0/24
• 42. More examples:
  • tcp dst port 3128: captures packets with destination TCP port 3128.
  • ip src host 10.1.1.1: captures packets with source IP address 10.1.1.1.
  • host 10.1.2.3: captures packets with source or destination IP address 10.1.2.3.
  • src portrange 2000-2500: captures packets with source UDP or TCP ports in the 2000-2500 range.
  • not icmp: captures everything except ICMP packets (ICMP is typically used by the ping tool).
  • src host 10.7.2.12 and not dst net 10.200.0.0/16: captures packets with source IP address 10.7.2.12 that are not destined to the network 10.200.0.0/16.
  • (src host 10.4.1.12 or src net 10.6.0.0/16) and tcp dst portrange 200-10000 and dst net 10.0.0.0/8: captures packets with source IP address 10.4.1.12 or source network 10.6.0.0/16, further restricted to destination TCP ports 200 to 10000 and destination network 10.0.0.0/8.
• 43. Compound filters can be used, for example, for:
  • specific traffic that we are interested in, to a specific port on a specific server or servers
  • specific traffic from/to specific network(s)
  and many other possibilities.
• 44. Capture only Ethernet type EAPOL:
  • ether proto 0x888e
  Capture only IP traffic; the shortest filter, but sometimes very useful to get rid of lower layer protocols like ARP and STP:
  • ip
  Capture only unicast traffic; useful to get rid of noise on the network if you only want to see traffic to and from your machine, and not, for example, broadcast and multicast announcements:
  • not broadcast and not multicast
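The grammar on the last few slides is easier to trust once you have watched it select and reject concrete packets. As an added example, not part of the seminar, here is a small Python evaluator for the subset of the libpcap syntax listed above: the host/net/port/portrange primitives with optional src|dst and tcp|udp|icmp|ip|arp qualifiers, broadcast/multicast, and/or/not and parentheses. It is not libpcap (which compiles the same text to BPF bytecode) and it leaves out the ether, gateway, less/greater and byte-offset primitives; the Packet record and the sample traffic are constructed for the demonstration, and it assumes numeric ports (no service names such as http) and CIDR prefixes for net. The filters it is exercised with are the ones from slide 42.

```python
"""Toy evaluator for the libpcap capture-filter grammar on the slides (added example, not the
seminar's code).  Handles host/net/port/portrange with optional src|dst and tcp|udp|icmp|ip|arp
qualifiers, broadcast/multicast, and/or/not and parentheses.  Assumes numeric ports (no names
such as http) and CIDR nets (no 'mask').  Real libpcap compiles the same text to BPF bytecode."""
import ipaddress
import re
from collections import namedtuple

PROTOS = ("ip", "tcp", "udp", "icmp", "arp")
TOKEN = re.compile(r"\(|\)|[^\s()]+")

# Minimal packet model: addresses as strings, ports None for ICMP/ARP, flags for L2 address type.
Packet = namedtuple("Packet", "src dst proto sport dport length broadcast multicast",
                    defaults=(None, None, 64, False, False))


def proto_match(p, proto):
    """None = any packet; 'ip' = any IPv4 payload; 'tcp_or_udp' = what a bare 'port' means."""
    groups = {None: PROTOS, "ip": ("tcp", "udp", "icmp"), "tcp_or_udp": ("tcp", "udp")}
    return p.proto in groups.get(proto, (proto,))


def field_match(kind, value, direction, proto):
    """host / net / port / portrange tested against the src and/or dst field(s)."""
    if kind in ("host", "net"):
        net = ipaddress.ip_network(value, strict=False)   # a host is just a /32 network
        test, fields = (lambda x: ipaddress.ip_address(x) in net), ("src", "dst")
    else:                                                 # port N or portrange LO-HI, inclusive
        lo, _, hi = value.partition("-")
        lo, hi = int(lo), int(hi or lo)
        test, fields = (lambda x: x is not None and lo <= x <= hi), ("sport", "dport")
    fields = {"src": fields[:1], "dst": fields[1:]}.get(direction, fields)
    if kind in ("port", "portrange") and proto is None:
        proto = "tcp_or_udp"                              # libpcap: unqualified port = TCP or UDP
    return lambda p: proto_match(p, proto) and any(test(getattr(p, f)) for f in fields)


def compile_filter(expr):
    """Recursive descent: or_expr := and_expr ('or' and_expr)*; and_expr := not_expr ('and' not_expr)*."""
    toks = TOKEN.findall(expr)
    pos = [0]                                              # cursor shared by the nested parsers
    def peek():
        return toks[pos[0]] if pos[0] < len(toks) else None
    def take():
        if peek() is None:
            raise ValueError("unexpected end of filter")
        pos[0] += 1
        return toks[pos[0] - 1]
    def binary(ops, sub, combine):                         # left-associative chain: sub (op sub)*
        left = sub()
        while peek() in ops:
            take()
            left = combine(left, sub())
        return left
    def parse_or():
        return binary(("or", "||"), parse_and, lambda a, b: lambda p: a(p) or b(p))
    def parse_and():
        return binary(("and", "&&"), parse_not, lambda a, b: lambda p: a(p) and b(p))
    def parse_not():
        if peek() in ("not", "!"):
            take()
            inner = parse_not()
            return lambda p: not inner(p)
        if peek() == "(":
            take()
            inner = parse_or()
            if take() != ")":
                raise ValueError("missing ')'")
            return inner
        return parse_primitive()
    def parse_primitive():
        proto = take() if peek() in PROTOS else None       # optional tcp|udp|icmp|ip|arp qualifier
        direction = take() if peek() in ("src", "dst") else None
        kind = peek()
        if kind in ("host", "net", "port", "portrange"):
            take()
            return field_match(kind, take(), direction, proto)
        if direction is None and kind in ("broadcast", "multicast"):
            take()
            return lambda p: getattr(p, kind)
        if direction is None and proto is not None:        # bare 'tcp', 'ip', 'arp', ...
            return lambda p: proto_match(p, proto)
        raise ValueError(f"unexpected token {kind!r}")
    pred = parse_or()
    if peek() is not None:
        raise ValueError(f"trailing token {peek()!r}")
    return pred


def apply_filter(expr, packets):
    """Return the packets the capture filter would have kept."""
    pred = compile_filter(expr)
    return [p for p in packets if pred(p)]


SAMPLE = [  # constructed sample traffic, not a real capture
    Packet("10.1.1.1", "10.200.5.5", "tcp", 51000, 3128),                # to a proxy
    Packet("10.7.2.12", "10.200.9.9", "udp", 2200, 53),                  # DNS query
    Packet("10.7.2.12", "192.0.2.10", "tcp", 2400, 443),                 # HTTPS
    Packet("10.4.1.12", "10.20.30.40", "tcp", 40000, 8080),
    Packet("10.6.1.1", "172.16.0.1", "tcp", 40001, 9000),
    Packet("198.51.100.7", "10.1.2.3", "icmp"),                          # ping
    Packet("0.0.0.0", "255.255.255.255", "udp", 68, 67, broadcast=True), # DHCP discover
    Packet("10.1.1.5", "10.1.1.1", "arp", length=42),                    # ARP request
]

if __name__ == "__main__":
    for expr in ("tcp dst port 3128", "host 10.1.2.3", "src portrange 2000-2500", "not icmp",
                 "src host 10.7.2.12 and not dst net 10.200.0.0/16",
                 "(src host 10.4.1.12 or src net 10.6.0.0/16) and tcp dst portrange 200-10000 and dst net 10.0.0.0/8",
                 "not broadcast and not multicast"):
        print(f"{len(apply_filter(expr, SAMPLE))} packet(s) <- {expr}")
```

Run it to see how many of the eight constructed packets each filter keeps. The practitioner's point is in the corner cases: port 53 with no qualifier keeps both UDP and TCP, src portrange silently discards packets that have no ports at all (ICMP), and an unqualified host filter still matches ARP, which is how libpcap behaves too, so a filter that looks tight may admit more, or less, than you intended.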
• 45. The first way to configure display filters is to click the "Expression…" button to the right of the display filter bar. The display filter expression window opens, with the following parts:
  • The field name, in which you choose the filter. Scroll down to the protocol and double-click it, and all the filters under this protocol open.
  • In the search box below the field name you can search for a filter string. For example, if you search for "retransmission", TCP opens, presenting all the possible "retransmission" filters.
  • In the "Relation" part of this window you choose whether the field should be present, equal or not equal to, greater or smaller than, greater or equal or smaller or equal to, or contain or match a specific value that you write in the value field.
  • In some cases, for example with TCP flags, you can choose whether a flag is present or not; the "Predefined values" list then becomes active and you can choose a value, in the case of TCP flags "Set" or "Not set".
  Many values can be chosen here, many of them added in version 2 of the software.
• 47. Another way to use display filters is simply to type the filter string in the filter bar. Auto-complete is enabled here, so after getting used to the display filter syntax this is quite a good way to use them. Note that display filter syntax (for example tcp.port == 80) differs from the libpcap capture filter syntax (tcp port 80) of the previous section; the two are not interchangeable. To use the filter expression:
  1. Type the expression you want to use
  2. Apply the filter string; you can also press <Enter>
  3. From the drop-down arrow you can choose previously used filters
  4. To edit filter expressions use the button to the left of the display filter bar. It takes you to the preferences window. You will see this in the next slide.
• 48. The last and easiest way is to go to the packet details pane, right-click on the field you want to filter on and choose:
  1. Apply as Filter, or
  2. Prepare a Filter
  In each of them you can choose "Selected", "Not Selected", "...and Selected", "...or Selected" and so on. The only thing you have to do is choose which field of the protocol in the packet you want to filter on.
• 49. In this section we talk about the principles of network troubleshooting.
• 51. The first example was a dissector problem. The second one was a bad LAN switch.
• 55. In this section we talk about the principles of network troubleshooting.
• 56. The Conversations window presents statistics about:
  • Ethernet addresses
  • IPv4 and IPv6 addresses
  • TCP and UDP port numbers
  • Additional session parameters that can be added under Conversation Types, at the bottom right of the window.
  In example 6.1 we see that when we choose the IPv4 tab and click the column header to sort by the number of packets, there are nearly five thousand packets between 172.20.0.10 and 172.30.0.22.
  At the bottom left of the window you can tick the checkboxes:
  • Name resolution: translates MAC addresses, IP addresses and TCP/UDP port numbers. Name resolution has to be enabled in the main window (from the View menu).
  • Limit to display filter: shows only what passes the configured display filter.
• 58. To check exactly what is running between the two hosts, we click on the TCP tab and see that two TCP connections are open:
  • From port 57604 to 445, that is SMB
  • From port 58479 also to 445, again an SMB connection
  To look for other sessions that are not TCP we simply click on the UDP tab and see, in this case, nearly 800 packets from 0.0.0.0 to 172.30.0.0. To see what they are we right-click on this line, choose Apply as Filter, and see that these are Check Point High Availability packets that are sent between Check Point firewalls.
• 59. In this second example, we see more than 137,000 packets in 61 seconds, all SMB packets sent to 172.30.0.10. We'll get back to this example in the SMB and NetBIOS chapters.
• 63. A network endpoint is the logical endpoint of separate protocol traffic of a specific protocol layer. The endpoint statistics of Wireshark take the following endpoints into account:
  • Ethernet: an Ethernet endpoint is identical to the Ethernet MAC address.
  • IPv4: an IPv4 endpoint is identical to its IP address.
  • IPv6: an IPv6 endpoint is identical to its IP address.
  • TCP: a TCP endpoint is a combination of the IP address and the TCP port used, so different TCP ports on the same IP address are different TCP endpoints.
  • UDP: a UDP endpoint is a combination of the IP address and the UDP port used, so different UDP ports on the same IP address are different UDP endpoints.
  As in the Conversations window, you can configure here whether to resolve addresses and whether to limit the information in the window to the pre-configured display filter.
• 64. In this example you see the Endpoints window when:
  • On the Ethernet tab, most of the packets go to two Juniper devices. These can be routers, layer 3 switches or firewalls.
  • On the IP tab, we see that most of the traffic goes to 172.16.20.20, which is the network router, and a lot of traffic also comes from 10.100.1.63, which is a simple client at one of the network sites.
  Don't forget that the information you see is limited to the capture time, so if, like here, you see a load from a specific client, it can be because the client coincidentally performed some operation during the capture period.
Page 60: In this section we talk about the IO Graph.
Page 61: The IO Graph is one of the most important features of Wireshark. IO graphs, combined with display filters when required, give a clear picture of the network traffic and of possible problems. You add or delete graphs with the (+) and (-) buttons. The mouse can work in one of two modes:
• Drags: moves the graph
• Zooms: zooms in or out of the graph
You can also:
• Increase or decrease the time interval
• Switch the Y axis from a linear to a logarithmic scale
Page 62: In the lower part of the IO Graph window you configure each graph:
• Name: a name for the graph
• Display filter: only packets that pass this filter are counted for this graph
• Color: the color of the graph line (assigned automatically)
• Style: Line, Impulse, Bar, Stacked Bar, Dot, Square, Diamond
• Y Axis: what is plotted on the Y axis: Packets, Bytes or Bits per interval, or a function (SUM, COUNT, MAX, MIN, AVG, LOAD) applied to the field named in Y Field
• Y Field: the field the function is applied to, for example tcp.analysis.ack_rtt
• Smoothing: a moving average applied to the graph
The important point is that the Y axis is not limited to packet or byte counts: any numeric field can be plotted against time. We will come back to this later in the lesson.
Page 63: To see the traffic graph of a specific stream:
• Open Statistics > Conversations to list all streams, and pick the one with the highest packet count to see how it loads the link you are monitoring.
• Open the IO Graph window and add a new graph whose display filter is that conversation's filter (right-click the conversation and use Prepare a Filter, or copy the filter string).
What you get is the traffic of that specific stream. In our example the filtered stream runs at 60-70 packets/second, while the peaks come from other traffic.
Page 64: We go deeper into the capture and try to find where the peaks come from.
Page 65: Here the red line of the filtered graph and the black line of all traffic overlap, so we have found the session that generates the peaks. In the protocol lessons later in the course we will see how to find what exactly generated them.
Page 66: To see the traffic pattern of the two heaviest flows in this capture file:
• Use Statistics > Conversations to identify these flows
• Add two more graphs, each with a filter that isolates one of the flows
• Zoom in on the streams to see exactly how each of them behaves
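The procedure on pages 63 to 66 (pick the busiest conversation, turn it into a display filter, plot it as its own IO graph next to the total) can be reproduced outside the GUI. The following is an added example, not code from the slides or from Wireshark: a small classic-pcap parser, a conversation table, and a per-interval series like the IO Graph y-axis, run over a capture constructed in memory. The two client addresses and the router address are borrowed from the endpoints example on page 59; the traffic itself, the ports and the function names are made up for the example. Only Ethernet/IPv4 with TCP or UDP is handled, and the classic (non-nanosecond) pcap format.

```python
"""Text-mode version of Wireshark's Conversations window and IO Graph.

Added example, not part of the original slides. Parses a classic libpcap
file (Ethernet/IPv4 with TCP or UDP), lists conversations by packet count,
then builds the per-interval series the IO Graph plots, once for all
traffic and once for the busiest conversation. The capture is constructed.
"""
import socket
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps


def build_pcap(packets):
    """Write a minimal pcap (link type 1, Ethernet) from constructed tuples
    (ts, src_ip, dst_ip, proto, sport, dport, payload_len). Checksums are 0."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]
    for ts, src, dst, proto, sport, dport, plen in packets:
        if proto == 6:   # TCP: ports, seq, ack, data offset, ACK flag, window, csum, urg
            l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x10, 65535, 0, 0)
        else:            # UDP: ports, length, checksum
            l4 = struct.pack("!HHHH", sport, dport, 8 + plen, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + plen, 0, 0, 64,
                         proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
        frame = b"\x00" * 12 + b"\x08\x00" + ip + l4 + b"\x00" * plen
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def load_packets(data):
    """Parse pcap bytes into a time-sorted list of
    (ts, src, dst, proto, sport, dport, frame_len); non-IPv4 frames are skipped."""
    endian = "<" if struct.unpack_from("<I", data, 0)[0] == PCAP_MAGIC else ">"
    if struct.unpack_from(endian + "I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a classic pcap file")
    pkts, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl, _ = struct.unpack_from(endian + "IIII", data, off)
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue
        ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        sport, dport = struct.unpack_from("!HH", frame, 14 + ihl) if proto in (6, 17) else (0, 0)
        pkts.append((sec + usec / 1e6, src, dst, proto, sport, dport, incl))
    return sorted(pkts)


def conversations(pkts):
    """Statistics > Conversations: list of ((proto, (ip, port), (ip, port)),
    [packets, bytes]) sorted busiest first."""
    stats = defaultdict(lambda: [0, 0])
    for _, src, dst, proto, sp, dp, n in pkts:
        key = (proto,) + tuple(sorted([(src, sp), (dst, dp)]))
        stats[key][0] += 1
        stats[key][1] += n
    return sorted(stats.items(), key=lambda kv: kv[1][0], reverse=True)


def display_filter(conv):
    """The filter string to paste into a new IO Graph row for this conversation."""
    proto, (a, ap), (b, bp) = conv
    name = {6: "tcp", 17: "udp"}.get(proto)
    flt = f"ip.addr=={a} && ip.addr=={b}"
    return flt + (f" && {name}.port=={ap} && {name}.port=={bp}" if name else "")


def matches(conv, p):
    """Apply a conversation as a filter to one parsed packet."""
    proto, a, b = conv
    return p[3] == proto and {(p[1], p[4]), (p[2], p[5])} == {a, b}


def io_series(pkts, interval=1.0, conv=None):
    """Packets and bytes per interval (the IO Graph y-axis), optionally limited
    to one conversation. Returns [(t_offset, packets, bytes), ...]."""
    if not pkts:
        return []
    t0 = pkts[0][0]
    buckets = defaultdict(lambda: [0, 0])
    for p in pkts:
        if conv is None or matches(conv, p):
            b = int((p[0] - t0) // interval)
            buckets[b][0] += 1
            buckets[b][1] += p[6]
    last = int((pkts[-1][0] - t0) // interval)
    return [(i * interval, buckets[i][0], buckets[i][1]) for i in range(last + 1)]


# Constructed capture: a steady 10 packet/s TCP flow to port 445 for five
# seconds, plus a 40-packet UDP burst from a second client during second 2.
SAMPLE = [(i / 10, "10.100.1.63", "172.16.20.20", 6, 50000, 445, 1000) for i in range(50)]
SAMPLE += [(2 + j / 100, "10.100.1.200", "172.16.20.20", 17, 40000, 53, 100) for j in range(40)]
SAMPLE_PCAP = build_pcap(SAMPLE)

if __name__ == "__main__":
    pkts = load_packets(SAMPLE_PCAP)
    top = conversations(pkts)[0][0]
    print("busiest conversation:", display_filter(top))
    for (t, n_all, b_all), (_, n_one, _) in zip(io_series(pkts), io_series(pkts, conv=top)):
        print(f"t={t:3.0f}s  all: {n_all:3d} pkts {b_all:6d} B   filtered: {n_one:3d} pkts")
```

Run as a script it prints the same two-line story the slides show in the GUI: the busiest conversation is flat at 10 packets per second in every interval, while the total jumps to 50 in second 2, so the peak belongs to some other flow, here the UDP burst. Swap `SAMPLE_PCAP` for the bytes of a real capture file to use it on your own data.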
Page 74: In this section we talk about the TCP stream graphs.
Page 75: Wireshark offers five TCP stream graphs:
• Round Trip Time: the round trip time measured for each ACK, over time
• Throughput: throughput, measured from the TCP sequence numbers
• Time/Sequence (Stevens): TCP sequence numbers versus time. A steady diagonal line means data is flowing without interruption; flat stretches or sequence numbers that go back point to packet loss or long delays
• Time/Sequence (tcptrace): TCP sequence numbers versus time, which also tracks the ACK values received from the other endpoint and the receive window it advertises
• Window Scaling: the receive window advertised by one side (Rcv Win) and the bytes the other side has in flight (Bytes Out), over time
Page 79: A few quick items to note:
• Press 'i' to zoom in at the current mouse position
• Press 'o' to zoom out from the current mouse position
• Right-click, hold and drag to move around the graph
• Left-click, hold and drag a rectangle to zoom in on a region
• A single left click on a segment or ACK jumps to that packet in the packet list (very useful)
Page 83: Rcv Win is the window size advertised by the receiver. Bytes Out is the number of bytes the sender has in flight, that is sent but not yet acknowledged. A stable receive window indicates a healthy receiver. A receive window that keeps collapsing and recovering (a sawtooth, or "chain-saw", pattern) means the receiving application is not draining its TCP buffer as fast as data arrives: the host or the application is the bottleneck, not the network.
Page 84: In this section we talk about TCP and UDP basics.
Page 85: Going back to the OSI reference model, layers 1 and 2 are the LAN and WAN protocols; IP, and therefore TCP and UDP, run over any of them. In layer 3 the protocol that provides end-to-end connectivity is IP (Internet Protocol). Alongside IP there are special-purpose protocols such as ICMP (used by the ping command), while ARP (Address Resolution Protocol) and RARP (Reverse ARP) resolve between layer-2 LAN addresses and layer-3 IP addresses. In layer 4 we have two protocols for application connectivity: TCP (Transmission Control Protocol), which is connection-oriented and reliable, and UDP (User Datagram Protocol), which is connection-less and unreliable. In layers 5 to 7, the "upper layers", there are two kinds of protocols:
• Those that require reliability, like FTP, HTTP and others, run on top of TCP. The price of that reliability is the handshake, acknowledgements and retransmissions, which add latency.
• Those that do not require reliability, or that need low latency more than reliability (voice, video and similar real-time traffic), run on top of the faster, unreliable UDP.
Page 86:
        Connection-oriented   Reliable
  TCP   YES                   YES
  UDP   NO                    NO
Page 92: Something happens here every 2.5 seconds that stalls transmission for that period. Let's find out what it might be.
Page 110: TCP Dup ACK is flagged when the same ACK number is seen again in a segment that carries no data and advertises the same window, while the sender still has unacknowledged data beyond that ACK number. When the receiver detects a gap in the sequence numbers, it sends a duplicate ACK for every subsequent segment it receives on that connection, until the missing segment arrives (after retransmission). Three duplicate ACKs trigger the sender's fast retransmission. Dup ACKs are a strong indication of dropped or missing packets, but packet reordering produces them too, so check whether a retransmission of the missing segment follows before concluding that the path is dropping packets.
Page 112:
• TCP ZeroWindow: the receiver advertises a receive window of zero, which tells the sender to stop sending because the receiver's buffer is full. This indicates a resource issue on the receiver: the application is not retrieving data from the TCP buffer in a timely manner.
• TCP ZeroWindowProbe: the sender tests whether the zero-window condition still exists by sending the next byte of data to elicit an ACK from the receiver. If the window is still zero, the sender doubles its timer before probing again.
• TCP ZeroWindowViolation: the sender has ignored the receiver's zero window and sent additional data.
• TCP WindowUpdate: a pure window-update segment. It is sent when the receiving application has consumed data from the RX buffer, so the TCP layer tells the other side that there is now more space available. Typically seen after a ZeroWindow condition: once the application retrieves data from the buffer, the receiver should notify the sender that the zero window no longer exists by sending a WindowUpdate advertising the current window size.
• TCP WindowFull: set on a segment whose payload will completely fill the RX buffer on the other side of the session. The sender, knowing it has sent enough data to fill the last advertised receive window, must now stop until some of that data is acknowledged (or until the retransmission timer for the oldest unacknowledged segment expires). This delays the flow of data and lowers throughput.
When WindowFull occurs, a ZeroWindow condition may follow on the other host and we may see TCP ZeroWindow segments coming back. Note that WindowFull can occur even if no ZeroWindow is ever triggered: if the receive window is simply too small for the end-to-end latency (the bandwidth-delay product), you will see WindowFull with no ZeroWindow indications at all, and the fix is a larger window (window scaling) on the receiver rather than a faster application.
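The labels on pages 110 and 112 are computed by Wireshark from the sequence, ACK and window fields of consecutive segments, so they can be reproduced by hand. The block below is an added example, my own simplified reimplementation of Wireshark's documented heuristics and not Wireshark's code: it runs over a constructed trace in which a segment is lost before the capture point, the receiver answers with duplicate ACKs, the sender retransmits, then the receiver's window shrinks, fills, drops to zero, is probed, and reopens. It ignores timestamps, SACK and window scaling, which the real analysis takes into account; frame numbers, addresses and function names are made up.

```python
"""Simplified re-implementation of the TCP expert-analysis labels discussed
above (DupACK, ZeroWindow, ZeroWindowProbe, WindowUpdate, WindowFull), plus
Retransmission and "previous segment not captured". Added example following
Wireshark's documented heuristics, not Wireshark's code; it ignores
timestamps, SACK and window scaling. The trace at the bottom is constructed.
"""
from collections import defaultdict, namedtuple

# no: frame number; flags: letters from S, A, P, F, R; win: advertised window
Seg = namedtuple("Seg", "no src dst seq ack flags win length")


class Side:
    """Per-direction state: what this sender has sent and what it has acknowledged."""

    def __init__(self):
        self.nextseq = None    # highest seq+len (plus SYN/FIN) seen from this sender
        self.last_ack = None   # last ACK number it sent
        self.last_win = None   # last window it advertised
        self.probe_seq = None  # seq of the last zero-window probe it sent
        self.dup_count = 0


def analyze(segments):
    """Return {frame_no: [labels]} for every segment that earns an expert label."""
    sides = defaultdict(Side)
    labels = {}
    for s in segments:
        me, peer = sides[(s.src, s.dst)], sides[(s.dst, s.src)]
        notes = []
        ctrl = any(f in s.flags for f in "SFR")
        if s.win == 0 and not ctrl:
            notes.append("ZeroWindow")
        if s.length > 0 and me.nextseq is not None:
            if s.seq < me.nextseq:          # data we already saw: (fast) retransmission
                notes.append("Retransmission")
            elif s.seq > me.nextseq:        # a gap: the earlier segment never reached us
                notes.append("PreviousSegmentNotCaptured")
        if s.length == 1 and peer.last_win == 0 and s.seq == peer.last_ack:
            notes.append("ZeroWindowProbe")
            me.probe_seq = s.seq
        elif (s.length > 0 and peer.last_ack is not None and peer.last_win
              and s.seq + s.length >= peer.last_ack + peer.last_win):
            notes.append("WindowFull")      # this segment fills the peer's advertised window
        if "A" in s.flags and s.length == 0 and not ctrl and me.last_ack is not None:
            if s.win == 0 and s.ack == peer.probe_seq:
                notes.append("ZeroWindowProbeAck")
            elif (s.ack == me.last_ack and s.win == me.last_win
                  and peer.nextseq is not None and s.ack < peer.nextseq):
                me.dup_count += 1           # same ACK, same window, data still outstanding
                notes.append(f"DupACK #{me.dup_count}")
            elif s.ack == me.last_ack and s.win != me.last_win:
                notes.append("WindowUpdate")
        if "A" in s.flags:
            if s.ack != me.last_ack:
                me.dup_count = 0
            me.last_ack, me.last_win = s.ack, s.win
        end = s.seq + s.length + (1 if ("S" in s.flags or "F" in s.flags) else 0)
        if me.nextseq is None or end > me.nextseq:
            me.nextseq = end
        if notes:
            labels[s.no] = notes
    return labels


# Constructed trace: C is the client (receiver of the data), S the server.
C, S = "10.0.0.1:50000", "10.0.0.2:445"
TRACE = [
    Seg(1, C, S, 0, 0, "S", 65535, 0),
    Seg(2, S, C, 0, 1, "SA", 65535, 0),
    Seg(3, C, S, 1, 1, "A", 8000, 0),
    Seg(4, S, C, 1, 1, "PA", 65535, 1000),
    Seg(5, C, S, 1, 1001, "A", 8000, 0),
    # the segment seq 1001..2000 was lost before the capture point
    Seg(6, S, C, 2001, 1, "PA", 65535, 1000),
    Seg(7, C, S, 1, 1001, "A", 8000, 0),
    Seg(8, S, C, 3001, 1, "PA", 65535, 1000),
    Seg(9, C, S, 1, 1001, "A", 8000, 0),
    Seg(10, S, C, 1001, 1, "PA", 65535, 1000),  # fast retransmission
    Seg(11, C, S, 1, 4001, "A", 2000, 0),        # receiver now advertises only 2000 bytes
    Seg(12, S, C, 4001, 1, "PA", 65535, 2000),   # sender fills that window exactly
    Seg(13, C, S, 1, 6001, "A", 0, 0),           # application stopped reading
    Seg(14, S, C, 6001, 1, "A", 65535, 1),       # one-byte zero-window probe
    Seg(15, C, S, 1, 6001, "A", 0, 0),           # window still zero
    Seg(16, C, S, 1, 6001, "A", 4000, 0),        # buffer drained, window reopened
]

if __name__ == "__main__":
    for no, tags in sorted(analyze(TRACE).items()):
        print(f"frame {no:2d}: {', '.join(tags)}")
```

Reading the output next to the trace shows the two stories from the slides in order: frame 6 arrives with a sequence gap, frames 7 and 9 are the duplicate ACKs for 1001, frame 10 is the retransmission that clears them; then frame 12 fills the 2000-byte window, frame 13 is the zero window, frame 14 the probe, frame 15 the probe ACK with the window still zero, and frame 16 the window update. Because the window problem is visible only on the receiver's ACKs, capturing at the sender would show the same labels, which is why the slides treat a sawtooth receive window as a host problem rather than a network one.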
Page 113: In this example, 10.0.52.164 keeps decreasing its window size, meaning it cannot process the data it receives on this connection as fast as it arrives. Eventually a zero window appears, and keep-alive (window probe) segments start in order to keep the connection open.