Does opening a packet trace stress you out?
If so, you aren’t alone. Packet analysis is tedious, detailed, and can be very time consuming. Usually captures are taken to troubleshoot issues when the stakes are high and failure to find the problem is not an option. You may even have your boss breathing down your neck, expecting you to miraculously see the smoking gun in a matter of minutes, leaving you to wonder if your job is on the line.
Hey, we’ve all been there.
Packet analysis with Wireshark is an art form that can take a long time to develop. Gaining comfort with trace files starts with some basic steps that can go a long way in helping you find the culprit behind your performance or security problem. Here, we will take a look at a couple of quick hints that all new Wireshark users should know, but we will definitely leave some for the Intro to Wireshark session at Viavi Sharkweek starting on Monday, November 6th. Register here! https://observer.viavisolutions.com/wireshark-week/
Know the packet path and capture well.
The worst thing you can do is install a copy of Wireshark on a laptop, plug into a regular switch port, hit capture, and pray. First, it is important to know a bit about the problem you are troubleshooting. Get clear answers to these questions before hitting the blue fin:
- Is the problem intermittent or ongoing?
- Is it reproducible?
- Does it impact all applications or just one?
- What users are impacted?
- What time of day does it happen?
- What path do packets take on their way to the application?
Getting clear answers to these questions will save you a ton of head (and heart) ache when analysis time comes.
Set up your analyzer.
On Wireshark, it is important to create a profile for the application or protocol that you are troubleshooting. This works like a container to hold all your useful columns, timers, colors, and buttons for resolving the issue. Also – make sure to create a Delta Time Displayed column!
Make sure no capture filters are set (at least initially).
If you make assumptions, you can get in trouble. For example, since Jim is complaining of a problem, it is tempting to set a capture filter for his IP address. That would seem to make sense, but there are a bunch of other things that could be the root cause and would be filtered out. ARP traffic, ICMP messages, unusual broadcast activity and a bunch more would be lost to the wire, and unlike a display filter, a capture filter throws those packets away for good. So be careful not to make assumptions out of the gate.
Learn and get comfortable with common display filters.
Set filters for IP addresses, conversations, port numbers, and response codes. These are the common ones you will need in order to home in on the problem.
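The three points above (the Delta Time Displayed column, why a capture filter on Jim's IP loses packets, and the common display filters) are easy to mix up until you see them side by side. The following is an added example, not code from the original post or from Wireshark; it models Wireshark's behaviour in plain Python over a small constructed trace (the addresses, frame timings and the names `JIM`, `SERVER` and `TRACE` are all made up for illustration) so that the difference between a capture filter and a display filter, and between frame.time_delta and frame.time_delta_displayed, can be checked without a pcap file.

```python
"""Model of Wireshark capture filters, display filters and the Delta Time
Displayed column, run over a constructed trace. Illustrative only; this is
not Wireshark's own filter engine."""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Frame:
    no: int                          # frame number
    ts: float                        # seconds since the start of the capture
    proto: str                       # "ARP", "ICMP", "TCP" or "HTTP"
    src: Optional[str] = None        # IP address; None for ARP (no IP header)
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    http_code: Optional[int] = None  # HTTP response status, when present


JIM = "10.0.0.5"       # constructed: the complaining user
SERVER = "10.0.1.20"   # constructed: the application server

# Constructed trace: Jim opens a TCP session and sends a GET; the server
# answers 2.5 s later with a 503. ARP, a router ICMP message to the server
# (not involving Jim) and a second client are also on the wire.
TRACE: List[Frame] = [
    Frame(1, 0.000, "ARP"),
    Frame(2, 0.001, "ARP"),
    Frame(3, 0.010, "TCP", JIM, SERVER, 51000, 80),             # SYN
    Frame(4, 0.012, "TCP", SERVER, JIM, 80, 51000),             # SYN/ACK
    Frame(5, 0.013, "TCP", JIM, SERVER, 51000, 80),             # ACK
    Frame(6, 0.020, "HTTP", JIM, SERVER, 51000, 80),            # GET /
    Frame(7, 0.500, "ICMP", "10.0.1.1", SERVER),                # router -> server
    Frame(8, 2.520, "HTTP", SERVER, JIM, 80, 51000, http_code=503),
    Frame(9, 2.530, "TCP", "10.0.0.9", SERVER, 52000, 80),      # another client
]

Filter = Callable[[Frame], bool]


# Filter building blocks, named after the Wireshark display-filter fields
# they imitate.
def ip_addr(addr: str) -> Filter:                 # ip.addr == addr
    return lambda f: addr in (f.src, f.dst)


def tcp_port(port: int) -> Filter:                # tcp.port == port
    return lambda f: port in (f.sport, f.dport)


def conversation(a: str, b: str) -> Filter:       # ip.addr == a && ip.addr == b
    return lambda f: {f.src, f.dst} == {a, b}


def http_response_code_ge(code: int) -> Filter:   # http.response.code >= code
    return lambda f: f.http_code is not None and f.http_code >= code


def display(trace: List[Frame], flt: Filter) -> List[Frame]:
    """Display filter: hides non-matching frames, but they stay in the file."""
    return [f for f in trace if flt(f)]


def lost_to_capture_filter(trace: List[Frame], flt: Filter) -> List[int]:
    """Capture filter: frames that do not match are never written to disk.
    Returns the frame numbers that would be gone for good. Modelled on an
    IP-layer filter (like BPF 'ip host'), so ARP has no chance to match."""
    return [f.no for f in trace if not flt(f)]


def delta_time_displayed(displayed: List[Frame]) -> List[float]:
    """frame.time_delta_displayed: gap to the previous *displayed* frame,
    which is what makes request-to-response gaps jump out once a
    conversation filter is applied."""
    deltas, prev = [], None
    for f in displayed:
        deltas.append(0.0 if prev is None else round(f.ts - prev.ts, 6))
        prev = f
    return deltas


def frame_time_delta(trace: List[Frame], no: int) -> float:
    """frame.time_delta: gap to the previous *captured* frame, shown or not."""
    idx = next(i for i, f in enumerate(trace) if f.no == no)
    return 0.0 if idx == 0 else round(trace[idx].ts - trace[idx - 1].ts, 6)


if __name__ == "__main__":
    print("Capture filter on Jim's IP would discard frames:",
          lost_to_capture_filter(TRACE, ip_addr(JIM)))
    conv = display(TRACE, conversation(JIM, SERVER))
    for f, d in zip(conv, delta_time_displayed(conv)):
        print(f"{f.no:>3} {d:>8.3f}s  {f.proto:<5} {f.src} -> {f.dst}"
              f"{'  HTTP ' + str(f.http_code) if f.http_code else ''}")
    print("Error responses:",
          [f.no for f in display(TRACE, http_response_code_ge(400))])
```

With the conversation filter applied, the Delta Time Displayed column shows 2.5 s on frame 8, the server's 503, which is the gap since Jim's GET; the plain frame.time_delta for the same frame is 2.02 s because the unrelated ICMP message from the router sits between them. The capture filter on Jim's address, by contrast, would have silently dropped both ARP frames, that ICMP message and the other client's traffic before you ever opened the trace.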
Relax and take your time.
Many times, we can miss a simple issue just because we were in a hurry.
At the Introduction to Wireshark session next week at the Viavi Sharkweek, we will be showing these steps and more, helping you get the comfort you need to move to the next level with Wireshark.
Come join us!
Author Profile - Chris Greer is a Network Analyst for Packet Pioneer LLC and a Certified Wireshark Network Analyst. Chris regularly assists companies in tracking down the source of network and application performance problems using a variety of protocol analysis and monitoring tools including Wireshark. Chris also delivers training and develops technical content for several analysis vendors. Got network problems? Let's get in touch.