Network Analysis using Wireshark Cookbook

Chapter 1. Introducing Wireshark

In this chapter you will learn:

  • Locating Wireshark
  • Starting the capture of data
  • Configuring the start window
  • Using time values and summaries
  • Configuring coloring rules and navigation techniques
  • Saving, printing, and exporting data
  • Configuring the user interface in the Preferences menu
  • Configuring protocols preferences

Introduction

In this chapter, we will cover the basic tasks related to Wireshark. In the Preface of this book, we discussed network troubleshooting and the various tools that can help us in the process. After reaching the conclusion that we need to use the Wireshark protocol analyzer, it's time to locate it for testing in the network, to configure it with basic configurations, and to adapt it to be user friendly.

While setting Wireshark for basic data capture is considered to be very simple and intuitive, there are many options that we can use in special cases; for example, when we capture data continuously over a connection and we want to split the capture file into small files, when we want to see names of the devices participating in the connection and not only IP addresses, and so on. In this chapter we will learn how to configure Wireshark for these special cases.

Another important issue is where to locate Wireshark to capture data. Will it be before a firewall or after it? On which side of the router should we connect it? On the LAN side or on the WAN side? What should we expect to receive in each one of them? All these issues and more will be covered in the Locating Wireshark recipe in this chapter, along with recommendations on how to do it.

Another important issue that will be covered in this chapter is how to configure time values, that is, how you would like Wireshark to present the arrival time of captured packets. This is significantly important when we capture data of time-sensitive applications, when it is important to see the timing of packets inside a TCP connection or a UDP flow.

The next recipe will be on file manipulations, that is, how to save the captured data, whether we want to save the whole of it or part of it, save only filtered data, export that data into various formats, merge files (for example, when you want to merge captured files on two different router interfaces), and so on.

One more issue that will be discussed in this chapter is how to configure coloring rules. That is, how to configure Wireshark to present different packets and protocols in different colors. While Wireshark by default has its coloring scheme, we might want to configure it for special cases, for example, to give a special color to a specific protocol that we monitor or to a specific error or event that we expect. The Configuring coloring rules and navigation techniques recipe discusses these issues.

The last two recipes of the chapter will cover the configuration of the Wireshark preferences. These recipes discuss how to configure the user interface, that is, to configure the Wireshark windows, the columns and what to see in each one of them, text formats, and so on, along with specific protocol configurations; for example, which TCP ports should be resolved by default as a proxy service, whether or not to validate a protocol checksum, whether or not to calculate TCP timestamps, how to decode fields in the protocol header, and so on.

Locating Wireshark

After understanding the problem and deciding to use Wireshark, the first step would be to decide where to locate it. For this purpose, we need to have a precise network diagram (at least the part of the network that is relevant to our test).

The principle is to locate the device that you want to monitor, connect your laptop to the same switch that it is connected to, and configure a port mirror or monitor to the monitored device. This operation enables you to see all traffic coming in and out of the monitored device.

You can monitor a LAN port, WAN port, server or router port, or any other device connected to the network.

[Figure: Locating Wireshark]

In the preceding diagram, the Wireshark software (installed on the PC on the left) and the port mirror, also called port monitor (configured on the switch in the direction as in the diagram), will monitor all the traffic coming in and out of server S2. Of course, we can also install Wireshark directly on the server itself, and by doing so, we will be able to watch the traffic directly on the server.

Some LAN switch vendors also enable other features such as:

  • Monitoring a whole VLAN: We can monitor a server's VLAN, Telephony VLAN, and so on. In this case you will see all the traffic on a specific VLAN.
  • Monitoring several ports to a single analyzer: We can monitor traffic on servers S1 and S2 together.
  • Filtering: Filtering means choosing and accordingly configuring whether to monitor incoming traffic, outgoing traffic, or both.

Getting ready

To start working with Wireshark, go to the Wireshark website and download the latest version of the tool.

An updated version of Wireshark can be found on the website at http://www.wireshark.org/, under the Download heading. Download the latest Wireshark stable release that is available at http://www.wireshark.org/download.html.

Each Wireshark Windows package comes with the latest stable release of WinPcap, which is required for live packet capture. The WinPcap driver is a Windows version of the UNIX Libpcap library for traffic capture.

How to do it...

Let's take a look at the typical network architecture and network devices, how they work, how to configure them when required, and where to locate Wireshark.

[Figure: Typical network architecture]

Let's have a look at the simple and common network architecture in the preceding diagram.

Monitoring a server

This will be one of the most common requirements that we will have. It can be done by either configuring the port monitor to the server (numbered as 1 in the preceding diagram), or installing Wireshark on the server itself.

Monitoring a router

In order to monitor a router, we can monitor a LAN port (numbered as 2 and 6 in the preceding diagram), or a WAN port (numbered as 5 in the preceding diagram). To monitor a LAN port is easy—simply configure the port monitor to the port you wish to monitor. In order to monitor a WAN port, you can connect a switch between the router port and the Service Provider (SP) network, and configure the port monitor on this switch, as in the following illustration.

[Figure: Monitoring a router]

Connecting a switch between the router and the service provider is an operation that breaks the connection; however, when you prepare for it, it should take less than a minute.

When monitoring a router, don't forget—not all packets coming in to a router will be forwarded. Some packets can be lost, dropped on the router buffers, or routed back on the same port that they came in from.

Two additional devices that you can use are TAPs and Hubs.

  • TAPs: Instead of connecting a switch on the link you wish to monitor, you can connect a device called Test Access Point (TAP), which is a simple three-port device that, in this case, will play the same role as that of the switch. The advantage of a TAP over a switch is its simplicity and price. TAPs also forward errors that can be monitored on Wireshark, unlike a LAN switch that drops them. Switches, on the other hand, are much more expensive, take a few minutes to configure, but provide you with additional monitoring capabilities, for example, Simple Network Management Protocol (SNMP). When you troubleshoot a network, it is better to have an available managed LAN switch, even a simple one.
  • Hubs: You can simply connect a hub in parallel to the link you want to monitor, and since a hub is a half-duplex device, every packet sent between the router and the SP device will be watched on your Wireshark. The biggest con of this method is that the hub itself slows the traffic, and it therefore influences the test. In many cases you also want to monitor 1 Gbps ports, and since there is no hub available for this, you will have to reduce the speed to 100 Mbps, which again will influence the traffic. Therefore, hubs are not commonly used.

Monitoring a firewall

When monitoring a firewall, it differs depending on whether you monitor the internal port (numbered 3 in the diagram) or the external port (numbered 4 in the diagram). On the internal port you will see all the internal addresses and all traffic initiated by the users working in the internal network, while on the external port you will see the external addresses that we go out with (translated by NAT from the internal addresses); you will not see requests from the internal network that were blocked by the firewall. If someone is attacking the firewall from the Internet, you will see it (hopefully) only on the external port.

How it works...

To understand how the port monitor works, it is first important to understand the way that a LAN switch works. A LAN switch forwards packets in the following way:

  1. The LAN switch continuously learns about the MAC addresses of the devices connected to it.
  2. Now, if a packet is sent to a destination MAC, it will be forwarded only to the physical port that the switch knows this MAC address is coming from.
  3. If a broadcast is sent, it will be forwarded to all the ports of the switch.
  4. If a multicast is sent and Cisco Group Management Protocol (CGMP) or Internet Group Management Protocol (IGMP) is disabled, it will be forwarded to all the ports of the switch (CGMP and IGMP are protocols that enable multicast packets to be forwarded only to devices on a specific multicast group).
  5. If a packet is sent to a MAC address that the switch does not know about (which is a very rare case), it will be forwarded to all the ports of the switch.

Therefore, when you configure a port monitor to a specific port, you will see all the traffic coming in and out of it. If you connect your laptop to the network, without configuring anything, you will see only the traffic coming in and out of your laptop, along with broadcasts and multicasts from the network.

There's more...

When capturing data, there are some tricky scenarios that you should be aware of.

One such scenario is monitoring a VLAN. When monitoring a VLAN, you should be aware of several important issues. The first issue is that even when you monitor a VLAN, the packet must physically be transferred through the switch you are connected to, in order to see it. If, for example, you monitor VLAN-10 that is configured across the network, and you are connected to your floor switch, you will not see the traffic that goes from other switches to the servers on the central switch.

This is because when building a network, the users are usually connected to floor switches in one or more locations on the floor, which are connected to the building's central switch (or two redundant switches). To monitor all the traffic on a VLAN, you have to connect to a switch that all of the VLAN's traffic goes through, and this is usually the central switch.

[Figure: Monitoring a VLAN]

In the preceding diagram, if you connect Wireshark to Switch SW2, and configure a monitor to VLAN30, you will see all the packets coming in and out of P2, P4, and P5, inside or outside the switch. You will not see packets transferred between devices on SW3 and SW1, or packets between SW1 and SW3.

Another issue when monitoring a VLAN is that you might see duplicate packets. This is because when you monitor a VLAN, and packets are going in and out of the VLAN, you will see the same packet when it comes in, and then again when it goes out of the VLAN.

You can see the reason in the following illustration. When, for example, S4 sends a packet to S2, and you configure the port mirror to VLAN30, you will see the packet once when sent from S4 passing through the switch and entering the VLAN30, and then when leaving VLAN30 and coming to S2.
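The following Python model is an added example, not code from the book: it implements the five forwarding rules from the How it works section together with a port mirror and a VLAN mirror, reproduces the duplicate copies the analyzer receives when a VLAN is mirrored, and strips those duplicates the way a sliding-window tool such as editcap -d would. The switch model, port names and MAC addresses (IANA documentation range) are constructed for the example.

```python
import hashlib
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac):
    """Broadcast and multicast MACs have the I/G bit (lowest bit of the first octet) set."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


class LearningSwitch:
    """Toy model of a LAN switch with port-mirror and VLAN-mirror (SPAN) sessions."""

    def __init__(self, port_vlans):
        self.port_vlans = dict(port_vlans)   # port -> access VLAN of that port
        self.mac_table = {}                  # MAC -> port it was learned on
        self.port_mirrors = {}               # monitored port -> analyzer port
        self.vlan_mirrors = {}               # monitored VLAN -> analyzer port
        self.seen = defaultdict(list)        # port -> raw frames delivered to it

    def mirror_port(self, monitored, analyzer):
        self.port_mirrors[monitored] = analyzer

    def mirror_vlan(self, vlan, analyzer):
        self.vlan_mirrors[vlan] = analyzer

    def forward(self, ingress, frame):
        """Deliver one frame; returns the egress ports in order (an analyzer may repeat)."""
        vlan = self.port_vlans[ingress]
        self.mac_table[frame["src"]] = ingress             # rule 1: learn the source MAC
        dst = frame["dst"]
        if is_group_address(dst) or dst not in self.mac_table:
            # rules 3-5: broadcast, multicast or unknown unicast is flooded in the VLAN
            egress = [p for p, v in self.port_vlans.items() if v == vlan and p != ingress]
        else:
            egress = [self.mac_table[dst]]                 # rule 2: known unicast, one port
        copies = list(egress)
        for monitored, analyzer in self.port_mirrors.items():
            if ingress == monitored or monitored in egress:
                copies.append(analyzer)                    # port SPAN: in and out of the port
        analyzer = self.vlan_mirrors.get(vlan)
        if analyzer is not None:
            # VLAN SPAN: one copy as the frame enters the VLAN and one per port it leaves on,
            # so traffic between two VLAN members reaches the analyzer twice
            copies.append(analyzer)
            copies.extend([analyzer] * len(egress))
        for port in copies:
            self.seen[port].append(frame["bytes"])
        return copies


def dedup(frames, window=5):
    """Drop a frame identical to any of the previous `window` frames (simplified editcap -d)."""
    recent = deque(maxlen=window)
    kept, dropped = [], 0
    for raw in frames:
        digest = hashlib.sha256(raw).digest()
        if digest in recent:
            dropped += 1
        else:
            kept.append(raw)
        recent.append(digest)
    return kept, dropped


# Constructed MAC addresses from the IANA documentation range 00:00:5E:00:53:xx
S2, S4 = "00:00:5e:00:53:02", "00:00:5e:00:53:04"


def scenario():
    # p1: Wireshark laptop (VLAN 1); p2: server S2, p4: server S4, p5: another host (VLAN 30)
    sw = LearningSwitch({"p1": 1, "p2": 30, "p4": 30, "p5": 30})
    for src, port in ((S2, "p2"), (S4, "p4")):          # broadcasts let the switch learn MACs
        sw.forward(port, {"src": src, "dst": BROADCAST, "bytes": b"arp from " + src.encode()})
    req = {"src": S4, "dst": S2, "bytes": b"S4->S2 request"}
    out = {"no_mirror": sw.forward("p4", req)}            # known unicast: p2 only, laptop sees nothing
    sw.mirror_port("p2", "p1")
    out["port_mirror"] = sw.forward("p4", req)            # p2 plus one copy to the analyzer
    sw.port_mirrors.clear()
    sw.mirror_vlan(30, "p1")
    out["vlan_mirror"] = sw.forward("p4", req)            # the analyzer gets the packet twice
    kept, dropped = dedup(sw.seen["p1"])
    out["analyzer_frames"], out["after_dedup"], out["dropped"] = len(sw.seen["p1"]), len(kept), dropped
    return out
```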

[Figure: Duplicate packets when mirroring a VLAN]

See also

For information on how to configure the port mirror, refer to the vendor's instructions. It can be called port monitor, port mirror, or SPAN (Switched Port Analyzer from Cisco).

There are also advanced features such as remote monitoring (monitoring a port that is not directly connected to your switch), advanced filtering (such as filtering specific MAC addresses), and so on. There are also advanced switches that have capture and analysis capabilities on the switch itself. It is also possible to monitor virtual ports (for example, LAG or Ether channel groups). For all cases, refer to the vendor's specifications.

Starting the capture of data

In this recipe, we will learn how to start capturing data, and what we will get in various capture scenarios, after we have located Wireshark in the network.

Getting ready

After you install Wireshark on your computer, the only thing to do will be to start the analyzer from the desktop, program files, or the quick start bar.

When you do so, the following window will be opened (Version 1.10.2):

[Figure: Wireshark start window (Version 1.10.2)]

How to do it...

You can start the capture from the upper bar Capture menu, or from the quick-launch bar with the capture symbol, or from the center-left capture window on the Wireshark main screen. There are options that you can choose from.

How to choose the interface to start the capture

If you simply click on the green icon, third to the right, in Wireshark and start the capture, Wireshark will start the capture on the default interface as configured in the software (explained later in the chapter in the recipe Configuring the user interface in the Preferences menu). In order to choose the interface you want to capture on, click on the List the available capture interfaces symbol, and the Wireshark Capture Interfaces window will open.

[Figure: Capture Interfaces window]

The easiest way to see which interface is active is to look at the right-hand side of the window, at the interface on which you see traffic running. There you will see the total number of Packets seen by Wireshark and the number of Packets/sec on each interface.

[Figure: Packet counters per interface]

In Wireshark Version 1.10.2 and above, you can choose one or more interfaces for the capture. This can be helpful in many cases; for example, when you have multiple physical NICs, you can monitor the port on two different servers, two ports of a router, or other multiple ports at the same time. A typical configuration is seen in the following screenshot:

[Figure: Capturing on multiple interfaces]

How to configure the interface you capture data from

To configure the interface you capture data from, choose Options from the Capture menu. The following window will appear:

[Figure: Capture Options window]

In the preceding window you can configure the following parameters:

  1. On the upper side of the window, choose the interface you want to capture the data from.
  2. On the left side of the window, you have the checkbox Use promiscuous mode on all interfaces. When checked, Wireshark will capture all the packets that the computer receives. Unchecking it will capture only packets intended for the computer.
  3. In some cases, when this checkbox is checked, Wireshark will not capture data in the wireless interface; so if you start capturing data on the wireless interface and see nothing, uncheck it.
  4. On the mid-left area of the window, you have the Capture Files field. You can write a file name here, and Wireshark will save the captured file under this name, with extensions 0001, 0002, and so on under the path you specify. This feature is extremely important when capturing a large amount of data; for example, when capturing data over a heavily-loaded interface, or over a long period of time. You can tell the software to open a new file after a specific interval of time, file size, or number of packets.
  5. On the bottom left of the window, you have the area marked as Stop Capture Automatically in the preceding screenshot. In this area, you can tell the software to stop capturing data after a specific interval of time, file size, or number of packets.
  6. On the mid-right area of the window, you can change the Display options and select the checkboxes Update list of packets in real time, Automatically scroll during live capture, and Hide capture info dialog, which closes the annoying capture window (a pop-up that appears the moment you start the capture). In most cases you don't have to change anything here.
  7. On the bottom right of the window, you configure the resolving options for MAC addresses, IP DNS names, and TCP/UDP port numbers. The last checkbox, Use external network name resolver, uses the system's configured name resolver (in most of the cases, DNS), to resolve network names.

How it works...

Here the answer is very simple. When Wireshark is connected to a wired or wireless network, there is a software driver that is located between the physical or wireless interface and the capture engine. In Windows we have the WinPcap driver, in Unix platforms the Libpcap driver, and for wireless interfaces we have the AirPcap driver.

There's more...

In cases where the capture time is important, and you wish to capture data on one interface or more, and be time-synchronized with the server you are monitoring, you can use Network Time Protocol (NTP) to synchronize your Wireshark and the monitored servers with a central time source.

This is important in cases when you want to go through the Wireshark capture file in parallel to a server logfile, and look for events that are shown on both. For example, if you see retransmissions in the capture file at the same time as a server or application error on the monitored server, you will know that the retransmissions are because of server errors and not because of the network.

The Wireshark software takes its time from the OS clock (Windows, Linux, and so on). For configuring the OS to work with a time server, go to the relevant manuals of the operating system that you work with.

In Microsoft Windows 7, configure it as follows:

  1. Go to the Control Panel.
  2. Choose Clock, Language, and Region.
  3. Under Date and Time, choose Set the time and date and change to the Internet Time tab.
  4. Click on the Change Settings button.
  5. Change the server name or the IP address.

Note

In Microsoft Windows 7 and later versions, there is a default setting for the time server. As long as all devices are tuned to it, you can use it as any other time server.

NTP is a network protocol used for time synchronization. When you configure your network devices (routers, switches, firewalls, and so on) and servers to use the same time source, they will be time synchronized to this source. The accuracy of the synchronization depends on the accuracy of the time server, which is expressed in levels called strata. The lower the stratum number, the more accurate the source; stratum 1 is the most accurate. Usually you will have servers at stratum 2 to 4.

NTP was first standardized in RFC 1059 (NTPv1), and then in RFC 1119 (NTPv2); the common versions in recent years are NTPv3 (RFC 1305) and NTPv4 (RFC 5905).

You can get a list of NTP servers on various websites, among them http://support.ntp.org/bin/view/Servers/StratumOneTimeServers and http://wpollock.com/AUnix2/NTPstratum1PublicServers.htm.
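As an added example (not code from the book), the following Python decodes the 48-byte NTPv4 header that Wireshark dissects in such an exchange, reads the stratum and version discussed above, and derives the client clock offset from the four timestamps as RFC 5905 defines it. The server reply bytes and the timestamps are constructed; note that NTP timestamps count from 1900 while Wireshark's Seconds Since Epoch counts from 1970.

```python
import struct

NTP_HEADER = "!BBbbII4sIIIIIIII"   # 48-byte NTPv4 header layout (RFC 5905, section 7.3)
NTP_UNIX_DELTA = 2208988800         # seconds between 1900-01-01 and 1970-01-01


def ntp_to_unix(seconds, fraction):
    """NTP timestamp (1900 epoch, 32.32 fixed point) -> Unix seconds (1970 epoch)."""
    return seconds - NTP_UNIX_DELTA + fraction / 2 ** 32


def unix_to_ntp(t):
    """Unix seconds -> (seconds, fraction) NTP timestamp words."""
    whole = int(t)
    fraction = min(int(round((t - whole) * 2 ** 32)), 2 ** 32 - 1)
    return whole + NTP_UNIX_DELTA, fraction


def build_server_reply(stratum, t1, t2, t3, version=4):
    """Constructed NTP server reply (mode 4); poll, precision and reference ID are placeholders."""
    li_vn_mode = (0 << 6) | (version << 3) | 4
    reference = unix_to_ntp(t2)   # reference timestamp: reuse t2 for the constructed packet
    return struct.pack(NTP_HEADER, li_vn_mode, stratum, 6, -20, 0, 0, b"GPS\x00",
                       *reference, *unix_to_ntp(t1), *unix_to_ntp(t2), *unix_to_ntp(t3))


def parse_ntp(data):
    """Decode the fields a capture shows for one NTP packet."""
    if len(data) < 48:
        raise ValueError("NTP header is 48 bytes")
    f = struct.unpack(NTP_HEADER, data[:48])
    return {
        "leap": f[0] >> 6,
        "version": (f[0] >> 3) & 7,
        "mode": f[0] & 7,                 # 3 = client, 4 = server
        "stratum": f[1],                  # 1 = primary reference, 2-15 = secondary, 16 = unsynchronized
        "ref_id": f[6],
        "t1": ntp_to_unix(f[9], f[10]),   # origin: when the client sent the request
        "t2": ntp_to_unix(f[11], f[12]),  # receive: when the server got the request
        "t3": ntp_to_unix(f[13], f[14]),  # transmit: when the server sent the reply
    }


def clock_offset(reply, t4):
    """RFC 5905 on-wire formulas: client clock offset (positive = client behind) and round-trip delay.
    t4 is the time the client received the reply, i.e. the capture timestamp on the client side."""
    offset = ((reply["t2"] - reply["t1"]) + (reply["t3"] - t4)) / 2
    delay = (t4 - reply["t1"]) - (reply["t3"] - reply["t2"])
    return offset, delay


def scenario():
    # Constructed exchange with a stratum 2 server; the client clock runs 0.375 s behind it
    t1, t2, t3, t4 = 1700000000.0, 1700000000.5, 1700000000.75, 1700000000.5
    reply = parse_ntp(build_server_reply(2, t1, t2, t3))
    offset, delay = clock_offset(reply, t4)
    return reply, offset, delay
```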

See also

You can get more information about Pcap drivers at:

Configuring the start window

In this recipe we will see some basic configurations for the start window. We will talk about configuring the main window, file formats, and viewing options.

Getting ready

Start Wireshark, and you will get the start window. There are several parameters you can change here in order to adapt the capture window to meet your requirements:

  • Toolbars configuration
  • Main window configuration
  • Time format configuration
  • Name resolution
  • Colorize packet list
  • Auto scroll in live capture
  • Zoom
  • Columns configuration
  • Coloring rules

First, let's have a look at the toolbars that are used by the software:

[Figure: Wireshark toolbars]

The other toolbars, covered in the following subsections of this recipe, are:

  • Main Toolbar
  • Display Filter Toolbar
  • Status Bar

Main Toolbar

In the main toolbar you have the icons shown in the following screenshot:

[Figure: Main Toolbar]

The five leftmost symbols are for capture operations, then you have symbols for file operations, zoom and "go to packet" operations, colorize and auto-scroll, zoom and resize, filters, preferences, and help.

Display Filter Toolbar

In the filter toolbar, you have the following fields:

[Figure: Display Filter Toolbar]

Status Bar

In the status bar on the lower side of the Wireshark window, you can see the data shown in the following screenshot:

[Figure: Status Bar]

In the preceding screenshot you can see the following:

  • Errors in the expert system
  • The option to add a comment to the file
  • The name of the captured file (during capture, it will show you a temporary name assigned by the software)
  • Total number of captured packets, displayed packets (those which are actually displayed on the screen), and marked packets (those that you have marked).

How to do it...

In this part we will go step by step and configure the main menu.

Configuring toolbars

Usually, for regular packet capture, you don't have to change anything. This is different when you want to capture wireless data over the network (not only from your laptop); you will have to enable the wireless toolbar, which is done by clicking on it under the View menu, as shown in the following screenshot:

[Figure: Configuring toolbars]

Configuring the main window

To configure the main window for capturing, you can configure Wireshark to show the following panes:

[Figure: Configuring the main window]

In most of the cases you will not need to change anything here. In some cases, you can cancel the packet bytes when you don't need to see them, and you will get more "space" for the packet list and details.

Name Resolution

Name Resolution is the translation of layer 2 (MAC addresses), layer 3 (IP addresses), and layer 4 (Port numbers) into meaningful information.

[Figure: Name Resolution]

In the preceding screenshot, we see the MAC address 60:d8:19:c7:8e:73 (from Hon Hai Precision Ind., used by Lenovo), the website (that is, Packtpub.com), and the HTTP port number (that is 80).

Colorizing the packet list

Usually you start a capture in order to establish a baseline profile of what normal traffic looks like on your network. During the capture, you look at the captured data and you might find a TCP connection, or IP or Ethernet connectivity, that looks suspicious, and you want to see it in another color.

To do so, right-click on the packet that belongs to the conversation you want to color, choose Ethernet, IP, or TCP/UDP (the appearance of TCP or UDP will depend on the packet), and choose the color for the conversation.

In the example you see that we want to color a Transport Layer Security (TLS) conversation.

[Figure: Colorizing the packet list]

For canceling the coloring rule:

  1. Go to the View menu.
  2. In the lower part of the menu, choose Reset Coloring 1-10 or simply click on Ctrl + Space bar.

Auto scrolling in live capture

To configure Wireshark to auto-scroll the packets as it captures them, do the following:

  1. Go to the View menu.
  2. Mark the Auto Scroll in Live Capture item.

Zoom

For zooming in and out:

  1. Go to the View menu.
  2. Click on Zoom In or press Ctrl + + to zoom in.
  3. Click on Zoom Out or press Ctrl + - to zoom out.

Using time values and summaries

Time format configuration is about how the time column (second from the left in the default configuration) will be presented. In some scenarios this is of significant importance; for example, in TCP connections where you want to see the time intervals between packets, or when you capture data from several sources and want to see the exact time of every packet.

Getting ready

To configure the time format, go to the View menu, and under Time Display Format you will get the following window:

[Figure: Time Display Format submenu]

How to do it...

You can choose from the following options:

  • Date and Time of Day (the first two options): This will be good to configure when you troubleshoot a network with time-dependent events, for example, when you know about an event that happens at specific times, and you want to look at what happens on the network at the same time.
  • Seconds Since Epoch: Time in seconds since January 1, 1970. Epoch is an arbitrary date chosen as a reference time for a system, and January 1, 1970 was chosen for Unix and Unix-like systems.
  • Seconds Since Beginning of Capture: The default configuration.
  • Seconds Since Previous Captured Packet: This is also a common feature that enables you to see time differences between packets. This can be useful when monitoring time-sensitive traffic (where time differences between packets are important), such as TCP connections, live video streaming, VoIP calls, and so on.
  • Seconds Since Previous Displayed Packet: This is a useful feature that can be used when you configure a display filter, and only a selected part of the captured data is presented (for example, a TCP stream). In this case, you will see the time difference between packets that can be important in some applications.
  • UTC Date and Time of Day: Provides us with relative UTC time.

The lower part of the submenu provides the format of the time display. Change it only if a more accurate measurement is required.

You can also use Ctrl + Alt + any numbered digit key on the keyboard for the various options.

How it works...

This is quite simple. Wireshark works on the system clock and presents the time as it is in the system. By default you see the time since the beginning of capture.

Configuring coloring rules and navigation techniques

Coloring rules define how Wireshark will color protocols and events in the captured data. Working with the coloring rules will help you a lot with network troubleshooting, since you are able to see different protocols in different colors, and you can also configure different colors for different events.

Coloring rules enable you to configure new coloring rules according to various filters. This helps you to configure different coloring schemes for different scenarios and save them in different profiles. In this way you can configure coloring rules for resolving TCP issues, rules for resolving SIP and telephony problems, and so on.

Tip

You can configure Wireshark Profiles in order to save Wireshark configuration; for example, predefined colors, filters, and so on. To do so, navigate to Configuration Profiles from the Edit menu.

Getting ready

To start with the coloring rules, proceed as follows:

  1. Go to the View menu.
  2. On the lower part of the menu, choose Coloring Rules. You will get the following window:
  [Figure: Coloring Rules window]

How to do it...

We will now move on to the coloring rules:

Click on the New button, and you will get the following window:

[Figure: New coloring rule window]

In order to configure a new coloring rule, follow these steps:

  1. In the Name field, fill in the name of the rule. For example, fill in NTP for the Network Time Protocol.
  2. In the String field, fill in the filter string, that is, what you want the rule to show (we will talk about display filters in Chapter 3, Using Display Filters). You can click on the expression button and get a list of preconfigured filters.
  3. Click on the Foreground Color button and choose the foreground color for the rule. This will be the foreground color of the packet in the packet list.
  4. Click on the Background Color button and choose the background color for the rule. This will be the background color of the packet in the packet list.
  5. Click on the Edit button if you want to edit an existing rule. You can also click on the Import button to import an existing coloring scheme, or on the Export button to export the current scheme.

Tip

The order of the coloring rules matters, because the rules are applied in the order in which they are listed. Make sure the list is in the order you want them applied. For example, application layer protocols should come before TCP or UDP, so that Wireshark colors them in their own color and not the regular TCP or UDP color.
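To make the ordering point concrete, here is an added example (not code from the book) in Python: a first-match-wins evaluator over an ordered rule list, showing an HTTP packet swallowed by a TCP rule placed above it, plus a writer and parser for the @name@filter@[fg][bg] line layout of Wireshark's colorfilters profile file. The filter matcher is a toy that understands only protocol names joined by && (with optional !), not the real display-filter engine, and the 8-bit to 16-bit colour scaling by 257 is this example's convention.

```python
import re

# One rule per line: @name@display filter@[fg_r,fg_g,fg_b][bg_r,bg_g,bg_b], 16-bit channel values
RULE_RE = re.compile(r"@([^@]*)@([^@]*)@\[(\d+),(\d+),(\d+)\]\[(\d+),(\d+),(\d+)\]")


def to_colorfilters_line(name, filter_str, fg, bg):
    """Write one rule in the layout of the colorfilters file; fg/bg are 8-bit (r, g, b) tuples."""
    def channels(rgb):
        return "[" + ",".join(str(c * 257) for c in rgb) + "]"   # 255 * 257 == 65535
    return f"@{name}@{filter_str}@{channels(fg)}{channels(bg)}"


def parse_colorfilters_line(line):
    """Inverse of to_colorfilters_line: returns (name, filter, fg, bg) with 8-bit colours."""
    m = RULE_RE.fullmatch(line.strip())
    if m is None:
        raise ValueError(f"not a colorfilters rule: {line!r}")
    values = [int(v) // 257 for v in m.groups()[2:]]
    return m.group(1), m.group(2), tuple(values[:3]), tuple(values[3:])


def matches(filter_str, layers):
    """Toy stand-in for the display-filter engine: protocol names, optionally negated
    with '!', joined by '&&' (for example 'tcp && !http'); layers is the dissected stack."""
    for term in filter_str.split("&&"):
        term = term.strip()
        negated = term.startswith("!")
        proto = term.lstrip("!").strip()
        if (proto in layers) == negated:
            return False
    return True


def colorize(rules, layers):
    """Wireshark paints a packet with the first rule whose filter matches, top to bottom."""
    for name, filter_str, _fg, _bg in rules:
        if matches(filter_str, layers):
            return name
    return None


def scenario():
    # Constructed packets, described by their dissected protocol stacks
    http_pkt = ["eth", "ip", "tcp", "http"]
    ntp_pkt = ["eth", "ip", "udp", "ntp"]
    tcp_pkt = ["eth", "ip", "tcp"]
    black = (0, 0, 0)
    tcp_rule = ("TCP", "tcp", black, (231, 230, 255))
    ntp_rule = ("NTP", "ntp", black, (218, 238, 255))
    http_rule = ("HTTP", "http", black, (228, 255, 199))
    wrong_order = [tcp_rule, ntp_rule, http_rule]   # transport rule first: it swallows HTTP packets
    right_order = [http_rule, ntp_rule, tcp_rule]   # application-layer rules first, transport last
    packets = (http_pkt, ntp_pkt, tcp_pkt)
    return {
        "wrong": [colorize(wrong_order, p) for p in packets],
        "right": [colorize(right_order, p) for p in packets],
        "file": [to_colorfilters_line(*rule) for rule in right_order],
    }
```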

How it works...

Like many operations in Wireshark, you can configure various operations on the data that is filtered. The coloring rules mechanism simply applies a coloring rule to a predefined filter.

See also

You can find various types of coloring schemes at http://wiki.wireshark.org/ColoringRules, along with many other examples, in a simple Internet search.

Saving, printing, and exporting data

In this recipe we will talk about file operations such as save, export, print, and others.

Getting ready

Start Wireshark or open a saved file.

How to do it...

We can save a whole file, and export specific data in various formats and file types. In the following paragraphs we will see how to do it.

To save a whole file with captured data, perform the following steps:

  1. In the File menu, click on Save (or press Ctrl + S) for saving the file with its own name.
  2. In the File menu, click on Save as (or press Shift + Ctrl + S) for saving the file with a new name.

For saving a part of a file, for example, only the displayed data:

  1. Navigate to Export Specified Packets under the File menu. You will get the following window:
    [Figure: Export Specified Packets window]
  2. At the bottom-left side of the window, you will see that you can choose which part of the data you want to save.
  3. For saving all the captured data, select All packets and Captured.
  4. For saving only the displayed data, choose All packets and Displayed.
  5. For saving only selected packets from the file (a selected packet is simply a packet that you clicked on), choose Selected packet.
  6. For saving marked packets (that is, packets that were marked by right-clicking on them in the packet list window and choosing the Mark Packet toggle from the menu), choose Marked packets.
  7. For saving packets between two marked packets select the First to last marked option.
  8. For saving a range of packets, select Range and specify the range of packets you want to save.
  9. In the packet list window, you can manually choose to ignore a packet. In the Export window you can choose to ignore these packets and not save them.

In all the options mentioned, you can choose the packets from the entire captured file, or only from the packets displayed on the screen (that is, the packets shown in the packet list after a display filter has been applied).

Saving data in various formats

You can save the data captured by Wireshark in various formats, for further analysis with other tools.

You can save the file in the following formats:

  • Plain text (*.txt): export packet data into a plain text ASCII file.
  • PostScript (*.ps): export packet data into PostScript format.
  • Comma Separated Values: Packet Summary (*.csv): export the packet summary into CSV file format, to use it with spreadsheet programs (such as Microsoft Excel).
  • C Arrays to Packet Bytes (*.c): export packet bytes as C arrays so that they can be included in C programs.
  • PSML or XML Packet Summary (*.psml): export packet data into PSML, an XML-based format including only the packet summary. Further details about this format can be found at http://www.nbee.org/doku.php?id=netpdl:psml_specification.
  • PDML - XML Packet Details (*.pdml): export packet data into PDML, an XML-based format including the full packet details. Further details about this format can be found at http://www.nbee.org/doku.php?id=netpdl:pdml_specification.

To save the file, select Export Packet Dissections from the File menu, and you will get the following window:

[Screenshot: the Export Packet Dissections window]

In the preceding screenshot, in the marked box on the left-hand side, you choose the packets you want to save. The process is the same as in the previous recipe. In the marked box on the right-hand side, you choose the format of the file to be saved.

How to print data

In order to print data, click on Print in the File menu, and you will get the following window:

[Screenshot: the Wireshark Print window]

In the Wireshark Print window, you have the following choices:

  • In the upper window, you choose the file format to be printed
  • In the lower-left window, you choose the packets to print (as in the Export window)
  • In the lower-right window, you choose the format of the printed data, and the data panes to print from the Wireshark window:
    • The Packet Summary pane
    • The Packet Details pane
    • The Packet Bytes pane

How it works...

The data can be printed in text format, in PostScript (for PostScript-aware printers), or to a file. After configuring this window and clicking on Print, the regular printing window will appear and you can choose the printer.

Configuring the user interface in the Preferences menu

There are a large number of parameters you can change in the Preferences window, including what data is presented, where files are saved by default, which interface Wireshark captures data from by default, and many more.

In this chapter we will refer to the common parameters that, when changed, will help us with various capture scenarios.

Getting ready

To configure the user interface, choose the Preferences option from the Edit menu. You will get the following window:

[Screenshot: the Preferences window]

We will look at the configuration of the following parameters:

  • Columns
  • Capture
  • Name Resolution

How to do it...

In this section we will see how to change parameters that will help in working with Wireshark.

Changing and adding columns

The default columns that we see in the packet pane are the number, time, source and destination addresses, protocol, length, and information columns, as shown in the following screenshot:

[Screenshot: the default columns in the packet pane]

To add a new column to the packet pane:

  1. You can choose one of the predefined parameters to be added as a new column from the Field type list. Among these parameters are the time delta, the IP DSCP value, port numbers, and others.
  2. A very important feature comes up when you choose Custom as the field type. In this case, you can fill in any filter string as the Field name. You can, for example, add the following:
    1. Add the string tcp.window_size to view the TCP window size (which influences performance).
    2. Add the string ip.ttl to view the IP TTL (Time-To-Live) parameter of every packet.
    3. Add rtp.marker to view every instance of a marker set in an RTP packet.

As we will see in later chapters, this feature will assist us a lot in resolving network problems quickly.
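The PDML export described under Saving data in various formats and the Custom column field names above fit together: a PDML field is named with exactly the filter string a Custom column accepts. The following is an added example, not code from the book or from the Wireshark project; it parses a constructed, trimmed PDML sample with the Python standard library and builds a CSV packet summary from any list of field names.

```python
"""Build a packet summary with custom columns from a Wireshark PDML export.

Added example, not code from the book. In PDML each <proto> holds one
<field> per dissected value, named with the same filter string a Custom
column accepts, so the column list below is reused unchanged. SAMPLE_PDML
is a constructed, trimmed two-packet export: real files carry more
attributes (showname, pos, size, value) and far more fields, but this
parser only needs name and show.
"""
import csv
import io
import xml.etree.ElementTree as ET

SAMPLE_PDML = """<pdml version="0" creator="wireshark/1.10.0">
<packet>
  <proto name="geninfo" showname="General information">
    <field name="num" show="1"/>
    <field name="timestamp" show="Dec 24, 2013 10:00:00.000000"/>
  </proto>
  <proto name="ip" showname="Internet Protocol Version 4">
    <field name="ip.src" show="10.0.0.5"/>
    <field name="ip.dst" show="10.0.0.80"/>
    <field name="ip.ttl" show="64"/>
  </proto>
  <proto name="tcp" showname="Transmission Control Protocol">
    <field name="tcp.srcport" show="51234"/>
    <field name="tcp.dstport" show="80"/>
    <field name="tcp.flags" show="0x0002">
      <field name="tcp.flags.syn" show="1"/>
    </field>
    <field name="tcp.window_size" show="29200"/>
  </proto>
</packet>
<packet>
  <proto name="geninfo" showname="General information">
    <field name="num" show="2"/>
    <field name="timestamp" show="Dec 24, 2013 10:00:00.000412"/>
  </proto>
  <proto name="ip" showname="Internet Protocol Version 4">
    <field name="ip.src" show="10.0.0.80"/>
    <field name="ip.dst" show="10.0.0.5"/>
    <field name="ip.ttl" show="128"/>
  </proto>
  <proto name="tcp" showname="Transmission Control Protocol">
    <field name="tcp.srcport" show="80"/>
    <field name="tcp.dstport" show="51234"/>
    <field name="tcp.flags" show="0x0012">
      <field name="tcp.flags.syn" show="1"/>
      <field name="tcp.flags.ack" show="1"/>
    </field>
    <field name="tcp.window_size" show="65535"/>
  </proto>
</packet>
</pdml>
"""


def pdml_to_rows(pdml_text, columns):
    """One dict per <packet>, keyed by the requested field names.

    Fields nest (tcp.flags holds tcp.flags.syn), so every descendant is
    walked with iter(); the first occurrence wins, which keeps the outer
    header when a protocol is encapsulated in itself (IP inside ICMP).
    Fields absent from a packet stay "" so the rows remain rectangular.
    """
    root = ET.fromstring(pdml_text)
    rows = []
    for pkt in root.iter("packet"):
        row = dict.fromkeys(columns, "")
        for f in pkt.iter("field"):
            name = f.get("name")
            if name in row and row[name] == "":
                row[name] = f.get("show", "")
        rows.append(row)
    return rows


def rows_to_csv(rows, columns):
    """Serialise the rows as a CSV packet summary, header line first."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# The custom columns from the recipe above, plus one this sample lacks.
COLUMNS = ["num", "ip.src", "ip.dst", "ip.ttl", "tcp.window_size", "rtp.marker"]

if __name__ == "__main__":
    print(rows_to_csv(pdml_to_rows(SAMPLE_PDML, COLUMNS), COLUMNS))
```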

Changing the capture configuration

There are some parameters that can be configured before capturing data. In the Preferences window choose the Capture menu, and the following window will come up:

[Screenshot: the Capture preferences window]

To change the default interface that the capture will start from, just click on the Edit button and mark the interface you would like to be the default. Of course, you can change it every time you start a new capture; this is only the default.

Configuring the name resolution

Wireshark supports name resolution in three layers:

  • Layer 2: by resolving the first part of the MAC address (the vendor prefix) to the vendor name. For example, 14:da:e9 will be presented as AsusTeckC (ASUSTeK Computer Inc.).
  • Layer 3: by resolving IP addresses to DNS names. For example, 157.166.226.46 will be resolved to www.edition.cnn.com.
  • Layer 4: by resolving TCP/UDP port numbers to port names. For example, port 80 will be resolved as HTTP, and port 53 as DNS.

[Screenshot: the Name Resolution preferences window]

Tip

In TCP and UDP, only the destination port that the client initially opens the session to carries a meaning. The source port that the connection is opened from is a random number (higher than 1024), so translating it to a port name tells you nothing.

The Wireshark default is to resolve layer-2 MAC addresses and layer-4 TCP/UDP port numbers. Resolving IP addresses can slow Wireshark down because of the large number of DNS queries it generates; therefore, use it carefully.

How it works...

This is Wireshark's configuration menu. Here you can configure the parameters described in this recipe, along with some others. You can refer to the Wireshark manuals at www.wireshark.org for further information.

Configuring protocol preferences

Configuring protocol preferences lets us change the way Wireshark captures and presents common protocols. In this recipe we will learn how to configure the most common protocols.

Getting ready

  1. Go to Preferences under the Edit menu, and you will see the following window:
    [Screenshot: the Preferences window with the Protocols tree]
  2. Click on the + sign on the left side of Protocols, and a protocol list will open. In the protocol list you will find both the common and the less common protocols. In this part we will talk about the common configurations, and we'll get into protocol details in the protocol chapters, that is, Chapter 7, Ethernet, LAN Switching, and Wireless LAN, to Chapter 14, Understanding Network Security.

How to do it...

In this recipe, we will talk about the following basic protocols (basic means that they are used everywhere, not that they are simple):

  • IPv4 and IPv6
  • TCP and UDP

Configuring IPv4 and IPv6 preferences

When you choose to configure the IPv4 or IPv6 parameters, you will get the following window:

[Screenshot: the IPv4/IPv6 protocol preferences window]

The parameters that you may change are:

  • Decode IPv4 ToS field as DiffServ Field: the original IP protocol came out with a field called Type Of Service (ToS), for enabling IP quality of service through the network. In the early 90s the Differentiated Services (DiffServ) standard changed the way that an IP device interprets this field. Unchecking this checkbox will show this field as in the original IP standard.
  • Enable GeoIP lookups: GeoIP is a database that enables Wireshark to present IP addresses as geographical locations. Enabling this feature in IPv4 and IPv6 enables this presentation. This feature involves a lookup for every address and can therefore slow down packet capture in real time.
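To see exactly what the Decode IPv4 ToS field as DiffServ Field checkbox toggles, the following added example (not code from the book or from Wireshark) decodes the same ToS byte both ways; the byte values used are constructed, and the per-hop-behaviour names follow the DiffServ RFCs.

```python
"""Decode the IPv4 ToS byte both ways the preference above allows.

Added example, not code from the book: the same byte read as the original
RFC 791 Type of Service (3-bit precedence plus the delay, throughput and
reliability bits) and as the DiffServ field (6-bit DSCP plus 2-bit ECN).
PHB names follow RFC 2474 (CS), RFC 2597 (AF) and RFC 3246 (EF).
"""


def decode_tos_legacy(tos: int) -> dict:
    """Original reading: bits 0-2 precedence, then the D, T and R flags."""
    return {
        "precedence": (tos >> 5) & 0x7,
        "low_delay": bool(tos & 0x10),
        "high_throughput": bool(tos & 0x08),
        "high_reliability": bool(tos & 0x04),
    }


def dscp_name(dscp: int) -> str:
    """Standard per-hop-behaviour name for a DSCP value, or just its number."""
    if dscp == 46:
        return "EF"                          # Expedited Forwarding
    cls, drop = divmod(dscp, 8)
    if drop == 0:
        return f"CS{cls}"                    # Class Selector (precedence-compatible)
    if 1 <= cls <= 4 and drop in (2, 4, 6):
        return f"AF{cls}{drop // 2}"         # Assured Forwarding class / drop precedence
    return f"DSCP {dscp}"


def decode_tos_diffserv(tos: int) -> dict:
    """DiffServ reading: upper six bits DSCP, lower two bits ECN."""
    dscp, ecn = tos >> 2, tos & 0x3
    return {"dscp": dscp, "phb": dscp_name(dscp), "ecn": ecn}


def describe(tos: int, as_diffserv: bool = True) -> str:
    """One-line rendering of the byte in the style of the two Wireshark views."""
    if as_diffserv:
        d = decode_tos_diffserv(tos)
        return f"DSCP 0x{d['dscp']:02x} ({d['phb']}), ECN 0x{d['ecn']:02x}"
    d = decode_tos_legacy(tos)
    flags = [n for n, bit in (("D", 0x10), ("T", 0x08), ("R", 0x04)) if tos & bit]
    return f"precedence {d['precedence']}, flags {''.join(flags) or '-'}"


if __name__ == "__main__":
    # Constructed sample bytes: EF (voice), AF41 (video), best effort.
    for tos in (0xB8, 0x88, 0x00):
        print(f"0x{tos:02x}: {describe(tos)} | {describe(tos, as_diffserv=False)}")
```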

Configuring TCP and UDP

In UDP, there is not much to change; it is a very simple protocol with a very simple configuration. In TCP, on the other hand, there are some parameters that can be changed.

[Screenshot: the TCP protocol preferences window]

Most of the changes you can make in the TCP preferences are in the way that Wireshark dissects the captured data.

  • Validate the TCP checksum if possible: with some NICs, you may see many "checksum errors". This is because TCP checksum offloading is implemented on many NICs. The problem might be that the NIC adds the checksum AFTER Wireshark captures the packet, so the captured copy does not yet carry the final checksum. If you see many TCP checksum errors, the first thing to do is to disable this checkbox and verify that this is not the problem.
  • Analyze TCP Sequence numbers: this checkbox must be checked for Wireshark to provide TCP analysis, which is one of its main and most important features.
  • Relative Sequence Numbers: when TCP opens a connection, it starts from a random sequence number. When this checkbox is checked, Wireshark will normalize it to "0", so what you will see are not the real numbers but numbers starting from "0" and increasing. In most cases the relative numbers are much easier to handle.
  • Calculate conversations timestamps: when this checkbox is checked, the TCP dissector will show you, in every packet, the time since the beginning of the connection. This can be helpful in cases of very fast connections where timing is critical.
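The following added example, not code from the book or from Wireshark, reproduces on constructed packets what three of these options compute: relative sequence numbers per direction, the time since the start of the conversation, and the RFC 793 checksum check, including a segment whose checksum the NIC has not filled in yet.

```python
"""Reproduce three of the TCP preferences above on constructed packets.

Added example, not code from the book or from Wireshark: relative
sequence numbers, conversation timestamps and the RFC 793 checksum check,
standard library only. Every address, port and number here is made up.
"""
import socket
import struct
from dataclasses import dataclass

@dataclass
class Pkt:
    """The TCP fields the three options need."""
    ts: float   # capture time, seconds
    src: str
    sport: int
    dst: str
    dport: int
    seq: int    # absolute 32-bit sequence number, as on the wire
    ack: int
    flags: str  # "S", "SA", "A", "PA", ...

def stream_key(p):
    """Both directions of one TCP conversation map to the same key."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

def analyze(pkts):
    """Return (rel_seq, rel_ack, seconds since the stream's first packet).

    rel_seq counts from the first sequence number seen in that direction
    (the ISN when the SYN was captured); rel_ack is relative to the ISN of
    the opposite direction, or None until that direction has been seen.
    """
    isn = {}       # (src, sport, dst, dport) -> first seq seen that way
    first_ts = {}  # stream key -> timestamp of the stream's first packet
    out = []
    for p in pkts:
        key = stream_key(p)
        first_ts.setdefault(key, p.ts)
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        isn.setdefault(fwd, p.seq)
        rel_seq = (p.seq - isn[fwd]) & 0xFFFFFFFF   # survives 32-bit wrap
        rel_ack = None
        if "A" in p.flags and rev in isn:
            rel_ack = (p.ack - isn[rev]) & 0xFFFFFFFF
        out.append((rel_seq, rel_ack, round(p.ts - first_ts[key], 6)))
    return out

def tcp_checksum(src_ip, dst_ip, segment):
    """Ones' complement sum over the IPv4 pseudo-header and the whole
    segment, with the checksum field itself taken as zero (RFC 793)."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    data = pseudo + segment[:16] + b"\x00\x00" + segment[18:]
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window, payload=b""):
    """Minimal 20-byte TCP header plus payload, checksum filled in."""
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, header + payload)
    return header[:16] + struct.pack("!H", csum) + header[18:] + payload

def checksum_ok(src_ip, dst_ip, segment):
    """What 'Validate the TCP checksum if possible' reports for a segment."""
    stored = struct.unpack("!H", segment[16:18])[0]
    return tcp_checksum(src_ip, dst_ip, segment) == stored

# Constructed three-way handshake plus one data segment, with absolute ISNs.
HANDSHAKE = [
    Pkt(100.000000, "10.0.0.5", 51234, "10.0.0.80", 80, 2896134781, 0, "S"),
    Pkt(100.000412, "10.0.0.80", 80, "10.0.0.5", 51234, 1044213990, 2896134782, "SA"),
    Pkt(100.000430, "10.0.0.5", 51234, "10.0.0.80", 80, 2896134782, 1044213991, "A"),
    Pkt(100.001200, "10.0.0.5", 51234, "10.0.0.80", 80, 2896134782, 1044213991, "PA"),
]

# A PSH/ACK segment as its sender built it, and a constructed stand-in for a
# capture of the same segment taken before an offloading NIC filled the
# checksum in (here simply zero): this is what the "checksum errors" show.
SEGMENT = build_segment("10.0.0.5", "10.0.0.80", 51234, 80, 1000, 5000,
                        0x18, 29200, b"GET / HTTP/1.1\r\n")
OFFLOADED = SEGMENT[:16] + b"\x00\x00" + SEGMENT[18:]

if __name__ == "__main__":
    for p, (rs, ra, t) in zip(HANDSHAKE, analyze(HANDSHAKE)):
        print(f"{t:9.6f}s {p.flags:3} seq={p.seq} rel_seq={rs} rel_ack={ra}")
    print("sender's checksum valid:", checksum_ok("10.0.0.5", "10.0.0.80", SEGMENT))
    print("pre-offload capture valid:", checksum_ok("10.0.0.5", "10.0.0.80", OFFLOADED))
```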

How it works...

Using the Protocols feature from the Preferences menu adds more analysis capabilities to the Wireshark software. Just be careful here to not add too many capabilities that will slow down the packet capture and analysis.

There's more...

You can get more information on GeoIP at http://wiki.wireshark.org/HowToUseGeoIP.


Key benefits

  • Place Wireshark in the network and configure it for effective network analysis
  • Use Wireshark's powerful statistical tools and expert system for pinpointing network problems
  • Use Wireshark for troubleshooting network performance, applications, and security problems in the network

Description

Is your network slow? Are your users complaining? Disconnections? IP Telephony problems? Video freezes? Network analysis is the process of isolating these problems and fixing them, and Wireshark has long been the most popular network analyzer for achieving this goal. Based on hundreds of solved cases, Network Analysis using Wireshark Cookbook provides you with practical recipes for effective Wireshark network analysis to analyze and troubleshoot your network.

"Network analysis using Wireshark Cookbook" highlights the operations of Wireshark as a network analyzer tool. This book provides you with a set of practical recipes to help you solve any problems in your network using a step-by-step approach. "Network analysis using Wireshark Cookbook" starts by discussing the capabilities of Wireshark, such as the statistical tools and the expert system, capture and display filters, and how to use them. The book then guides you through the details of the main networking protocols, that is, Ethernet, LAN switching, and TCP/IP, and then discusses the details of application protocols and their behavior over the network. Among the application protocols that are discussed in the book are standard Internet protocols like HTTP, mail protocols, FTP, and DNS, along with the behavior of databases, terminal server clients, Citrix, and other applications that are common in the IT environment.

In a bottom-up troubleshooting approach, the book goes up through the layers of the OSI reference model explaining how to resolve networking problems. The book starts from Ethernet and LAN switching, through IP, and then on to TCP/UDP with a focus on TCP performance problems. It also focuses on WLAN security. Then, we go through application behavior issues including HTTP, mail, DNS, and other common protocols. The book finishes with a look at network forensics and how to search and find security problems that might harm the network.

Who is this book for?

This book is aimed at research and development professionals, engineering and technical support, and IT and communications managers who are using Wireshark for network analysis and troubleshooting. This book requires a basic understanding of networking concepts, but does not require specific and detailed technical knowledge of protocols or vendor implementations.

What you will learn

  • Configure Wireshark for effective network troubleshooting
  • Set up various display and capture filters
  • Use basic statistical tools that provide you with "who is talking" tables, conversations, and HTTP statistics
  • Master both the standard and advanced features of IO graphs
  • Use the expert system to pinpoint various types of events that might influence the behavior of your network
  • Learn about Wi-Fi testing and how to resolve problems related to wireless LANs
  • Explore performance issues in TCP/IP
  • Explore failures due to delays and jitters in the network
  • Find and resolve problems due to bandwidth, throughput, and packet loss
  • Identify and locate faults in communication applications including HTTP, FTP, mail, and various other applications, such as Microsoft OS problems, databases, voice, and video over IP
  • Identify and locate faults in detecting security failures and security breaches in the network

Product Details

Publication date: Dec 24, 2013
Length: 452 pages
Edition: 1st
Language: English
ISBN-13: 9781849517645




Table of Contents

1. Introducing Wireshark
2. Using Capture Filters
3. Using Display Filters
4. Using Basic Statistics Tools
5. Using Advanced Statistics Tools
6. Using the Expert Infos Window
7. Ethernet, LAN Switching, and Wireless LAN
8. ARP and IP Analysis
9. UDP/TCP Analysis
10. HTTP and DNS
11. Analyzing Enterprise Applications' Behavior
12. SIP, Multimedia, and IP Telephony
13. Troubleshooting Bandwidth and Delay Problems
14. Understanding Network Security
A. Links, Tools, and Reading
Index

Customer reviews

Rating: 4.6 out of 5 (7 ratings): 5 star 57.1%, 4 star 42.9%, 3 star 0%, 2 star 0%, 1 star 0%

jack, Mar 21, 2014, 5 stars (Amazon verified review)

This is definitely a great book to dive into the Wireshark world. It is a good reference for those who use Wireshark for the first time, and at the same time it is a good cookbook for network administrators who often use the packet analyzer. The book starts off with a general introduction to traffic analysis and Wireshark in general. The next two sections introduce the reader to BPF and display filters, and offer a wide set of practical examples. Then the book dives into the analysis tools in Wireshark and describes what they do and how they work. Once the reader has built up enough knowledge on the different tools, the book goes through the different stack layers, illustrating how to put together filters and tools to solve common network issues on the different layers. One of the nice things about this book is that it's self-contained: you can read this book without having to look around for other network references (e.g. protocol headers, SSL handshake, HTTP status codes). It's nice to have everything in the same place, especially when you are dealing with the tons of standards and acronyms of the networking world. I enjoyed reading this book and I highly recommend it both to people who are approaching Wireshark for the first time and to people who work with networks and are looking for a great and practical cookbook.

Chen Heffer, Feb 03, 2014, 5 stars (Amazon verified review)

This important book manages to collaborate all relevant network aspects of both IT and IS in one book. It covers all topics with a comprehensive and deep analysis of the various scenarios. It doesn't leave you with a question mark; it covers all aspects in every topic it touches. It is written in a methodology that goes from the bottom up. It takes you through the basic information and slowly goes up the scale and builds up your knowledge. It doesn't stop at providing the information; it gets you to actually practice what you learned and takes the theory to a hands-on experience. It simply takes you by the hand in gaining the knowledge you need, just like if you sit in a class, make your notes and go through actual training practice. It is very rare to get this kind of feeling from technical books. The book is written in a simple language that both professionals and non-professionals can understand and relate to. The material is very well up to date with the latest technical terms and developments in the network market. To summarize, this is a very important book for technical network people, IT in general and surprisingly also regulatory and compliance people. It leaves you with just the right amount of information you need in order to know what the regulations and standards out there talk about, and it makes your technical brain cells work and gives you the appetite to go out there and practice what you just read.

stefano antoni, Mar 13, 2014, 5 stars (Amazon verified review)

This book, in my opinion, is meant for those who wish to enrich their knowledge of Wireshark regardless of their current level. The structure of the recipes and the chapters, the widespread use of print screens, and the references to web pages which enrich the knowledge of a specific subject help both the reader without knowledge of Wireshark and those who have a good knowledge of the instrument. I found the references to specific cases of actual problems very useful because they gave me the chance to see not only the use of Wireshark and its instruments, but they also showed me an analytical approach to troubleshooting; very useful in this context is the presence of links to sites where you can download analysis programs. After reading this book I most certainly have clear ideas on how to carry out the analysis of the problems that I face often at work.

Ricky Dodge, Apr 28, 2016, 5 stars (Amazon verified review)

Great

W Boudville, Feb 23, 2014, 4 stars (Amazon verified review)

Orzach offers you a nice detailed book of recipes dealing with many practical network issues, where the network can be wired or wireless. For the latter, the book deals with WiFi networks, which in practice for many of us are the most common form of Internet wireless networks anyway. Wireshark handles much of the tedious low level stuff, like mapping from a hostname to the underlying IP address and capturing packets that have this address in their source or destination fields. The chapter on Layer 2 filters is as low level as you can get. Note importantly that Wireshark can analyse traffic on both IPv4 and v6 networks. IPv6 is finally starting to become common and Wireshark is already there, with extensive functionality. The book and Wireshark together free you from having to know the detailed formatting of a v4 or v6 packet. The book goes straight into the recipes without bogging you down in many diagrams of the packet formats. The latter is more typical of earlier texts on IP and TCP where there was no software like Wireshark. Back then, such knowledge of formatting was needed by the reader because it was up to you to essentially write a rudimentary version of Wireshark. The book walks up the protocol stack, starting with Layer 2. For example, a later chapter has recipes on http and DNS. So just like the early chapter on Layer 2, you can focus on the issues of analysis and problem solving without having to know low level details.