Network Analysis using Wireshark Cookbook: This book will be a massive ally in troubleshooting your network using Wireshark, the world's most popular analyzer. Over 100 practical recipes provide a focus on real-life situations, helping you resolve your own individual issues.

To start working with Wireshark, go to the the Wireshark website, and download the latest version of the tool.

An updated version of Wireshark can be found on the website at http://www.wireshark.org/, under the Download heading. Download the latest Wireshark stable release that is available at http://www.wireshark.org/download.html.

Each Wireshark Windows package comes with the latest stable release of WinPcap, which is required for live packet capture. The WinPcap driver is a Windows version of the UNIX Libpcap library for traffic capture.

Let's take a look at the typical network architecture and network devices, how they work, how to configure them when required, and where to locate Wireshark.

Let's have a look at the simple and common network architecture in the preceding diagram.

Monitoring a router

In order to monitor a router, we can monitor a LAN port (numbered as 2 and 6 in the preceding diagram), or a WAN port (numbered as 5 in the preceding diagram). To monitor a LAN port is easy—simply configure the port monitor to the port you wish to monitor. In order to monitor a WAN port, you can connect a switch between the router port and the Service Provider (SP) network, and configure the port monitor on this switch, as in the following illustration.

Connecting a switch between the router and the service provider is an operation that breaks the connection; however, when you prepare for it, it should take less than a minute.

When monitoring a router, don't forget—not all packets coming in to a router will be forwarded. Some packets can be lost, dropped on the router buffers, or routed back on the same port that they came in from.

Two additional devices that you can use are TAPs and Hubs.

• TAPs: Instead of connecting a switch on the link you wish to monitor, you can connect a device called Test Access Point (TAP), which is a simple three-port device that, in this case, will play the same role as that of the switch. The advantage of a TAP over a switch is its simplicity and price. TAPs also forward errors that can be monitored on Wireshark, unlike a LAN switch that drops them. Switches, on the other hand, are much more expensive, take a few minutes to configure, but provide you with additional monitoring capabilities, for example, Simple Network Management Protocol (SNMP). When you troubleshoot a network, it is better to have an available managed LAN switch, even a simple one.

• Hubs: You can simply connect a hub in parallel to the link you want to monitor, and since a hub is a half-duplex device, every packet sent between the router and the SP device will be watched on your Wireshark. The biggest con of this method is that the hub itself slows the traffic, and it therefore influences the test. In many cases you also want to monitor 1 Gbps ports, and since there is no hub available for this, you will have to reduce the speed to 100 Mbps, which again will influence the traffic. Therefore, hubs are not commonly used.

To understand how the port monitor works, it is first important to understand the way that a LAN switch works. A LAN switch forwards packets in the following way:

Therefore, when you configure a port monitor to a specific port, you will see all the traffic coming in and out of it. If you connect your laptop to the network, without configuring anything, you will see only the traffic coming in and out of your laptop, along with broadcasts and multicasts from the network.

When capturing data, there are some tricky scenarios that you should be aware of.

One such scenario is monitoring a VLAN. When monitoring a VLAN, you should be aware of several important issues. The first issue is that even when you monitor a VLAN, the packet must physically be transferred through the switch you are connected to, in order to see it. If, for example, you monitor VLAN-10 that is configured across the network, and you are connected to your floor switch, you will not see the traffic that goes from other switches to the servers on the central switch.

This is because when building a network, the users are usually connected to floor switches in single or multiple locations in the floor, that are connected to the building central switch (or two redundant switches). For monitoring all traffic on a VLAN, you have to connect to a switch on which all traffic of the VLAN goes through, and this is usually the central switch.

In the preceding diagram, if you connect Wireshark to Switch SW2, and configure a monitor to VLAN30, you will see all the packets coming in and out of P2, P4, and P5, inside or outside the switch. You will not see packets transferred between devices on SW3 and SW1, or packets between SW1 and SW3.

Another issue when monitoring a VLAN is that you might see duplicate packets. This is because when you monitor a VLAN, and packets are going in and out of the VLAN, you will see the same packet when it is comes in, and then when it goes out of the VLAN.

You can see the reason in the following illustration. When, for example, S4 sends a packet to S2, and you configure the port mirror to VLAN30, you will see the packet once when sent from S4 passing through the switch and entering the VLAN30, and then when leaving VLAN30 and coming to S2.

For information on how to configure the port mirror, refer to the vendor's instructions. It can be called port monitor, port mirror, or SPAN (Switched Port Analyzer from Cisco).

There are also advanced features such as remote monitoring (monitoring a port that is not directly connected to your switch), advanced filtering (such as filtering specific MAC addresses), and so on. There are also advanced switches that have capture and analysis capabilities on the switch itself. It is also possible to monitor virtual ports (for example, LAG or Ether channel groups). For all cases, refer to the vendor's specifications.

After you install Wireshark on your computer, the only thing to do will be to start the analyzer from the desktop, program files, or the quick start bar.

When you do so, the following window will be opened (Version 1.10.2):

You can start the capture from the upper bar Capture menu, or from the quick-launch bar with the capture symbol, or from the center-left capture window on the Wireshark main screen. There are options that you can choose from.

How to choose the interface to start the capture

If you simply click on the green icon, third to the right, in Wireshark and start the capture, Wireshark will start the capture on the default interface as configured in the software (explained later in the chapter in the recipe Configuring the user interface in the Preferences menu). In order to choose the interface you want to capture on, click on the List the available capture interfaces symbol, and the Wireshark Capture Interfaces window will open.

The best way to see which interface is active is simply to look at the right of the window of the interface on which you see the traffic running. There you will see the number of total Packets seen by Wireshark, and the number of Packets/sec in each interface.

In Wireshark Version 1.10.2 and above, you can choose one or more interfaces for the capture. This can be helpful in many cases; for example, when you have multiple physical NICs, you can monitor the port on two different servers, two ports of a router, or other multiple ports at the same time. A typical configuration is seen in the following screenshot:

How to configure the interface you capture data from

To configure the interface you capture data from, choose Options from the Capture menu. The following window will appear:

In the preceding window you can configure the following parameters:

1. On the upper side of the window, choose the interface you want to capture the data from.

2. On the left side of the window, you have the checkbox Use promiscuous mode on all interfaces. When checked, Wireshark will capture all the packets that the computer receives. Unchecking it will capture only packets intended for the computer.

3. In some cases, when this checkbox is checked, Wireshark will not capture data in the wireless interface; so if you start capturing data on the wireless interface and see nothing, uncheck it.

4. On the mid-left area of the window, you have the Capture Files field. You can write a file name here, and Wireshark will save the captured file under this name, with extensions 0001, 0002, and so on under the path you specify. This feature is extremely important when capturing a large amount of data; for example, when capturing data over a heavily-loaded interface, or over a long period of time. You can tell the software to open a new file after a specific interval of time, file size, or number of packets.

5. On the bottom left of the window, you have the area marked as Stop Capture Automatically in the preceding screenshot. In this area, you can tell the software to stop capturing data after a specific interval of time, file size, or number of packets.

6. On the mid-right area of the window, you can change the Display option and select the checkboxes Update list of packets in real time, Automatically scroll during live capture, and Hide capture info dialog, which close the annoying capture window (a pop up that appears the moment you start capture). In most of the cases you don't have to change anything here.

7. On the bottom right of the window, you configure the resolving options for MAC addresses, IP DNS names, and TCP/UDP port numbers. The last checkbox, Use external network name resolver, uses the system's configured name resolver (in most of the cases, DNS), to resolve network names.

Here the answer is very simple. When Wireshark is connected to a wired or wireless network, there is a software driver that is located between the physical or wireless interface and the capture engine. In Windows we have the WinPcap driver, in Unix platforms the Libpcap driver, and for wireless interfaces we have the AirPcap driver.

In cases where the capture time is important, and you wish to capture data on one interface or more, and be time-synchronized with the server you are monitoring, you can use Network Time Protocol (NTP) to synchronize your Wireshark and the monitored servers with a central time source.

This is important in cases when you want to go through the Wireshark capture file in parallel to a server logfile, and look for events that are shown on both. For example, if you see retransmissions in the capture file at the same time as a server or application error on the monitored server, you will know that the retransmissions are because of server errors and not because of the network.

The Wireshark software takes its time from the OS clock (Windows, Linux, and so on) For configuring the OS to work with a time server, go to the relevant manuals of the operating system that you work with.

In Microsoft Windows7, configure it as follows:

NTP is a network protocol used for time synchronization. When you configure your network devices (routers, switches, FWs, and so on) and servers to the same time source, they will be time synchronized to this source. The accuracy of the synchronization depends on the accuracy of the time server that is measured in levels or stratums. The higher the level, the more accurate it will be. Level 1 is the highest. Usually you will have levels 2 to 4.

NTP was first standardized in RFC 1059 (NTPv1), and then in RFC 1119 (NTPv2); the common versions in the last years are NTPv3 (RFC1305) and NTPv4 (RFC 5905).

You can get a list of NTP servers on various web sites, among them http://support.ntp.org/bin/view/Servers/StratumOneTimeServers and

http://wpollock.com/AUnix2/NTPstratum1PublicServers.htm.

You can get more information about Pcap drivers at:

Start Wireshark, and you will get the start window. There are several parameters you can change here in order to adapt the capture window to meet your requirements:

First, let's have a look at the toolbars that are used by the software:

For operations with the other toolbars as follows, which are covered in the coming subsections in this recipe:

Main Toolbar

In the main toolbar you have the icons shown in the following screenshot:

The five leftmost symbols are for capture operations, then you have symbols for file operations, zoom and "go to packet" operations, colorize and auto-scroll, zoom and resize, filters, preferences, and help.

Display Filter Toolbar

In the filter toolbar, you have the following fields:

Status Bar

In the status bar on the lower side of the Wireshark window, you can see the data shown in the following screenshot:

In the preceding screenshot you can see the following:

• Errors in the expert system

• The option to add a comment to the file

• The name of the captured file (during capture, it will show you a temporary name assigned by the software)

• Total number of captured packets, displayed packets (those which are actually displayed on the screen), and marked packets (those that you have marked).

In this part we will go step by step and configure the main menu.

Configuring toolbars

Usually for regular packet capture, you don't have to change anything. This is different when you want to capture wireless data over the network (not only from your laptop); you will have to enable the wireless toolbar, and this will be done by clicking on it under the view menu, as shown in the following screenshot:

Configuring the main window

To configure the main menu for capturing, you can configure Wireshark to show the following windows:

In most of the cases you will not need to change anything here. In some cases, you can cancel the packet bytes when you don't need to see them, and you will get more "space" for the packet list and details.

Name Resolution

Name Resolution is the translation of layer 2 (MAC addresses), layer 3 (IP addresses), and layer 4 (Port numbers) into meaningful information.

In the preceding screenshot, we see the MAC address 60:d8:19:c7:8e:73 (from Hon Hai Precision Ind., used by Lenovo), the website (that is, Packtpub.com), and the HTTP port number (that is 80).

Colorizing the packet list

Usually you start a capture in order to establish a baseline profile of what normal traffic looks like on your network. During the capture, you look at the captured data and you might find a TCP connection, IP or Ethernet connectivity that are suspects, and you want to see them in another color.

To do so, right-click on the packet that belongs to the conversation you want to color, choose Ethernet, IP, or TCP/UDP (the appearance of TCP or UDP will depend on the packet), and choose the color for the conversation.

In the example you see that we want to color a Transport Layer Security (TLS) conversation.

For canceling the coloring rule:

1. Go to the View menu.

2. In the lower part of the menu, choose Reset Coloring 1-10 or simply click on Ctrl + Space bar.

To configure the time format, go to the View menu, and under Time Display Format you will get the following window:

You can chose from the following options:

The lower part of the submenu provides the format of the time display. Change it only if a more accurate measurement is required.

You can also use Ctrl + Alt + any numbered digit key on the keyboard for the various options.

This is quite simple. Wireshark works on the system clock and presents the time as it is in the system. By default you see the time since the beginning of capture.