Chapter 3. Capturing All the Right Packets
In order to analyze packets to troubleshoot connectivity, performance, or security issues, you have to successfully capture all of the right packets and then identify and filter out just the packets that pertain to the goal at hand.
In this chapter, we will cover the following topics:
Picking the best capture point
TAPs and switch port mirroring
Wireshark's capture interfaces, filters, and options
Verifying a good capture
Isolating the conversation(s) of interest
Using the Wireshark Conversations window
Wireshark's display filters
Filtering expression buttons
Following TCP/UDP/SSL streams
Marking and ignoring packets
Saving filtered traffic
You'll recognize that many of these activities are the same ones that we accomplished in Chapter 1, Getting Acquainted with Wireshark, to perform a capture and filter just the packets involved in loading a web page. In this chapter, we'll expand and finish rounding out your skills in all these topics.
Picking the best capture point
Determining the best location to perform a packet capture depends on several considerations:
The nature of the issue being investigated
The relative ability to perform a capture in a location that provides the highest degree of usefulness to the analysis
The amount of technical difficulty, risk, and time required to perform a capture at a given location
If you're troubleshooting a user complaint, the first capture point should be at the user's workstation to gain a view from the user's perspective and verify/clarify the situation that the user is reporting. From this vantage point, you can:
Ensure that basic network services such as ARP and DNS are working correctly
Analyze the initial login process if the user authentication involves a different device than the target application server
Measure network round trip times from the user to the target host(s)
Determine whether the TCP session setup handshake is appropriate for the application being accessed...
Test Access Ports and switch port mirroring
If you're capturing from a user location and cannot or do not wish to install Wireshark on the user's machine or you're capturing at another location in the network, you have two options to obtain a copy of the packets traversing the network: Test Access Ports or switch port mirroring.
A Test Access Port (TAP) is a device that copies all the packets flowing through it to one or more monitor ports. A station with Wireshark installed on it can be connected to one of the monitor ports to capture the packets.
You should select an aggregating TAP that supports the link speed of the network ports being analyzed (usually 100 Mbps or 1 Gbps) and that will copy and combine the packets flowing in both directions (transmit data from the user's workstation and receive data from the network); the aggregating TAP funnels the traffic to a single connection (transmit to the Wireshark station) so that you can capture the traffic in both directions...
Capturing interfaces, filters, and options
Capturing packets with Wireshark consists of selecting the correct network interface to capture packets from, applying any capture filters that may be appropriate, and applying the correct options to accomplish the capture in the desired manner. We'll cover these three topics in the following sections.
Selecting the correct network interface
As discussed in Chapter 1, Getting Acquainted with Wireshark, if you have multiple network interfaces on your machine, you need to determine and select the correct interface to capture packets. In Wireshark's Capture menu, click on Interface or click on the first icon on the icon bar.
The Wireshark Capture Interfaces window provides a list and description of the network interfaces on your machine, the IP addresses assigned, and the total packets and packets per second counters for each interface. If an interface has an IPv6 address assigned and this is being displayed, you can click on the address to toggle and...
After a capture is complete, you should scroll through and inspect the packets in the Packet List pane to ensure that you're seeing the traffic you were expecting—usually traffic to and from a specific host.
You should also ensure there were no dropped packets, which would be displayed in the Packet Information section of the Status Bar at the bottom center of the Wireshark user interface. Dropped packets indicate that Wireshark or the selected NIC could not keep up with the traffic volume and had to discard packets, which could of course affect the quality of your analysis. If dropped packets occur, you may need to use a higher performance workstation to perform the captures or select a lower traffic volume capture location.
Saving the bulk capture file
After completing and verifying a good capture, you should save the bulk (all captured packets) capture file (assuming a single file capture) to your directory of choice. You will later be filtering and saving a subset of packets to a smaller file, but it is advantageous to be able to load the original capture file again at a later time if during the analysis you discover that you might have inadvertently filtered out more packets than you wanted.
Using the Save As option in the File menu, navigate to the directory of your choice and give the file a name. If no file extension is specified, Wireshark will append a file extension based on the Save as type option selected; the default is the .pcapng format. However, you can save the file in several other popular vendor-specific formats if you intend to share the capture file with someone who is using a different protocol analysis tool.
If multiple files were saved using one of the multiple file and/or ring buffer capture...
Isolating conversations of interest
After you have completed a packet capture and saved a bulk capture file, you'll be left with an almost overwhelming number of packets of various types and addresses in the Packet List pane. It's now time to pare this down to just the packets that pertain to the analysis task at hand.
The idea is to progressively eliminate unrelated packets; analyze the pertinent conversations looking for anomalies; and again progressively filter, measure, and analyze packet flow and application behavior until you have discovered and can document the root cause of the issue.
There are two basic ways to isolate and inspect packets and conversations of interest, and you'll likely use both of the following methods in most of your analysis activities:
Using the Conversations window
The basics of using the Conversations window were covered during the first capture in Chapter 1, Getting Acquainted with Wireshark. In this section, we'll cover a few other handy features of the Conversations window.
The Conversations window exhibits specific behaviors in the Ethernet tab, depending on the available Name Resolution settings. If the Enable for Network Layer option in the Name Resolution submenu of the View menu is enabled and Name Resolution is also enabled in the Conversations window, then the IP address that is associated with a given device's MAC address is displayed as an IP address instead of a MAC address. Toggling the Name Resolution option in this scenario is useful for easily associating a device's IP address with its MAC address.
If the Enable for Network Layer option is not enabled, then the Name Resolution option in the Conversations window controls whether the MAC addresses are displayed with manufacturer prefixes...
Wireshark display filters
Wireshark provides a very wide range of protocol-specific display filters that can be extremely useful for analysis activities by allowing you to focus on specific packets, based on criteria that you define. You can filter on just the traffic that you want to see or filter undesired traffic out of view. Display filters are one of the most helpful features of Wireshark, so it is worth becoming very familiar with them.
Display filters can be created in several ways:
By applying display filters from the Display Filter window
By typing in the display filter syntax (using autocomplete)
By applying display filters from the Conversations (or Endpoints) window
By applying saved display filters from Filter Expression Buttons
Using the Expressions button for assistance creating filters
Using right-click menus on specific packet fields
Note
Remember that display filters use a proprietary Wireshark filter format, which is protocol-dependent and significantly different from capture filter...
Filter Expression Buttons
Filter Expression Buttons are buttons you can create that are based on display filters; these can be used to quickly apply previously-saved display filters to your capture data to identify network and application problems.
For example, to create a Filter Expression Button option that displays just TCP SYN, SYN/ACK, FIN, or RST packets to analyze the TCP session setup parameters, network round-trip delay times, and session terminations:
Type the following display filter string into the Filter textbox on the Display Filter Bar:
Clicking on Apply will apply this filter to a capture that you have loaded so that you can confirm that it is working properly.
Then, click on Save and give the button a name, such as TCP Handshake (as illustrated in the...
Following TCP/UDP/SSL streams
Selecting a packet in a conversation, right-clicking, and selecting a Follow TCP Stream, Follow UDP Stream, or Follow SSL Stream option (as appropriate) from the menu provides a display window that contains a textual depiction of the payload data from all of the packets in a conversation. This is an excellent way to inspect the contents of a stream without having to select and inspect multiple packets. Viewing the exchanges between the client and server can be very helpful for troubleshooting purposes.
When a Follow Stream option is selected for a given packet, a display filter is automatically created and applied to support creation of this window. The following screenshot illustrates a Follow TCP Stream window. Also, note the display filter syntax (tcp.stream eq 15) that was created and applied when this stream was selected:
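As an added example (not the book's own code), the following stdlib-only Python mimics three things covered in the Conversations window, display filter, and Follow Stream sections above: grouping packets direction-independently the way the TCP tab of the Conversations window does, numbering conversations in order of first appearance the way Wireshark's tcp.stream field does (so tcp.stream eq N keeps one conversation, which is what Follow TCP Stream applies), and the SYN/FIN/RST test behind a TCP handshake filter button. The frames, addresses and ports are constructed sample data, and the display filter named in the comments (tcp.flags.syn == 1 || tcp.flags.fin == 1 || tcp.flags.reset == 1) is my assumed equivalent, not the book's filter string.

```python
import struct

SYN, ACK, FIN, RST = 0x02, 0x10, 0x01, 0x04

def tcp_frame(src, dst, sport, dport, flags):
    """Build a minimal Ethernet II / IPv4 / TCP frame (constructed test data, no payload)."""
    eth = b"\x00" * 12 + b"\x08\x00"                              # zero MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp

def parse_frame(raw):
    """Extract the fields a display filter would see; keys use Wireshark's field names."""
    ihl = (raw[14] & 0x0F) * 4                                    # IPv4 header length
    tcp = raw[14 + ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return {"ip.src": ".".join(map(str, raw[26:30])), "ip.dst": ".".join(map(str, raw[30:34])),
            "tcp.srcport": sport, "tcp.dstport": dport, "tcp.flags": tcp[13]}

def conversation_key(p):
    """Direction-independent key: A->B and B->A land in the same Conversations row."""
    ends = ((p["ip.src"], p["tcp.srcport"]), (p["ip.dst"], p["tcp.dstport"]))
    return tuple(sorted(ends))

def assign_tcp_streams(packets):
    """Number conversations in order of first appearance, as tcp.stream does."""
    index, streams = {}, []
    for p in packets:
        streams.append(index.setdefault(conversation_key(p), len(index)))
    return streams

def follow_stream(packets, n):
    """Packets that 'tcp.stream eq n' would keep, the filter Follow TCP Stream applies."""
    return [p for p, s in zip(packets, assign_tcp_streams(packets)) if s == n]

def is_handshake_or_teardown(p):
    """Assumed equivalent of: tcp.flags.syn == 1 || tcp.flags.fin == 1 || tcp.flags.reset == 1"""
    return bool(p["tcp.flags"] & (SYN | FIN | RST))

# Constructed capture: one full session from 10.0.0.5 and one refused attempt from 10.0.0.7.
SAMPLE = [parse_frame(f) for f in (
    tcp_frame("10.0.0.5", "10.0.0.80", 51000, 443, SYN),
    tcp_frame("10.0.0.80", "10.0.0.5", 443, 51000, SYN | ACK),
    tcp_frame("10.0.0.5", "10.0.0.80", 51000, 443, ACK),
    tcp_frame("10.0.0.7", "10.0.0.80", 52000, 443, SYN),
    tcp_frame("10.0.0.80", "10.0.0.7", 443, 52000, RST | ACK),
    tcp_frame("10.0.0.5", "10.0.0.80", 51000, 443, FIN | ACK),
)]
```

Running assign_tcp_streams(SAMPLE) yields [0, 0, 0, 1, 1, 0], so the reply from 10.0.0.80 shares stream 0 with the client's SYN even though its source and destination are swapped; the pure ACK in stream 0 is the only packet the handshake filter drops.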
Marking and ignoring packets
You can toggle Mark/Unmark Packet or Ignore/Unignore Packet from the Wireshark Edit menu, or by right-clicking on a packet in the Packet List pane and selecting Mark Packet (toggle) or Ignore Packet (toggle).
The menu displayed by right-clicking on a packet in the Packet List pane is shown in the following screenshot:
Wireshark allows you to mark one or more packets in the Packet List pane to make it easier to find those packets later by giving the packet entry a black background with white font. This marking can be toggled on and off on a per-packet basis. Marking a packet has no other effect on the display or packet context.
You can also ignore one or more packets. However, when you invoke the ignore function on a packet, that packet entry disappears from the Packet List, Packet Details, and Packet Bytes panes and it effectively ceases (temporarily) to be part of the capture file. Note that ignoring packets can result in Wireshark reporting re-transmissions or...
Saving the filtered traffic
During or after completing an analysis, you will want to save a set of filtered packets into a new capture file. Saving a filtered subset of the bulk capture data and opening the new, smaller file in Wireshark is helpful to reduce the distracting background noise packets displayed when clearing display filters, working with Conversations windows, and so on during your analysis. Finally, upon completing your analysis, you will want a filtered capture file that represents the analysis evidence and conclusion and can be quickly loaded for review at a later time.
Use the Export Specified Packets option in the File menu to save a new capture file consisting of just your filtered packets. Navigate to the desired directory; enter a filename (Wireshark will provide the appropriate filename extension); make the appropriate selections to save all the Displayed packets, Marked packets, and/or to Remove Ignored packets; and then click on Save. Remember to save the complete...
The important points covered in this chapter included picking an optimal capture point, selecting between TAPs and mirrored/SPAN ports, Wireshark's capture filters and options, verifying a good capture, using Wireshark's Conversation windows and display filters to isolate packets of interest, creating Filter Expression Buttons, marking and ignoring packets, and saving the filtered traffic for later or more detailed analysis.
In the next chapter, we'll cover the rest of Wireshark's basic packet analysis features.