I thought I would share my default Wireshark setup I use when examining packet traces. In addition to the defaults I like having the Time (since capture start), the DateTime, (absolute time is useful when correlating against other packet traces and log files), DeltaX (time between displayed packets), Seq, Ack, and Bytes in flight.

I have a color rule which highlights the frames in yellow if the frame.time_delta_diplayed is greater than 3 seconds (frame.time_delta_displayed > 3). It helps me to quickly focus on long pauses in communication between two or more devices. While working on this problem I also happened to stumble upon a bug in Wireshark 2.0 that affects the delta time displayed. I discovered bug 11786 was already documented in the Wireshark bug database.

Stumbled onto a known Wireshark 2.0 bug with delta displayed time not showing up properly. https://t.co/RrchR8WBGV

— Michael McNamara (@mfMcNamara) December 23, 2015

If you’re not familiar with how to read packet traces I would suggest you check out Kary Rogers Packet Bomb website. Karry has a number of useful videos covering how to read and interpret a packet trace, along with a few tips on leveraging tools like Wireshark. In the screenshot above I used Jasper Bongertz’s tool TraceWrangler to sanitize the IP addresses from the packet trace before post a screenshot.

Cheers!

Update: The delta time issue has been fixed in Wireshark 2.0.1

Unfortunately IBM support wasn’t very helpful, they were more interested in placing blame than they were in helping us understand why the Tealeaf capture server wasn’t working. They were completely focused on the fact that it worked before the upgrade so it must have been the upgrade that broke it. While that was technically true there was something else at play since I had already verified that the traffic was being forward properly by the Gigamon.

Ultimately one of the team members reconfigured the Linux NICs to support 802.1q tagging and built sub-interfaces so tcpdump could read the traffic. I never did find out what broke but I’m guessing it has something to-do with the NIC configuration on the Tealeaf Linux capture server.

Cheers!

Image Credit: John

Last week I had the task of diagnosing some very intermittent desktop/application performance issues at a remote site. I had installed WireShark locally on a few desktops but I wanted the ability to remotely monitor a few specific desktops without obstructing the users workflow to get a baseline for later comparison. I was excited to learn that WireShark and WinPCAP had (experimental) remote packet capture functionality built into each product. I followed the instructions on the WireShark website by installing WinPCAP v4.1.2 on the remote machine and then starting the “Remote Packet Capture Protocol v.0 (experimental)” service. With that done I then proceeded to launch WireShark on my local desktop and configure the remote packet capture settings. From within WireShark I chose Options -> Capture, changed the Interface from Local to Remote. Then enter the IP address of the remote machine along with the TCP port (the default TCP port is 2002). I initially tried to use “Null authentication” but was unsuccessful. I eventually ended up choosing “Password authentication” and used the local Administrator account and password of the remote desktop that had WinPCAP installed on it. If the remote desktop had multiple interfaces I could have selected which interface I wanted to perform the remote packet capture on. In this case the desktop in question only had an integrated Intel(R) 82567LM-3 network adapter. I clicked ‘Start’ and to my sheer amazement the packet trace was off and running collecting packets from the remote desktop. There will still be the occasional need to place the Dolch (portable sniffer) onsite when the situation demands it  but this is a great tool to have available.

Cheers!

Updated: Sunday September 5, 2010
The images appear to be missing above because the URL paths are wrong, not sure how WordPress messed up that. I don’t have time right now to fix it but I will fix it a little later.