Troubleshooting with Wireshark [Riverbed lab kit]

A while ago I attended a Wireshark webinar from Riverbed in which they presented the tool, some beginner and intermediate users troubleshooting scenarios and some lab kit.

Now I got an e-mail that they made it available for download at http://www.riverbed.com/wireshark-virtual-tour

Part of this Lab Kit were available in the Virtual World Tour 2014 webinar on Troubleshooting with Wireshark, held by Laura Chappell and Gerald Combs.

Kit is a free collection of Wireshark training, trace files and tips and tricks for troubleshooting your network. This lab kit contains the following:

  • Nine Network Analysis Training videos
  • Troubleshooting Checklist
  • Sample Network Analysis Report
  • Practice Trace Files
  • Laura’s Wireshark Troubleshooting Profile
  • Chapter Excerpts from Laura Chappell’s new book “Troubleshooting with Wireshark Locate the Source of Performance Problems”

  • If you are interested in troubleshooting with Wireshark, I think this would be a nice place to start. The presentation page of Wireshark Virtual Tour looks a little bit like comics marketing style, but the materials are pretty good.

    Free live webinars covering the new Wireshark certification

    What should you study? How should you study? What are the hot areas on the Exam? What are the Exam question formats? What should you watch for? What if you need to reschedule the Exam? What can you bring with you?

    This are the questions that Laura Chappell will try to answer in the 4 free live webinars hosted at Chappell Seminars on from 17th to 19th of August 2010. I you are curious who is Laura Chappell, you should know that, according to her bio, she is the Founder of Wireshark University (www.wiresharkU.com) and Chappell University (www.chappellU.com) and a self-admitted “packet geek” as well as a highly-energetic speaker and author of numerous industry titles on network communications, analysis and security. Nicknamed “Glenda, the Good Witch,” Laura has presented to thousands of State, Federal and international law enforcement officers, judicial members, engineers, network administrators, technicians and developers.

    Ms. Chappell is a member of the High Technology Crime Investigation Association (HTCIA) and an Associate Member of the Institute for Electrical and Electronic Engineers (IEEE) since 1989. Her blend of humor, personal experiences, energy and clarity have earned her a top spot as an industry speaker at Microsoft, Novell, Hewlett-Packard, High Technology Crime Investigation Association and US Court conferences.

    I believe that this is enough to wake up your interest in this event. Considering that it is offer for free, I don’t see why you should not attend especially if you are interested in network technology. There is always room for more knowledge.

    Sign in for this event

    Wireshark 1.2.0 is now available

    wireshark-logoWireshark 1.2.0 has been released and it’s available for download. This is suppose to be a major release according to the developer’s website, as the previous version is 1.0.8. Some new features, from the official Wireshark website, regarding the new version you can find below:

    New and Updated Features

    The following features are new (or have been significantly updated) since version 1.0:

    • Wireshark has a spiffy new start page.
    • Display filters now autocomplete.
    • A 64-bit Windows (x64) installer is now provided.
    • Support for the c-ares resolver library has been added. It has many advantages over ADNS.
    • Many new protocol dissectors and capture file formats have been added (see below for a complete list).
    • Macintosh OS X support has been improved.
    • GeoIP database lookups.
    • OpenStreetMap + GeoIP integration.
    • Improved Postscript® print output.
    • The preference handling code is now much smarter about changes.
    • Support for Pcap-ng, the next-generation capture file format.
    • Support for process information correlation via IPFIX.
    • Column widths are now saved.
    • The last used configuration profile is now saved.
    • Protocol preferences are changeable from the packet details context menu.
    • Support for IP packet comparison.
    • Capinfos now shows the average packet rate.
    • GTK1 is no longer supported. (Yes, this is a feature.)
    • Official Windows packages are now built using Microsoft Visual C++ 2008 SP1.

    New Protocol Support

    Anything in Anything Protocol, ATM PW, N-to-one Cell Mode, B.A.T.M.A.N. Layer 3 Protocol, BACnet MS/TP, BSS LCS Assistance Protocol, Canon BJNP, CESoPSN basic NxDS0 mode (no RTP support), Charging ASE, Cimetrics MS/TP, DECT Protocol, Digital Private Signalling System No 1 Link Layer, DOCSIS Mac Domain Description, DOCSIS Registration Request Multipart, DOCSIS Registration Response Multipart, DOCSIS Synchronisation Message, E100 Encapsulation, EHS, Enhanced Variable Rate Codec, Ethernet Global Data, Ethernet PW, Exchange 2003 Directory Request For Response, Far End Failure Detection, FCoE Initialization Protocol, GOOSE, GPEF, GPRS Tunneling Protocol V2, GSM A-I/F COMMON, GSM A-I/F GPRS Mobility and Session Management, GSM SACCH, GSM Um Interface, HDLC PW, FR port mode (no CW), HDLC-like framing for PPP, IEC 60870-5-104,Apci, IEC 60870-5-104,Asdu, IEEE 802.15.4 Low-Rate Wireless PAN non-ASK PHY, IEEE C37.118 Synchrophasor Protocol, Intelligent Platform Management Interface (Session Wrapper), Inter-Integrated Circuit, Internal TDM, IPSICTL, ISMACryp Protocol, iWARP Direct Data Placement and Remote Direct Memory Access Protocol, iWARP Marker Protocol data unit Aligned framing, Kontiki Delivery Protocol, LANforge Traffic Generator, Layer 1 Event Messages, Lb-I/F BSSMAP LE, LeCroy VICP, Link Access Procedure, Channel Dm (LAPDm), Local Download Sharing Service, LTE Radio Resource Control (RRC) protocol, MAC-LTE, Memcache Protocol, Mesh Header, MP4V-ES, Nasdaq TotalView-ITCH, Nasdaq-SoupTCP version 2.0, NAT Port Mapping Protocol, Netdump Protocol, Non-Access-Stratum (NAS)PDU, PacketLogger, Paltalk Messenger Protocol, PDCP-LTE, PW Associated Channel Header, PW Ethernet Control Word, PW Frame Relay DLCI Control Word, PW MPLS Control Word (generic/preferred), Real-Time Publish-Subscribe Wire Protocol 2.x, Remote Packet Capture, RLC-LTE, SAToP (no RTP support), SERCOS III V1.1, SIMULCRYPT Protocol, Subnetwork Dependent Convergence Protocol XID, Teamspeak2 Protocol, TTEthernet, TTEthernet Protocol Control Frame, Turbocell Aggregate Data, Turbocell Header, TURN Channel, Unreliable Multicast Inter-ORB Protocol, VCDU, Wave Short Message Protocol(IEEE P1609.3), Wireless Access Station Session Protocol, Wireshark Expert Info, World of Warcraft, Xpress Transport Protocol, ZigBee Application Framework, ZigBee Application Support Layer, ZigBee Device Profile, ZigBee Encapsulation Protocol, ZigBee Network Layer, Zipped Inter-ORB Protocol, ZRTP

    New Capture File Support

    Apple Bluetooth PacketLogger, Daintree’s Sensor Network Analyzer, dct3trace, Pcap-NG, TNEF (yes, those silly winmail.dat attachments)

    You can download the last version from the official Wireshark download page

    Wireshark’s most useful display filters

    wireshark-logoNow and then, especially when you expect less, the network crashes or encounter an issue and then you had to troubleshoot. Sometime the problem is right there, you can see it and it’s easy to fix, but in other cases you’ll have to put an eye in the packets that are traveling through it and search deeper for the solution. When it comes to network sniffing or packet capturing or whatever you want to call it, I believe that the name Wireshark (formerly Ethereal) ring a bell in your head.

    Wireshark is one of the world’s foremost network protocol analyzer, and is the de facto standard across many industries and educational institutions. Wireshark development thrives thanks to the contributions of networking experts across the globe. It is the continuation of a project that started in 1998. Some features of Wireshark:
    – Deep inspection of hundreds of protocols, with more being added all the time
    – Live capture and offline analysis
    – Multi-platform: Runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many others
    – Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
    – Read/write many different capture file formats: tcpdump (libpcap), Pcap NG, Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer® (compressed and   uncompressed), Sniffer® Pro, and NetXray®, Network Instruments Observer, NetScreen snoop, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek, and many others
    – Capture files compressed with gzip can be decompressed on the fly
    – Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others (depending on your platfrom)
    – Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2

    Wireshark is extremely useful when it comes to network troubleshooting as it capture the packets and you can have a detail look into them checking if everything is OK in parameters, message, format and so on. The problem is that if you capture the packets traveling through a backbone router you will end having  huge file ( yes, even up to 1G if you capture long enough) and a lot packets details in it. From this tons of information maybe you are interested in only a minor part like BGP traffic or a certain IP source and destination. Here is the part where Wireshark filters come into play.

    There are 2 type of Wireshark filters:

    – DISPLAY FILTERS – after you capture a lot of information, they help you to visualize only the packets that you are interested in
    – CAPTURE FILTERS – from the beginning you know what is the interest for you and capture only those packets

    I would recommed to use the Capture filters, when you know what are you looking for and you run the capture for more than couple of hours in a heavy traffic environment. This will help you stay in a reasonable amount on information being captured and file size.
    If you run the packet capture for less time, like one or two hours, and you are not very sure what are you looking for, then I recommend to capture all the traffic and then use Display filters to visualize only the information that you are searching for.

    For today I put together a list with the most useful Wireshark display filters. I compiled this list based on my personal experience and on my friends and colleagues advices. If you think that something is missing, or you are using a Display filter that might be useful for others please feel free to add it to a Comment to this topic and I will update the list. In one of the future posts I will show you how to capture the traffic and apply some of this filters.

    DISPLAY FILTER EXPLANATION EXAMPLE
    eth.addr source or destination mac-address eth.addr == 00:1a:6b:ce:fc:bb
    eth.src source mac-address eth.src == 00:1a:6b:ce:fc:bb
    eth.dst destination mac-address eth.dst == 00:1a:6b:ce:fc:bb
    arp.dst.hw_mac target mac-address arp.dst.hw_mac == 00:1a:6b:ce:fc:bb
    arp.dst.proto_ipv4 target IPv4 address arp.dst.proto_ipv4 == 10.10.10.10
    arp.src.hw_mac sender mac-address arp.src.hw_mac == 00:1a:6b:ce:fc:bb
    arp.src.proto_ipv4 sender IPv4 address arp.src.proto_ipv4 == 10.10.10.10
    vlan.id vlan ID vlan.id == 16
    ip.addr source or destination IPv4 address ip.addr == 10.10.10.10
    ip.dst destination IPv4 address ip.addr == 10.10.10.10
    ip.src source IPv4 address ip.src == 10.10.10.10
    ip.proto IP protocol (decimal) ip.proto == 1
    ipv6.addr source or destination IPv6 address ipv6.addr == 2001::5
    ipv6.src source IPv6 address ipv6.addr == 2001::5
    ipv6.dst destination IPv6 address ipv6.dst == 2001::5
    tcp.port source or destination TCP port tcp.port == 20
    tcp.dstport destination TCP port tcp.dstport == 80
    tcp.srcport source TCP port tcp.srcport == 60234
    udp.port source or destination UDP port udp.port == 513
    udp.dstport destination UDP port udp.dstport == 513
    udp.srcport source UDP port udp.srcport == 40000
    fr.dlci Frame-Relay DLCI number fr.dlci == 112
    icmp.type ICMP type code (decimal) icmp.type == 8
    vtp.vlan_info.vlan_name VLAN name vtp.vlan_info.vlan_name == TEST
    bgp.originator_id BGP id (IPv4 address) bgp.originator_id == 192.168.10.15
    bgp.next_hop BGP Next Hop (IPv4 address) bgp.next_hop == 192.168.10.15
    rip.ip RIP IPv4 address rip.ip == 200.0.2.0
    ospf.advrouter OSPF advertising router ID ospf.advrouter == 192.168.170.8
    eigrp.as EIGRP autonomous system number eigrp.as == 100
    hsrp.virt_ip HSRP virtual IP address hsrp.virt_ip == 192.168.23.250
    vrrp.ip_addr VRRP virtual IP address vrrp.ip_addr == 192.168.23.250
    zebra.dest4 ZEBRA destination IPv4 address zebra.dest4 == 10.10.10.10
    wlan.addr source or destination MAC address wlan.addr == 00:1a:6b:ce:fc:bb
    wlan.sa source MAC address wlan.sa == 00:1a:6b:ce:fc:bb
    wlan.da destination MAC address wlan.da == 00:1a:6b:ce:fc:bb

    Materials that helped me for this post:
    http://packetlife.net/static/cheatsheets/wireshark-display-filters.pdf – thanks Jeremy Stretch
    http://www.wireshark.org/docs/dfref/ – here you can find the full list of filters – thanks developers of Wireshark