Wireshark for Network Management
Thursday, October-22-2009

An edited version of this article was originally printed in the May 2009 edition of Hakin9 Magazine under Tool Reviews. As an IT consultant I frequently need to monitor and analyze network traffic. Wireshark is easily the tool of choice.
Introduction:
The great white is one of the undisputed masters of the open seas and with knowledge and training Wireshark can help the network admin or consultant master that sea of data that flows across the networks of the world. Originally developed by Gerald Combs in 1998 and available as free/open source software under the name Ethereal, the project grew to encompass many programmers over the years and was renamed Wireshark in June 2006.
Wireshark is considered to be one of the premier protocol analysis tools with eWeek Labs in 2007 listing it among “The Most Important Open-Source Apps of All Time.” Wireshark is free/open source software with versions available for Linux, Microsoft Windows and Mac OS X at http://www.wireshark.org
As an essential element of the toolkit of any network professional, Wireshark provides the tools to capture and analyze network traffic or to perform analysis on network captures provided by tools such as tcpdump, tshark, EtherPeek and a wide range of others.
Installation:
Installation is platform dependent but easily done using the appropriate method, such as the Windows installer package or, for the more adventurous, by compiling the program from the source code. Linux users should use the method appropriate to the distribution they are using, such as apt-get or rpm. The download page at wireshark.org covers the options and installation methods for the more common platforms.
First Runs:
With Wireshark installed you’re ready to do your first packet captures, so let’s go. The easiest method is to use the main toolbar (the set of icons directly below the text menu headings) and left-click on the left-most icon, which looks like a NIC with a small white list box on it. This will open the “Capture Interfaces” dialog box, which shows the interfaces that Wireshark recognizes, a description, the IP, and a column showing packet activity for each.
To begin capturing packets just left-click on the Start button for the interface you want. Wireshark will now begin capturing packets for that interface and show the results in the packet list pane that is part of the main window. On a busy network this will quickly fill with all the network noise, including routing protocols, spanning-tree from switches and ARP requests. Somewhere amidst the turmoil are the packets you’re looking for.
Managing the Packet Capture:
Wireshark thoughtfully provides two primary methods to keep from filling your hard drive and exhausting your patience analyzing all that network noise. On the front end the analyst can deploy capture filters, which, as the name implies, limit what packets Wireshark actually brings up from the NIC and includes in the capture archive. If for example you know you have no interest in all that chatty spanning-tree traffic between switches, you can deploy a capture filter telling Wireshark to ignore those packets. This provides several benefits: your capture data set will be reduced, making analysis much quicker and more efficient, and the saved captures will make for smaller files.
Finding Needles in Haystacks:
Even with a good set of capture filters in place a busy network will generate a lot of packets, so how do we as network analysts save our patience and find specific packets or groups of packets? Enter the second powerful feature: display filters. Whereas capture filters actually limit what packet types will be included in the capture set, the display filter only controls what is shown in the packet list pane. The actual capture set isn’t altered and remains intact. For example, let’s say that in my haste I didn’t filter out the spanning-tree traffic and now my 15 minute capture set has some critical packets, all of which are somewhere in that sea of STP dribbling down the page and causing my vision to blur. Relief is as close as typing “!(stp)” in the “Filter:” box and clicking Apply. The packet list pane will now show all traffic that was captured except for spanning-tree.
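As an added illustration, not code from the article or from the Wireshark project, the following Python script constructs a few frames (a switch’s STP BPDUs, a PC doing ARP and IP, and a printer chattering AppleTalk and IPX, all with made-up MAC addresses), writes them to a libpcap file that Wireshark can open, and shows the distinction drawn above: a capture filter decides what lands in the file, while a display filter only narrows the view of an unchanged capture. The `protocol`, `capture`, `display` and `talkers` helpers are this example’s own simplifications, not Wireshark or tshark APIs.

```python
import os, struct, tempfile
from collections import Counter

# Ethertypes named in the article; STP instead rides in 802.3/LLC frames with DSAP/SSAP 0x42.
ETYPE = {0x0806: "arp", 0x0800: "ip", 0x809B: "atalk", 0x8137: "ipx"}
PRINTER, PC, SWITCH = "00aa11bb22cc", "001122334455", "00deadbeef01"   # constructed MACs
PCAP = os.path.join(tempfile.gettempdir(), "wireshark_filter_demo.pcap")

def eth(dst, src, etype, payload=b"\x00" * 46):
    return bytes.fromhex(dst) + bytes.fromhex(src) + struct.pack("!H", etype) + payload
def stp_bpdu(src):
    llc = b"\x42\x42\x03" + b"\x00" * 35           # LLC header plus a zeroed BPDU body
    return bytes.fromhex("0180c2000000") + bytes.fromhex(src) + struct.pack("!H", len(llc)) + llc

def protocol(frame):
    """Dissect just far enough to fill the Protocol column: 'stp', 'arp', 'ip', 'atalk', 'ipx'."""
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype <= 0x05DC:                             # 802.3 length field, so LLC follows
        return "stp" if frame[14:16] == b"\x42\x42" else "llc"
    return ETYPE.get(etype, "0x%04x" % etype)

def write_pcap(path, frames):
    """Minimal libpcap file, link type 1 (Ethernet); Wireshark opens it as-is."""
    with open(path, "wb") as fh:
        fh.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, f in enumerate(frames):
            fh.write(struct.pack("<IIII", 1_000_000 + i, 0, len(f), len(f)) + f)
def read_pcap(path):
    with open(path, "rb") as fh:
        data = fh.read()[24:]                       # skip the global header
    frames, pos = [], 0
    while pos < len(data):
        caplen = struct.unpack("<I", data[pos + 8:pos + 12])[0]
        frames.append(data[pos + 16:pos + 16 + caplen])
        pos += 16 + caplen
    return frames

def capture(wire, path=PCAP, capture_filter=lambda f: True):
    """Capture filter: frames failing it never reach the file (like tshark -f 'not stp')."""
    write_pcap(path, [f for f in wire if capture_filter(f)])
    return read_pcap(path)
def display(frames, display_filter):
    """Display filter: only the view narrows; the capture itself is untouched (like '!(stp)')."""
    return [f for f in frames if display_filter(f)]
def talkers(frames, proto):
    """Per-source tally of one protocol: who is sending all that AppleTalk or IPX?"""
    return Counter(f[6:12].hex(":") for f in frames if protocol(f) == proto)

# Constructed traffic: three switch BPDUs, a PC doing ARP and IP, a printer talking AppleTalk and IPX.
WIRE = [stp_bpdu(SWITCH)] * 3 + [eth("ffffffffffff", PC, 0x0806), eth(PRINTER, PC, 0x0800),
        eth("090007ffffff", PRINTER, 0x809B), eth("ffffffffffff", PRINTER, 0x8137), eth(PC, PRINTER, 0x0800)]
```

Open the generated file in Wireshark and type `!(stp)` in the filter box to see the same five frames that `display` returns, while the file on disk still holds all eight.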
Analysis and Statistics:
Wireshark provides an excellent set of tools to analyze the packet capture set, the discussion of which is too lengthy for an introductory article. I would note that it’s well worth the effort to spend some time working through the options provided, as a wealth of information can be drawn from the capture set that can be instrumental in resolving a myriad of network issues, including performance and security.
Conclusion:
As an independent IT consultant to small businesses and similar organizations I’ve been using Wireshark and its forerunner Ethereal since around 2001 and consider it the most important tool in my kit for resolving networking issues.
A simple example: a government customer with a staff of about 12 on a small LAN had a new “big-brand-name” combination copier, printer and scanner installed. The day after the installation the manager sent me an email asking me to check out the network when I had a chance, as it was definitely acting just a tad more sluggish. A 60 second capture set with Wireshark showed that the network was not only busily handling its normal load of TCP/IP traffic but was awash in both AppleTalk and IPX/SPX. Seeing how we had neither Macs nor NetWare servers on the network, inquiring minds wanted to know the source of this bothersome gibberish. A quick analysis of the packets revealed the offending traffic all originating from the IP assigned to the new multifunction machine. A short walk through the network settings dialog screens for the multifunction box showed that the tech had simply left the defaults on, which were to use IPv4, AppleTalk and IPX/SPX. Two quick taps to disable the latter two and Wireshark showed the network no longer bothered by unnecessary traffic and the performance slightly improved.
Posted by mike.shafer on 10-22-2009 at 11:10 am
Posted in IT for SMB
