Wireshark can be a very powerful however getting the most out of this tool can be tricky. There are definitely many variables out there that make capturing and analyzing data a very convoluted and difficult. However there are a few quick an easy tricks you can use to ensure you are getting the most out of your packet captures. Lets go over a few best practices when using Wireshark to make sure you get the most out of it.
- Placement – Knowing where to capture is key. It’s important to remember when you are analyzing packets you are viewing the packets from the perspective of the capture point. This can assist with your analysis or it can actually hinder your analysis. It is also best to ensure you are capturing on both sides of the conversation to ensure you can see the full scope of the conversation. Let’s review a few placement options:
In the above example, we have two captures setup in front of two servers on the separate sides of a firewall. This is recommended for two reasons:
- By capturing on both sides of the firewall, we can see how the firewall interacts with the packets. Firewalls have a tendency of altering the TCP parameters with the packet headers depending on their configuration. There are times when this can negatively affect impact performance or make it difficult to properly analyze packets within Wireshark.
- Capturing close to the two device in question allow us to see the perspective of the conversation from both endpoints. This allows us to see whether or not there is packet loss between nodes, or if possibly if one of the nodes is experiencing heavy processes or load delays, among a host of other things.
Here we are capturing traffic on both sides of a VPN tunnel, similar to the firewall example from above it’s important to make sure the VPN is not causing any unintended communication issues. This can typically happen due to fragmentation or MTU issues.
Remember the key is to capture on both sides of the conversations or where you suspect the problem might be, this provides you the before and after picture of each device interacting with the traffic flow. It also provides you the opportunity to review the network path in between the nodes in question. Ensuring some additional due diligence is taken before you get down into the weeds and start using Wireshark.
- Time – This can be an easily overlooked option, however when you are analyzing packets you will want to make sure that the clocks are synchronized between all devices involved. This will help identify and track specific traffic flows and conversations that are occurring between separate capture files. Keep the timing in sync will also be quite helpful in identifying where any (if any) specific delays are occurring.
- Know the proper tool to use – Believe it or not depending on what you are trying to capture there are quite a few different tools that can be part of your arsenal. For example:
- AirPcap – This tool is used for capturing packets over wireless networks. This includes data and control frames, primarily used for Windows devices as Linux based devices already have the proper access to capture wireless control frames.
- NetShark – This is a dedicated appliance for high performance data captures. This is the ideal device to be placed within data centers or any high performance environment, and is capable of running multiple captures simultaneously.
- Packet Analyzer – Wireshark is great, however it does have its limits. That’s where SteelCentral PacketAnalyzer comes in, this application provides a platform to digest and analyzer large capture quickly, even files that are too large for Wireshark open and analyze in a timely fashion.
- Understanding the components involved – Fully understanding the problem you are attempting to troubleshoot should be the first step before you start capturing data. Having to perform multiple captures can be time consuming. So let us discuss some information to gather before beginning the capturing or analyzing:
- The problem – Understand what the problem is; is it a performance issues, login issue, or error message?
- Know the protocols involved – Once you problem defined you will want narrow down on the protocols involved. Is this a file transfer involving CIFS / SMB, could this be a login issue involving LDAP / Kerberos, or something else entirely?
- Identify the systems involved – Knowing the systems involved will help you create specific capture filters so you only capture the most desired information.
Keeping in mind the above recommendations will help you get the most out of using Wireshark in your environment or any of it’s associated tools. Troubleshooting is tough enough its time to start making it easier. Whether you are troubleshooting on the wire or over the wireless, at a small location or within a data center Wireshark will have you covered.