Based on a strange network problem recently I decided to put together some quick notes and a few tips on ways to improve your Wireshark experience based on my own experience with it. There are many, many more features that Wireshark has to offer, these just happen to be the most apparent ones I have found so far. Wireshark is extremely powerful and therefore extremely useful if used properly. At first it takes a while to get used to everything Wireshark has to offer but once you start to get the hang of how things work then it can be a great network troubleshooting tool. Basic knowledge of networking concepts should be assumed as well as familiarity of Wireshark for those who attempt to debug network problems using this tool.
Here is a list of some of the most common and handy features that you can utilize in Wireshark. I am not going to dive into great detail with most of these items because I honestly don’t have a ton of experience with all of them, I basically just wanted to point out the highlights.
- Filtering in Wireshark is very handy.
- Create custom profiles for different use cases (quickly select from bottom right hand corner).
- Color filters are useful! (Right click a field in the packet trace and selelct colorized rule) The bottom left bar will tell you what variable you are looking at to make things easier when customizing.
- Use Regex in wireshark using the “matches” clause to turn on regex patterns.
- You can extract specific information from trace files on the command line using tshark.
- Right click a packet and select “follow TCP/UDP stream” to debug a single network conversation.
- Low delta times are good. If you see high deltas you should probably investigate things.
Here are some more concrete examples and a few basics of how to put these tips into practice. In Wireshark you can use either English or code like operators when filtering to help narrow down traffic and interesting networking patterns and issues. So for example, “==” and “eq” will behave in the same manner when applying filters. Other operators include <,>, !=, <=, >=, etc. Just like you would see in a typical programming language.
Use custom configuration profiles. If you look at packet traces often this will save you a tremendous amount of time if you are looking at specific types of traffic or are only interested in certain traffic patterns. For example, you spend a lot of time looking at many traces that fit the same type of criteria; by using custom profiles you can quickly adjust and modify the view in Wireshark to help quickly identify patterns and potentially issues by cycling through different, specific views. To begin creating custom profiles go to Edit -> Configuration Profiles and then either select the custom profile or create a new one to begin changing.
One handy trick is to disable TCP offload checks. If your packet captures are getting clogged up with a bunch of red and black with offload errors, this is place you should go to look first. There are a few places where this option can either be enabled or disabled. The easiest way to check these options is under Edit -> Preferences and then under the Protocols tree for UDP, TCP and IPv4 protocols. The example below shows what the options should look like for the TCP protocol. The TCP and UDP offload checks are disabled by default but the IPv4 needs to be manually unchecked. The specific option under the IPv4 protocol is labeled “Validate the IPv4 checksum if possible”, simply uncheck this and the red and black errors should disappear.
There is a capture option that allows you to resolve IP addresses to hostname, which I find can be very useful. To enable this option open up the Show capture options screen, there should be an option in there under name resolution called “Resolve network-layer names”. Simply check that box and you should have name resolution.
As mentioned in the bullets above, the “follow UDP/TCP stream” option can be extremely useful and is a very quick way to glean information. It is so useful because it is so easy to use. Simply find a traffic conversation you would like to debug and right click the packet number in the top Wireshark pane and choose the follow UDP/TCP stream option and you can get an idea of everything that happened during a particular conversation. For example, using this technique you can follow FTP transactions.
Viewing a breakdown of the packet flow and traffic patterns can be a useful tool as well when diagnosing various network issues. There is an option in Wireshark that shows in good detail the breakdown of various packets and protocols that can be used to troubelshoot the network. This option is called Protocol Hierarchy Statistics and can be found un te Statistics -> Protocol Hierarchy Statistics page.
Only look at traffic for one IP address:
Likewise, filter out all traffic from an IP address:
!(ip.addr == x.x.x.x)
!(ip.addr == 188.8.131.52)
filter out all traffic for a specific port
!(tcp.port eq 2222)