The Official Wireshark Blog

Wireshark Tutorial Series. Tips and tricks used by insiders and veterans


For those of you who have attended Sharkfest in the past, you already know that protocol analysis is near and dear to my heart. It’s also a field where experience and art still matter. As great as Wireshark is as a tool, it still takes coaxing by an analyst to ferret out root cause. And as networks and applications become more complex, keeping up will be challenging.

But the one thing that I noticed over the years is that people rush to install sniffers without really thinking about it. It’s almost as if people expect sniffers to magically spit out the root cause, served on a silver platter! In reality, it takes a fair amount of protocol and application knowledge to truly bring a tool like Wireshark to bear.

I started posting to this blog so that I can help budding protocol analysts and perhaps show interesting tricks-of-the-trade to veteran users. To become good in this field, it takes a fair amount of practice. It takes practice to know how to capture the right data, where to capture the data, what filters to use, and how to interpret the data. So how do you go about getting started? First, you can watch the accompanying video/tutorial session (see below for the link). Next, make sure you set up your Wireshark in a consistent manner – the video tutorial covers this.

Ever wonder how router jockeys like me can scroll through a “sho run” output so quickly? It’s because I’ve done it for so long that the eyes are trained to filter out unneeded information. That’s the key to training – knowing what to filter out so your brain can get to work on the important stuff. It turns out protocol analysis works the same way. You have to train your brain to filter out the noise. Setting up your Wireshark environment will go a long way to maximizing productivity.

There is no “right way” to set up Wireshark. There’s only “my way” and everyone else’s – by definition – is wrong! Some like destination address to be the first column just like in DOS Sniffer. Others prefer using Wireshark’s default order. Whatever your style is, make sure it’s consistent. And if you’re just starting out, perhaps you can benefit from my setup. Even Anthony Bourdain in his book “Kitchen Confidential” talks about “mise-en-place.” It’s a term used by chefs and signifies how the cooking stations are set up. It’s important because it makes them more productive. For the same reason, you need to develop your own Wireshark mise-en-place!

If you still have not modified the default layout of Wireshark, you’re definitely missing out. In the video, I’m going to help you set up Wireshark so that you can become more productive. And we’re going to embark on a journey where I show you all the secrets to protocol analysis. I’m like the “magicians’ tricks revealed” guy. I’m going to help make you a rock star – where protocol analysis is concerned – in your company. If you’re an industry veteran, don’t be alarmed. The first few sessions are geared towards beginners so they can catch up. After that, I promise you that we’ll be in the weeds!

Hope you enjoy it, and I’d love to hear your comments. You can reach me at [email protected]

Comments

Comment by Betty DuBois on 2012-10-18 09:24:29 +0000

Great video Hansang. I’m looking forward to the next installment. Did you know you can left click on the profile name in the status bar to toggle between all of your profiles? Just another way to achieve the goal as quick as possible.

Comment by Tony Fortunato on 2012-10-19 06:28:05 +0000

very nice. I look forward to more articles

Comment by wireshark on 2012-10-19 08:55:01 +0000

is there a way with wireshark to simulate / replay website visitor ?

i would like to simulate visitor behaviour and trafic !

thanks

sebastien

Comment by Hansang Bae on 2012-10-20 18:42:03 +0000

Thanks everyone!
Betty, yes, Gerald actually pointed that out and I was going to edit the video with a popup (but must have forgotten it! 🙂)

sebastien,
Wireshark will not replay the data. You’ll need something like tcpreplay (and there are other tools, just google for ‘replay pcap’)

Comment by Chris Greer on 2012-10-21 16:43:33 +0000

Hansang,
Looking forward to reading and watching your work here.
Thanks for taking the time to get this great info together.

Comment by Travis Marlette on 2012-10-30 08:25:59 +0000

I look forward to learning more from you Hansang! Now that my wireshark is setup properly, it should go much faster.

I look forward to your future posts!

Comment by Hansang Bae on 2012-10-31 10:29:02 +0000

Travis,
Thank you, another session will be posted (hopefully) by next (Nov 10th) weekend. Hurricane Sandy made things a bit difficult – to say the least.

Comment by Alex on 2012-11-13 12:44:53 +0000

Hey there…

I downloaded the Wireshark software and it works great for viewing packets and destinations running back and forth to my laptop….but I was wondering is there a way for me to see the traffic going to other laptops on my home router….I have 2 children and am concerned who they are chatting with etc…?

Thanks for your help.

B

Comment by Alex on 2012-11-13 13:31:33 +0000

Is there any way to capture the traffic with all laptops (3) on a home router with Wireshark?

Thanks for your help.

Alex

Comment by Hansang Bae on 2012-11-18 21:36:28 +0000

Alex,
It depends on your home router. Please see

http://www.wireshark.org/faq.html

Q 7.1: When I use Wireshark to capture packets, why do I see only packets to and from my machine, or not see all the traffic I’m expecting to see from or to the machine I’m trying to monitor?

Q 7.2: When I capture with Wireshark, why can’t I see any TCP packets other than packets to and from my machine, even though another analyzer on the network sees those packets?

Comment by Riu on 2012-11-24 08:43:26 +0000

Great video, but i was wondering how could i send packets to test server responses to them.
Thanks for your help!

Comment by Hansang Bae on 2012-11-26 06:57:06 +0000

Riu,
You can’t use Wireshark to (re)generate traffic. There are other tools for sending packets out, but for TCP, it can get a little tricky. If you’re interested check out tcpreplay or Google’s Ostinato tool.

Comment by http://business-ethernet.com on 2012-12-02 22:24:57 +0000

When you’re looking for an Internet connection for your company, you must know a few things about the telecom world, what the different circuits are, and most of all, what is guaranteed and what it is. The marketing hype is often very deceiving, so you need to understand dedicated lines such as business Ethernet, T1 and similar. Additionally you have to know where to look for the best pricing and how to make sure it truly is reliable at the best prices possible.

Comment by bernard on 2012-12-07 15:20:48 +0000

I must be among the dumber ones. I can’t find the link to the video. Where is it?

Comment by Hansang Bae on 2012-12-07 15:24:57 +0000

Bernard, it’s the hyperlink in the final paragraph.

“If you still have not modified the default layout of Wireshark, you’re definitely missing out. In the **video**, I’m …..”

Comment by Kostas on 2012-12-15 00:03:21 +0000

Very helpful! Looking forward for the next one!

Comment by Hansang Bae on 2012-12-15 14:48:09 +0000

Thank you, I’m currently working on the next set (as I type this…actually). It requires some visual explanation so I’m working through my PPT issues at the moment. LOL. I can do packet analysis, but PPT can elude me at times!

Comment by decaptcha service on 2012-12-15 19:48:28 +0000

Everyone loves what you guys are usually up to. This type of clever work and exposure! Keep up the fantastic works guys I’ve added you guys to my own blogroll.

Comment by captcha reader on 2012-12-15 19:54:17 +0000

Hey I know this is off topic but I was wondering if you knew of any widgets I could add to my blog that automatically tweet my newest twitter updates.

I’ve been looking for a plug-in like this for quite some time and was hoping maybe you would have some experience with something like this. Please let me know if you run into anything. I truly enjoy reading your blog and I look forward to your new updates.

Comment by captcha decoder on 2012-12-15 19:55:57 +0000

When I initially commented I clicked the “Notify me when new comments are added” checkbox and now each time a comment is added I get four e-mails with the same comment. Is there any way you can remove people from that service? Thanks a lot!

Comment by recaptcha bypass on 2012-12-15 19:58:03 +0000

When I initially commented I clicked the “Notify me when new comments are added” checkbox and now each time a comment is added I get several emails with the same comment. Is there any way you can remove people from that service? Thanks a lot!