Category Archives: Infrastructure

Wireshark Tutorial Series. Tips and tricks used by insiders and veterans

For those of you who have attended Sharkfest in the past, you already know that protocol analysis is near and dear to my heart. It’s also a field where experience and art still matter. As great as Wireshark is as a tool, it still takes coaxing by an analyst to ferret out root cause. And as networks and applications become more complex, keeping up will be challenging.

But the one thing that I noticed over the years is that people rush to install sniffers without really thinking about it. It’s almost as if people expect sniffers to magically spit out the root cause, served on a silver platter! In reality, it takes a fair amount of protocol and application knowledge to truly bring a tool like Wireshark to bear.

I started posting to this blog so that I can help budding protocol analysts and perhaps show interesting tricks-of-the-trade to veteran users. To become good in this field, it takes a fair amount of practice. It takes practice to know how to capture the right data, where to capture the data, what filters to use, and how to interpret the data. So how do you go about getting started? First, you can watch the accompanying video/tutorial session (see below for the link). Next, make sure you set up your Wireshark in a consistent manner; the video tutorial covers this.

Ever wonder how router jockeys like me can scroll through a “sho run” output so quickly? It’s because I’ve done it for so long that the eyes are trained to filter out unneeded information. That’s the key to training – knowing what to filter out so your brain can get to work on the important stuff. It turns out protocol analysis works the same way. You have to train your brain to filter out the noise. Setting up your Wireshark environment will go a long way to maximizing productivity.

There is no “right way” to set up Wireshark. There’s only “my way” and everyone else’s – by definition – is wrong! Some like destination address to be the first column just like in DOS Sniffer. Others prefer using Wireshark’s default order. Whatever your style is, make sure it’s consistent. And if you’re just starting out, perhaps you can benefit from my setup. Even Anthony Bourdain in his book “Kitchen Confidential” talks about “mise-en-place.” It’s a term used by chefs and signifies how the cooking stations are set up. It’s important because it makes them more productive. For the same reason, you need to develop your own Wireshark mise-en-place!

If you still have not modified the default layout of Wireshark, you’re definitely missing out. In the video, I’m going to help you set up Wireshark so that you can become more productive. And we’re going to embark on a journey where I show you all the secrets to protocol analysis. I’m like the “magicians’ tricks revealed” guy. I’m going to help make you a rock star – where protocol analysis is concerned – in your company. If you’re an industry veteran, don’t be alarmed. The first few sessions are geared towards beginners so they can catch up. After that, I promise you that we’ll be in the weeds!

Hope you enjoy it, and I’d love to hear your comments. You can reach me at [email protected]

Used Cars and Stub Installers

The Wireshark development team works hard to earn the respect of our users. This includes making sure that downloading and installing Wireshark is as easy and trouble-free as possible. Right now the vast majority of our users can go to www.wireshark.org, follow the big green arrows, and immediately download the appropriate Wireshark package for their platform.

For many years a number of third party sites have also offered Wireshark downloads. Typing “wireshark download” into your favorite search engine will turn up a bunch of them, usually just below links to wireshark.org. These sites are popular and often provide valuable services such as reviews and malware prescreening. They also reside outside the Wireshark ecosystem — we don’t link to them and aren’t affiliated with any of them.

"This is the Cadillac of invasive toolbars at a Chevy price!"

Sometimes these sites abuse their relationship with their users. For example a few months ago Download.com started using a stub installer which tries to get you to install various toolbars and who-knows-what-else before it installs the package you ultimately want, much like a sleazy car salesman trying to bundle add-ons you don’t want or need.

This sort of bottom-feeding behavior is harmful to our user community and exploits the goodwill we have with our users. Brian Krebs and Gordon “Fyodor” Lyon describe the problem with much more depth and eloquence than I can.

I sent a request to Download.com to disable their stub installer for Wireshark. They complied, but there are dozens of other download sites. Trying to keep tabs on all of them would result in a never-ending game of Whac-A-Mole®.

On behalf of the Wireshark development team I promise to provide easily accessible, direct downloads of Wireshark from wireshark.org just as we always have. If you choose to download Wireshark somewhere else we can’t guarantee that the experience will be free of shenanigans so please be careful.
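If you do fetch a package from somewhere other than wireshark.org, the one check that catches a stub installer or a repackaged download is comparing the file’s digest with the one the project publishes for that release. The shell snippet below is an added example, not code from the Wireshark project or from this post: the file names and the appended “stub” payload are constructed, and the “published” digest in the demo is a stand-in for the value you would copy from wireshark.org (never from the third-party download page itself).

```shell
# Added example: detect a repackaged installer by comparing its SHA-256
# against the digest the project publishes. File names and digests are
# constructed for illustration; they are not real Wireshark release values.

# Print the lowercase SHA-256 hex digest of a file, using whichever tool exists.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print tolower($1)}'
    else
        shasum -a 256 "$1" | awk '{print tolower($1)}'
    fi
}

# verify_download FILE EXPECTED_SHA256 -> returns 0 on match, 1 on mismatch.
# The expected value is normalised to lowercase so copy-pasted uppercase digests work.
verify_download() {
    expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    actual=$(sha256_of "$1")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $1 matches the published digest"
        return 0
    fi
    printf 'MISMATCH: %s\n  expected %s\n  actual   %s\n' "$1" "$expected" "$actual" >&2
    return 1
}

# Demonstration with constructed files: a "clean" package and the same bytes
# with an extra stub appended, which is what a wrapped installer looks like
# on disk. Only the digest of the clean copy counts as "published".
demo() {
    dir=$(mktemp -d)
    printf 'pretend this is wireshark-setup.exe\n' > "$dir/clean.exe"
    cp "$dir/clean.exe" "$dir/bundled.exe"
    printf 'toolbar-installer-stub\n' >> "$dir/bundled.exe"
    published=$(sha256_of "$dir/clean.exe")        # stand-in for the wireshark.org value
    verify_download "$dir/clean.exe" "$published"    # prints OK
    verify_download "$dir/bundled.exe" "$published"  # prints MISMATCH, returns 1
    rm -rf "$dir"
}
```

Run `demo` to see both outcomes. A digest only proves the file is the one the project published if the digest itself came from wireshark.org over a trusted channel; a download site that serves the installer can just as easily serve a matching “checksum” for its own wrapped copy.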

We’re not Participating in World IPv6 Day. Mostly.

Tomorrow is World IPv6 Day, the largest full-frontal test of IPv6 to date. It is going to be a historic event. It’s also one in which wireshark.org will and won’t be participating.

In one sense every day is IPv6 day here and tomorrow will be just another day. Most of our web sites (anonsvn, ask, this blog, bugs, buildbot, sharkfest, and wiki) have been fully dual-stacked for some time. You can reach them over both IPv4 and IPv6 and so far it’s been working pretty well. The big exception to this is the main web site, which still only has an A record. We can add an AAAA record at any time, but I’ve been holding off doing so until well *after* World IPv6 Day.

My concern is that having an AAAA record in place for www.wireshark.org tomorrow will cause unnecessary problems. If anyone runs into trouble reaching dual-stacked sites I don’t want to impede their ability to troubleshoot the problem by making Wireshark difficult to download.

We’ll add the AAAA record for www.wireshark.org in a few weeks.

P.S. According to the SCM revision logs IPv6 support was introduced in Wireshark in 1998. Tomorrow’s test is long overdue.

Announcing ask.wireshark.org

There have been requests over the years for an online forum for Wireshark. I’m not too crazy about traditional forums, particularly for support. You often end up digging through a lot of not-so-useful content to get to the information you’re looking for.

(If you can see where this is going and are impatient, you can go straight to the new support Q&A site now. Otherwise read on.)

Last year Jeff Atwood and Joel Spolsky started Stack Exchange, a collection of question & answer sites including Stack Overflow, Server Fault, and Super User. SE fixes everything that’s wrong with traditional forum software. Useful answers can be voted up by the community, and “hot” questions are listed first.

Stack Exchange is wonderful but they require you to host your content on their servers. This goes against my control freak sensibilities, so I had to look elsewhere for a solution. I found OSQA. The software is still beta, but it’s quite functional and becoming quite popular.

Here are some of the things you can do with OSQA:

Vote questions and answers up and down

This means that the good stuff floats to the top. Additionally the person who posted the question can select one answer as the best.

Comment on questions and answers

This lets you have a traditional forum-style linear discussion when you need it.

Tag questions

Tags let you categorize questions. For instance the python tag on Stack Overflow will give you all of the Python programming questions.

Earn karma

As you ask questions and provide helpful answers you gain karma points. This lets you do things like…

Edit content

Power users can correct, clarify, or otherwise make helpful changes to things others have posted.

Q&A sites aren’t for everyone. They tend to work best when you have a bunch of helpful, active, and knowledgeable people willing to exchange ideas in a particular field. As luck would have it this describes the Wireshark community to a tee.

Go try it for yourself at http://ask.wireshark.org.

Sharkfest ’10 Recap

Sharkfest ’10 ended a week ago today and I’m still reeling. The conference started with a keynote from Van Jacobson and ended with one from Harry Saal, two monumental figures in our industry and very nice people to boot. Attendees traveled from all over the globe, from large companies to single-person operations. The presentations were packed with information and it was great to see how experts tackle packet-level network monitoring and troubleshooting. If you missed out we’re getting the presentations online as fast as we can.

Wish List: Decent SVG Network Elements

Nmap 5 has a really cool feature: you can scan a network and dump its map to SVG. Inkscape is turning out to be a really nice vector drawing program.

A really useful workflow would be to combine the two:

  1. Map your network using Nmap.
  2. Tweak that map to your liking using Inkscape.
  3. Have a cool map.

Unfortunately this is a harsh, cruel world we live in. The workflow we currently have is:

  1. Map your network using Nmap.
  2. Load the map in Inkscape.
  3. Search the interwebs for decent SVG network elements until you have to explain the foul language and crying to your wife.

This is something Visio is famous for (network art, not the foul language and crying). Search for “visio stencils” and you’ll be bombarded with all sorts of network shapes, from major equipment manufacturers to ones that look like crayon art. Where are all the cool SVG network elements? Quantum Bits made a nice start, but we need a lot more than that.

Does IPv6 Adoption Depend on Akamai?

The ongoing effort to switch the entire planet over to IPv6 has a chicken-and-egg problem: there is little incentive to deploy it if no one else is using it. This is expected to change as IPv4 addresses become more scarce, but for the time being uptake is dismal (in the U.S. at least).

One easy way to measure IPv6 adoption is to see how many of Alexa’s top sites have AAAA records. Hurricane Electric and Lars Eggert do a good job of this. Following in their footsteps, my own version of this data is shown below:

IPv6 Adoption - Alexa top 1000

It shows IPv6 adoption in Alexa’s top 1000 sites along with the number of sites using Akamai. The number of IPv6 sites is pretty small but the number of “testing” sites is encouraging. See the notes below for a detailed explanation and breakdown.

Who is Akamai? They’re a giant content and application delivery provider.

Wireshark.org and IPv6 plumbing

Wireshark has supported IPv6 since dirt was new. Unfortunately, the wireshark.org web site has only been available over IPv4. Until now, that is. If you are IPv6-enabled, you can reach the Wireshark web site at http://ipv6.wireshark.org. Nota bene:

  • The address above is only available over IPv6.
  • The main address for the site (http://www.wireshark.org) is still IPv4-only. We’ll add an AAAA record after a suitable evaluation period.
  • Other Wireshark sites (such as the bug tracker, wiki, and buildbot) are still IPv4-only for the time being.
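The three IPv6 posts above all come down to the same two DNS facts about a host: whether it has an A record, whether it has an AAAA record, and (the worry in the World IPv6 Day post) whether a dual-stacked host is actually reachable over both families. The Python below is an added example, not code from the Wireshark project or from these posts. It classifies a host from its record sets the way the adoption survey does, and diagnoses the “dual-stacked but broken over IPv6” case separately from “IPv4-only”. The host names and addresses in the sample are constructed from documentation ranges; `resolve()` and `can_connect()` use the system resolver and a plain TCP connect and are the only parts that touch the network.

```python
"""Added example (not from the original posts): classify hosts as IPv4-only,
IPv6-only or dual-stack from their A and AAAA records, and check reachability
over each address family separately. Sample hosts below are constructed."""

import socket
from collections import Counter


def resolve(host, port=80):
    """Resolve host to (sorted IPv4 list, sorted IPv6 list) via the system resolver.
    An empty list means that family returned no usable records."""
    found = {socket.AF_INET: set(), socket.AF_INET6: set()}
    for family in found:
        try:
            for _, _, _, _, sockaddr in socket.getaddrinfo(host, port, family, socket.SOCK_STREAM):
                found[family].add(sockaddr[0])
        except socket.gaierror:
            pass  # no records for this family, or the resolver refused the query
    return sorted(found[socket.AF_INET]), sorted(found[socket.AF_INET6])


def classify(v4, v6):
    """Map (A records, AAAA records) to the labels the posts use."""
    if v4 and v6:
        return "dual-stack"
    if v4:
        return "ipv4-only"
    if v6:
        return "ipv6-only"
    return "unresolvable"


def can_connect(addr, port=80, timeout=3.0):
    """TCP connect to one literal address; True on success, False on any failure."""
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((addr, port))
            return True
    except OSError:
        return False


def diagnose(v4, v6, port=80, connect=can_connect):
    """Per-family reachability for one host's addresses.

    'broken_ipv6' is the case the World IPv6 Day post worries about: the host
    answers over IPv4 but every AAAA address fails, so a client that prefers
    IPv6 sees the site as down. `connect` is injectable so the logic can be
    exercised without network access."""
    result = {"class": classify(v4, v6)}
    if v4:
        result["ipv4_ok"] = any(connect(a, port) for a in v4)
    if v6:
        result["ipv6_ok"] = any(connect(a, port) for a in v6)
    result["broken_ipv6"] = (
        result["class"] == "dual-stack" and result["ipv4_ok"] and not result["ipv6_ok"]
    )
    return result


def survey(records):
    """records: {host: (v4_list, v6_list)} -> Counter of classifications,
    the same tally the Alexa top-1000 chart is built from."""
    return Counter(classify(v4, v6) for v4, v6 in records.values())


# Constructed record sets mirroring the situations in the posts: a main site
# with only an A record, a host with only an AAAA record, and a dual-stacked one.
# Addresses are from the documentation ranges (RFC 5737 / RFC 3849).
SAMPLE_RECORDS = {
    "www.example.test": (["192.0.2.10"], []),
    "ipv6.example.test": ([], ["2001:db8::10"]),
    "wiki.example.test": (["192.0.2.20"], ["2001:db8::20"]),
}

if __name__ == "__main__":
    import sys
    print("sample survey:", dict(survey(SAMPLE_RECORDS)))
    for host in sys.argv[1:]:          # live check of any hosts given on the command line
        v4, v6 = resolve(host)
        print(host, diagnose(v4, v6))
```

Running the script with host names as arguments does a live resolve-and-connect per family; without arguments it only tallies the constructed sample. For a real survey, swap `SAMPLE_RECORDS` for the output of `resolve()` over your host list and keep the classification and the per-family connect separate, since a host with an AAAA record that never answers over IPv6 should count as a problem, not as adoption.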

In order to encourage the adoption of IPv6 I think the phrases “indoor plumbing” and “outdoor plumbing” should be used to refer to native and tunneled IPv6, respectively. Once you point out that an ISP has outdoor plumbing, they’ll want to add native IPv6 support out of shame.

Examples:

  1. Wireshark.org is hosted at SoftLayer. They have indoor IPv6 plumbing.
  2. Wave Broadband is so behind the times! I’m stuck with outdoor IPv6 plumbing at home!