Category Archives: Tip

Troubleshooting the hidden dangers of TCP’s Nagle algorithm and delayed acknowledgement

As we all know, TCP/IP is a great protocol suite.  However, there are times when it can become the bottleneck.  This is especially true if you use TCP/IP for real time transactions where small data sizes are the norm (think financial institutions).  In this session, I’ll show you why Nagle algorithm and delayed acknowledgement was developed.  But more importantly, I’ll highlight the unintended consequences when the two features interact – badly – with each other.  After watching this session, you will be able to spot the hidden dangers of using TCP/IP for real time transactions.   Enjoy, and as always, I would really appreciate your feedback and suggestions. Here is the video:

And as always, any and all feedback and suggestion are welcome.  Thank you and Enjoy!

Hansang Bae

Looking forward to Sharkfest ’11

I’ve been looking over the session schedule for Sharkfest ’11. Once again Janice and Sheri have created an event which guarantees a wealth of knowledge and insight for everyone attending.

What to expect

Sharkfest is small. This is on purpose. We limit the size of the conference in order to allow more one-on-one communication between the attendees and presenters.

It has a high knowledge density. Our strategy is to gather together a bunch of people who are excited about Wireshark and protocol analysis, and know what the heck they’re talking about. We do our best to make sure the presentations focus on usable information with a minimum of fluff.

How to get the most out of Sharkfest

Sharkfest is active, not passive. Mingle. Compare notes. Many of the attendees are Wireshark power users, but many are not. Everyone has something insightful to share. The worst thing you can do is keep to yourself.

For the past three years I’ve had the opportunity to witness the top people in protocol analysis exchanging and sharing ideas. I look forward to seeing the same thing this year. See you there.

Running Wireshark as You

Running Wireshark on Linux involves an interesting challenge1: Capturing packets requires root access, but Wireshark is big program and we strongly recommend against running it with elevated privileges. On Linux it’s common to see Wireshark running as root, but this is nearly unheard for similarly-sized applications like Firefox and GIMP. How can we avoid running Wireshark as root? Continue reading

Holiday Gift Opening Tip

This is a blister pack:

blister pack

We take gift-giving safety seriously here at the CACE Technologies World Domination Headquarters.

These are aviation shears:

aviation shears

This is what you can do to a blister pack in just a few seconds using aviation shears:


The shears were designed to cut sheet metal. They go through annoying packaging with precision and ease. You know those scissors that can cut through a penny? Aviation shears can cut through a penny and through those scissors.

They’re the best thing I’ve found so far for the job.

Javascript Background Animation

The Windows 7 taskbar does this nifty little background animation when you mouse over an open application’s icon. I wanted to see if the effect could be duplicated on a web page.

Suppose we have a couple of inline elements:

  <img class="bgmove" src="wsbadge-empty.png">

  <span class="bgmove">Packets!</span>

The image is mostly transparent:


We have a background that’s slightly larger than our elements, which lets us position it using negative offsets:


.bgmove {
  background-image: url('wsbadge-bg.png');
  background-repeat: no-repeat;
  background-position: -50px -20px;

jQuery lets us do two important things: track mouse motion and determine an element’s dimensions. This lets us shift the backround around when we mouse over each element:

  $("div img.bgmove").pngFix();
    var elWidth = $(;
    var elHeight = $(;
    var bgWidth = 279;
    var bgHeight = 95;
    var x = e.pageX - this.offsetLeft;
    var y = e.pageY - this.offsetTop;
    //var offX = -1 * (x * (bgWidth - elWidth) / elWidth);  // Against the mouse
    var offX = (x * (bgWidth - elWidth) / elWidth) - (bgWidth - elWidth);  // With the mouse
    var offY = -1 * (y * (bgHeight - elHeight) / elHeight); // Against the mouse
    //var offY = (y * (bgHeight - elHeight) / elHeight) - (bgHeight - elHeight);  // With the mouse
    bgPos = offX + 'px ' + offY + 'px'; = bgPos;

You can see it all in action on the demo page. Combining this with jQuery animation is left as an exercise for the reader. The effect works in Firefox, Safari, Chrome, and IE 7+. IE 6 has trouble with the transparent PNG.

Debugging SSL Servers Over IPv6

An old-school method of debugging TCP-based services is to use telnet:

$ telnet 80
Connected to
Escape character is '^]'.

HTTP/1.1 200 OK
Date: Fri, 16 Oct 2009 19:31:47 GMT
Server: Apache
Accept-Ranges: bytes
Cache-Control: max-age=3600
Vary: Accept-Encoding
X-Slogan: Be good. You never know who's running Wireshark nearby.
Content-Length: 9628
Connection: close
Content-Type: text/html

Connection closed by foreign host.

It’s like giving your web server a big ol’ hug.

Most telnet clients do something very clever here. If you connect to a port other than 23 (or whatever getservbyname returns when you feed it “telnet”) they will disable telnet protocol negotiation and switch to line mode. This gives you a raw, line-based connection which is just the thing you need to interact with an HTTP, POP, IMAP, FTP, or NNTP server.

Adding SSL and IPv6 to the mix complicates things. I’m in the process of making Wireshark’s public-facing services available over IPv6. It would be helpful to be able to test connectivity to each service before adding its corresponding AAAA record. Standard telnet clients support 6, but not SSL. OpenSSL’s s_client command speaks SSL, but not over IPv6 (not on my systems, at least):

$ openssl s_client -connect '[2607:f0d0:2001:e:1::123]:443'
getservbyname failure for f0d0:2001:e:1::123]:443
$ openssl s_client -connect
gethostbyname failure

Luckily Fyodor released Nmap 5 a while back. Nmap 5 includes ncat, which lets you connect over SSL+IPv6. It is now my new favorite service-poking utility.

$ ncat -6 --ssl -v 2607:f0d0:2001:e:1::123 443
Ncat version 5.00 ( )
SSL connection to 2607:f0d0:2001:e:1::123:443.
SHA-1 fingerprint: F6BA 2EE9 DEEF 74D3 B4B0 86D7 F5DB 6237 FF7F 896A
HEAD /bugzilla/ HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 16 Oct 2009 20:26:23 GMT
Server: Apache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8

On many Linux distributions you can also use telnet-ssl:

telnet-ssl -z ssl 2607:f0d0:2001:e:1::123 443

Capture Filters and Offsets

A couple of questions have come up on the wireshark-users mailing list recently about using capture filters for MPLS and VLANs. Each user was having the same problem yet these are different network technologies — what do they have to do with each other?

The answer is offsets.

Let’s take an up-close and personal look at the capture filter “ip src host”. We can do this by running tcpdump -d, which takes a filter, compiles it, and dumps out the result. The dump of our filter looks like this:

(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 5
(002) ld       [26]
(003) jeq      #0xa102030       jt 4    jf 5
(004) ret      #96
(005) ret      #0

If this makes no sense don’t worry. You just need to know that the first two lines look for the IP ethertype (0x800) starting at byte 12 and the next two lines look for the IP address (0xa102030) starting at byte 26. This is the minimum amount of checking required for that capture filter if you’re running IP over Ethernet.

What happens if you’re using 802.1q? Continue reading

Wireshark’s Welcome Screen

Wireshark 1.2 added a nifty welcome screen which lets you start capturing, load a capture file, get help, and lots of other things. At the very top of the screen we brag about our popularity.

You can change that message to anything you like.

Continue reading

This entry was posted in Tip.

Filtering DSCP

The second byte in the IPv4 header (aka “those bits you’ve probably never, ever looked at”) is used for Differentiated Services, or DiffServ. It’s split into two parts: the 6 most significant bits define the DSCP (differentiated services code point) and the two least significant bits are for ECN (explicit congestion notification). You can use DSCP to divide your traffic into different classes. For example, Asterisk might use the following DiffServ value, which corresponds EF (Expedited Forwarding):


If your networking equipment is sufficiently aware, this traffic will receive preferential treatment.

You can filter these values pretty easily using the ip.dsfield.dscp display filter — just right-click on the DSCP field in the packet like so:

Applying a DSCP display filter

Applying a DSCP display filter

What if you need to use DSCP in a capture filter? Continue reading

Missing Packets and Chimnies

You’ve just fired up Wireshark on your Windows Server 2003 or 2008 system and you’re not seeing nearly the amount of traffic you should. What’s happening?

The Windows Server 2003 Scalable Networking Pack introduced a feature called TCP Chimney Offload. Chimney offloading lets the OS networking stack hand off established TCP connections to the NIC for processing. This frees up the CPU, bus, and memory for other things and lets you scale up the number of connections you can handle. Hooray! Once the OS hands a connection off to the NIC, that traffic completely bypasses WinPcap and therefore doesn’t show up in Wireshark. You see the TCP connection setup and non-TCP traffic but no TCP data. Oops.

How do you fix the problem? It depends on your environment.

You can disable chimney offloading as described in KB 91222 (Server 2003) or KB 951037 (Server 2008). If you have a gigabit NIC you can probably get away with leaving it disabled. If you have a 10 gig NIC this might affect your performance. You can also SPAN or tap in and capture on an external machine, assuming you’re sufficiently equipped.