The Official Wireshark Blog

More Shark Pictures

Categories: Pictures
Wireshark power user Joan Snelders sent in a couple of shark pictures:

Shark candy

More shark candy

Thanks, Joan!

Comments

Comment by Ro on 2009-10-18 07:16:26 +0000

Hey fellows, attached is the link of another great shark user! http://www.flickr.com/photos/43707902@N04/sets/72157622485731109/ -R

PS: Feel free to put photos on the site

Filtering DSCP

Categories: Protocols Tip

The second byte in the IPv4 header (aka “those bits you’ve probably never, ever looked at”) is used for Differentiated Services, or DiffServ. It’s split into two parts: the 6 most significant bits define the DSCP (differentiated services code point) and the two least significant bits are for ECN (explicit congestion notification). You can use DSCP to divide your traffic into different classes. For example, Asterisk might mark its voice traffic with the following DiffServ byte, which corresponds to EF (Expedited Forwarding, DSCP 46, i.e. 0xB8 for the whole byte):

DSCP   ECN
101110 00

If your networking equipment is sufficiently aware, this traffic will receive preferential treatment.

You can filter these values pretty easily using the ip.dsfield.dscp display filter — just right-click on the DSCP field in the packet like so:

Applying a DSCP display filter

What if you need to use DSCP in a capture filter?
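As an added example (not code from the Wireshark blog), the following Python script shows what the display filter is actually testing: it builds a few hand-constructed IPv4 headers, splits the DS byte into DSCP and ECN, and derives both the ip.dsfield.dscp display filter and an equivalent libpcap capture filter, which has no DSCP field and therefore has to mask the two ECN bits off byte 1. The helper names and the packet bytes are assumptions made for illustration.

```python
"""Decode the IPv4 DS byte into DSCP/ECN and derive the Wireshark filters for it.

Added example; not code from the Wireshark blog. The packet bytes below are
constructed by hand, and the helper names are assumptions for illustration.
"""
import struct

EF = 46  # Expedited Forwarding (RFC 3246), the class Asterisk marks voice with


def ds_byte(dscp, ecn=0):
    """Pack a 6-bit DSCP and a 2-bit ECN field into the IPv4 DS byte."""
    return ((dscp & 0x3F) << 2) | (ecn & 0x03)


def split_ds(value):
    """Inverse of ds_byte(): the DS byte -> (dscp, ecn)."""
    return value >> 2, value & 0x03


def ipv4_header(dscp, ecn=0, proto=17, src="10.0.0.1", dst="10.0.0.2"):
    """Build a minimal 20-byte IPv4 header (checksum left 0) so the DS byte sits
    at offset 1, where both Wireshark and BPF look for it. Constructed data."""
    def ip(addr):
        return bytes(int(o) for o in addr.split("."))
    return struct.pack("!BBHHHBBH4s4s",
                       0x45,                 # version 4, IHL 5
                       ds_byte(dscp, ecn),   # the DS byte
                       20, 0, 0,             # total length, id, flags/fragment
                       64, proto, 0,         # TTL, protocol, checksum (left 0)
                       ip(src), ip(dst))


def dscp_of(packet):
    """DSCP of a raw IPv4 packet, i.e. what ip.dsfield.dscp shows."""
    return split_ds(packet[1])[0]


def display_filter(dscp):
    """Wireshark display filter that matches a DSCP value."""
    return f"ip.dsfield.dscp == {dscp}"


def capture_filter(dscp):
    """Equivalent libpcap/BPF capture filter. Capture filters have no DSCP
    field, so mask off the two ECN bits of byte 1 and compare the rest."""
    return f"ip[1] & 0xfc == {ds_byte(dscp):#04x}"


def capture_filter_matches(packet, dscp):
    """Apply the same predicate the capture filter expresses, in Python."""
    return (packet[1] & 0xFC) == ds_byte(dscp)


# Three constructed packets: EF with ECN 00, EF with ECN ECT(1), and best effort.
PACKETS = [ipv4_header(EF), ipv4_header(EF, ecn=1), ipv4_header(0)]

if __name__ == "__main__":
    print(display_filter(EF), "|", capture_filter(EF))
    for pkt in PACKETS:
        print(f"DS byte 0x{pkt[1]:02x} -> DSCP {dscp_of(pkt)}, "
              f"EF? {capture_filter_matches(pkt, EF)}")
```

The mask matters: the second EF packet has ECN set to 01, so its DS byte is 0xB9 rather than 0xB8, and a naive ip[1] == 0xb8 capture filter would silently drop it while the display filter still matched.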

Missing Packets and Chimnies

Categories: Tip
You’ve just fired up Wireshark on your Windows Server 2003 or 2008 system and you’re not seeing nearly the amount of traffic you should. What’s happening?

The Windows Server 2003 Scalable Networking Pack introduced a feature called TCP Chimney Offload. Chimney offloading lets the OS networking stack hand off established TCP connections to the NIC for processing. This frees up the CPU, bus, and memory for other things and lets you scale up the number of connections you can handle. Hooray!

Once the OS hands a connection off to the NIC, that traffic completely bypasses WinPcap and therefore doesn’t show up in Wireshark. You see the TCP connection setup (the handshake is still done by the host stack) and non-TCP traffic, but no TCP data. Oops.

How do you fix the problem? It depends on your environment. You can disable chimney offloading as described in KB 912222 (Server 2003) or KB 951037 (Server 2008). If you have a gigabit NIC you can probably get away with leaving it disabled. If you have a 10 gig NIC this might affect your performance. You can also SPAN or tap in and capture on an external machine, assuming you’re sufficiently equipped.
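As an added example (not from the original post), these are the netsh commands for checking and turning off Chimney Offload from an elevated prompt; the Server 2003 form assumes the Scalable Networking Pack is installed, and neither is a substitute for reading the KB articles for your exact patch level:

```powershell
# Windows Server 2008: show the global TCP settings and look for
# "Chimney Offload State" (enabled/disabled/automatic)
netsh int tcp show global

# Disable Chimney Offload so established connections stay in the host
# stack, where WinPcap (and therefore Wireshark) can see them
netsh int tcp set global chimney=disabled

# Windows Server 2003 with the Scalable Networking Pack installed
netsh int ip set chimney DISABLED

# Put it back once the capture is done if your 10 GbE throughput suffers
netsh int tcp set global chimney=enabled
```

Confirm the change by re-running the show command, then restart the capture: connections that were already offloaded before the change were set up with the old policy, so a fresh connection is the reliable test.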