Wireshark Tutorial Series. Tips and tricks used by insiders and veterans
For those of you who have attended Sharkfest in the past, you already know that protocol analysis is near and dear to my heart. It’s also a field where experience and art still matter. As great as Wireshark is as a tool, it still takes coaxing by an analyst to ferret out root cause. And as networks and applications become more complex, keeping up will be challenging.
But the one thing that I noticed over the years is that people rush to install sniffers without really thinking about it. It’s almost as if people expect sniffers to magically spit out the root cause, served on a silver platter! In reality, it takes fair amount of protocol and application knowledge to truly bring a tool like Wireshark to bear.
I started posting to this blog so that I can help budding protocol analysts and perhaps show interesting tricks-of-the-trade to veteran users. To become good in this field, it takes a fair amount of practice. It takes practice to know how to capture the right data, where to capture the data, what filters to use, and how to interpret the data.
Sharkfest ’12 Recap
Categories:
Announcement
The fifth annual Sharkfest wrapped up a couple of days ago. You are no doubt feeling terrible if you missed it. Don’t despair, you can find a retrospective at the Sharkfest web site. The events team tried to make sure each session was recorded so we should have videos to go along with the slides soon.
As usual I wanted to attend more presentations than physics allowed but unfortunately missed some, so I’m waiting for the retrospective videos along with everyone else. (Hansang Bae observed that this is one of the few conferences where presenters attend other sessions.) Here are some quick notes about the sessions I was able to attend:
Monday’s keynote was delivered by Cliff Stoll. He kept insisting that he didn’t have much to say while simultaneously delivering an informative and entertaining talk.
Steve Riley provided a lot of insights into cloud computing: how it’s changing computing and how it can best be utilized.
Loris Degioanni (aka my boss) gave a great presentation on the new platform API that some people have been working on here at Riverbed.
Wireshark and Pcap-ng
When Wireshark 1.8.0 is released in the next few months it will introduce two major features: the ability to capture from multiple interfaces at once and the ability to annotate packets. These features have been on the wishlist for years and they will make Wireshark much more useful. They both share dependency on pcap-ng.
Packet comment example Pcap-ng is Wireshark’s new default file format. It is more complex than its predecessor (pcap) but it’s also more flexible. Along with multiple interface types and annotations you can store host information, extended interface information, and much more. Wireshark has had basic support for pcap-ng for several years now and 1.8.0 will bring it to the forefront.
But there’s a catch. Suppose you sit down at a computer with Wireshark 1.7 or 1.8 installed. What file format will Wireshark use by default? Unfortunately the answer is “It depends.” If this is a fresh install of Wireshark on a new computer you’ll get pcap-ng files. If this is an upgrade from 1.6 or below you’ll get pcap files. If the preferences were changed or copied from another machine the default format will be affected as well.
Recent Posts
- Those Aren't Packets: How Stratoshark Brings the Power of Wireshark to the Cloud
- What’s New In Wireshark 4.4?
- From Network Packets to Log Data: How Logray built upon Falco’s foundation
- The evolution of system introspection from BPF to Wireshark to Falco
- Wireshark Is 25: The email that started it all and the lessons learned along the way