Tag Archives: capture

Running Wireshark as You

Running Wireshark on Linux involves an interesting challenge1: Capturing packets requires root access, but Wireshark is big program and we strongly recommend against running it with elevated privileges. On Linux it’s common to see Wireshark running as root, but this is nearly unheard for similarly-sized applications like Firefox and GIMP. How can we avoid running Wireshark as root? Continue reading

Capture Filters and Offsets

A couple of questions have come up on the wireshark-users mailing list recently about using capture filters for MPLS and VLANs. Each user was having the same problem yet these are different network technologies — what do they have to do with each other?

The answer is offsets.

Let’s take an up-close and personal look at the capture filter “ip src host”. We can do this by running tcpdump -d, which takes a filter, compiles it, and dumps out the result. The dump of our filter looks like this:

(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 5
(002) ld       [26]
(003) jeq      #0xa102030       jt 4    jf 5
(004) ret      #96
(005) ret      #0

If this makes no sense don’t worry. You just need to know that the first two lines look for the IP ethertype (0x800) starting at byte 12 and the next two lines look for the IP address (0xa102030) starting at byte 26. This is the minimum amount of checking required for that capture filter if you’re running IP over Ethernet.

What happens if you’re using 802.1q? Continue reading

Missing Packets and Chimnies

You’ve just fired up Wireshark on your Windows Server 2003 or 2008 system and you’re not seeing nearly the amount of traffic you should. What’s happening?

The Windows Server 2003 Scalable Networking Pack introduced a feature called TCP Chimney Offload. Chimney offloading lets the OS networking stack hand off established TCP connections to the NIC for processing. This frees up the CPU, bus, and memory for other things and lets you scale up the number of connections you can handle. Hooray! Once the OS hands a connection off to the NIC, that traffic completely bypasses WinPcap and therefore doesn’t show up in Wireshark. You see the TCP connection setup and non-TCP traffic but no TCP data. Oops.

How do you fix the problem? It depends on your environment.

You can disable chimney offloading as described in KB 91222 (Server 2003) or KB 951037 (Server 2008). If you have a gigabit NIC you can probably get away with leaving it disabled. If you have a 10 gig NIC this might affect your performance. You can also SPAN or tap in and capture on an external machine, assuming you’re sufficiently equipped.