Wireshark's a Killer App for Packet Hunting

By Brian Proffitt | Nov 9, 2010
http://www.enterprisenetworkingplanet.com/netsecur/article.php/3912336/Wiresharks--a-Killer-App-for-Packet-Hunting.htm

Network traffic analysis is often a painstaking and mind-numbing task. It's the kind of detective work that -- unless your brain is really wired for it -- can soak up a lot of time and energy looking for problems that might be affecting your network. With this in mind, it's important to have some really good tools on hand for those times you need to dive into the guts of your network.

One universally praised tool is Wireshark, a network packet analyzer that is at once an old tool and a new one. The explanation for this seeming contradiction lies in the origins of Wireshark as Ethereal in 1997. The journey to the first 1.0 release of Ethereal, which became Wireshark in 2006, took over ten years: Wireshark 1.0 came out in 2008.

Don't equate this long journey with any sense of incompleteness about this tool; Wireshark, like Ethereal before it, is largely considered the de facto tool for network analysis by most network and system admins.

The biggest advantage of Wireshark, thanks to its open source provenance, is the sheer number of networking protocols it can monitor: nearly 900 protocol types and rising. This makes Wireshark extremely versatile, since it can not only monitor common protocols like TCP/IP, but also oddball ones like Homeplug and Camel.

Installing Wireshark

Most Linux users will have Wireshark available as a package in their primary repositories, so installing it on a Linux distribution is easy. The Windows package also requires the WinPcap capture driver, though these days it is bundled with the Wireshark installer and you don't have to install it separately. OS X users can download and install the app from the Wireshark site as well.

We're usually well past the stage where we should have to list hardware requirements for installing an application, but this case is the exception: to get the best use from Wireshark, you will often have to install it on the machine that's reporting the problem. That means, depending on the age of your network, you could actually bump up against these requirements:

  • 400-MHz or more processor
  • 60 Mb of storage
  • A NIC with promiscuous mode

(Though honestly, if you have someone complaining of network lag from a machine with less than 400 MHz of horsepower under the hood, that may be the problem right there.)

More likely to be a speed bump is the storage issue (though again, not too likely), and having the right kind of network interface card. It needs to be in promiscuous mode so Wireshark can see all the network packets, not just the ones intended for the machine from which Wireshark is capturing information.

There are ways around even these limitations. If multiple users on a network are reporting the same issue, installing and running Wireshark from any machine in that network will give you the same results, so you can pick and choose the best machine to run Wireshark. If it's a single machine giving you fits, you can plug the problem machine into a network hub along with your analysis machine. This will let you monitor the traffic on the problem system as if Wireshark were installed on the system itself.

Once you get Wireshark up and running on the target machine, just click the Capture | Interfaces menu command to open the Capture Interfaces dialog box. There you should see all of the interfaces on the machine that Wireshark can track--even USB ports. If you don't see anything, you may not be running Wireshark with administrative privileges.

If you don't have that capability, you can stop what you're doing, since you shouldn't be monitoring packets on any system/network on which you don't have administrative rights. If you are running as an admin, and still don't see a proper interface, you may have just found the problem: you need to fix a hardware or driver issue on the machine.

Click Start to begin a live capture session, and let the capturing begin. If you want to define how long the capture session is, or what filters should be applied to the information, click the Options button first to set this up.

Reading the results

When the capture session is complete, Wireshark presents the information in a three-pane interface. The top pane is the packet list pane, which lists all of the packets in the capture session. Each packet is numbered and assigned a time based on when the session started. You will also see the source and destination of the packet, the protocol used, and any information Wireshark gleaned about the packet, such as port information.

Click on any packet in the packet list and you will see more information about it in the second pane, packet details. Here you can drill down into all of the information about the packet Wireshark collected.

The final pane at the bottom, known as the packet bytes pane, has all of the information found in the packet details pane, only in a completely raw format that most humans can't read. Still, sometimes deep analysis needs this data, so it's there if you want it.

What's nice about Wireshark is its user-friendly features, like the color-coding provided in the packet list. This may seem a trivial thing, but this sort of notation is very useful for spotting oddities in a capture session. The green-on-black color scheme for ICMP errors, for instance, clued me in to the various computers in Georgia and Russia that are port scanning my system (to no avail).

Whole books have been written about using Wireshark for network analysis (I recommend Sanders' Practical Packet Analysis as a very good guide to set up and strategy), so I'll defer to those for in-depth analysis. Important general strategies include:

  • Wireshark only captures packets. As cool as this tool is, it only monitors packets across the network, and as such is not a complete traffic analysis tool. Other tools like Iperf and monitoring apps like Nagios should be part of a complete, balanced toolkit.
  • Learn to filter. Wireshark will grab all the packet information it sees, but even a capture of a few minutes can produce a lot of data to parse. Apply filters to your capture sessions so you can weed out the "normal" traffic and see the unusual stuff faster.
  • Understand errors. The Internet (and your network) is not a perfect system, and errors creep in all of the time. Learn about the errors Wireshark will flag in its packet list and make an effort to discover which errors are "routine." It will save you a lot of stress in the long run.
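To make the packet list pane and the "learn to filter" advice concrete, here is an added example (my own illustration, not Wireshark's code) that parses a small pcap with nothing but the Python standard library, renders the same No./Time/Source/Destination/Protocol/Info columns the top pane shows, applies a rough analogue of a display filter, and flags the kind of SYN sweep that color-coded ICMP errors helped the author notice. The capture bytes, the addresses (from the documentation ranges) and the helper names are all constructed for this example.

```python
"""Parse a small pcap into a Wireshark-style packet list and apply simple filters.

Added illustration, not Wireshark's own code: it reimplements a sliver of what the
packet list pane and display filters do, using only the standard library. The pcap
bytes are constructed inline (addresses from documentation ranges) so it runs offline.
"""
import struct
from collections import defaultdict

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
FLAG_NAMES = [(0x02, "SYN"), (0x10, "ACK"), (0x08, "PSH"), (0x01, "FIN"), (0x04, "RST")]
ETH = b"\x00" * 12 + b"\x08\x00"  # constructed: zeroed MACs, EtherType IPv4


def ipv4(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left zero since nothing is transmitted."""
    def to_bytes(ip):
        return bytes(int(o) for o in ip.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       to_bytes(src), to_bytes(dst))


def tcp(sport, dport, flags):
    """20-byte TCP header (data offset 5, no options)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)


def frame(ts_sec, ts_usec, l3):
    """pcap record header (little-endian, microsecond timestamps) plus an Ethernet frame."""
    data = ETH + l3
    return struct.pack("<IIII", ts_sec, ts_usec, len(data), len(data)) + data


def build_sample_pcap():
    """Constructed capture: one normal exchange, one SYN sweep, one ICMP error reply."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header, Ethernet
    scanner, victim, peer = "203.0.113.7", "192.0.2.10", "192.0.2.20"
    out += frame(1000, 0, ipv4(peer, victim, 6, 20) + tcp(40000, 80, 0x18))    # PSH/ACK
    out += frame(1000, 500, ipv4(victim, peer, 6, 20) + tcp(80, 40000, 0x18))
    for i, port in enumerate((21, 22, 23, 25, 110, 143)):                        # SYN-only sweep
        out += frame(1001, i * 1000, ipv4(scanner, victim, 6, 20) + tcp(50000 + i, port, 0x02))
    icmp = struct.pack("!BBHI", 3, 3, 0, 0)                                     # port unreachable
    out += frame(1001, 7000, ipv4(victim, scanner, 1, len(icmp)) + icmp)
    return out


def parse_pcap(blob):
    """Return one dict per packet carrying the columns the packet list pane shows."""
    magic, = struct.unpack_from("<I", blob, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap is handled in this example")
    off, packets, first_ts = 24, [], None
    while off + 16 <= len(blob):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from("<IIII", blob, off)
        data = blob[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        ts = ts_sec + ts_usec / 1e6
        first_ts = ts if first_ts is None else first_ts   # Time column is relative to session start
        pkt = {"no": len(packets) + 1, "time": round(ts - first_ts, 6),
               "src": "?", "dst": "?", "protocol": "?", "info": "", "syn_only": False}
        if len(data) >= 34 and data[12:14] == b"\x08\x00":        # IPv4 over Ethernet
            ihl, proto = (data[14] & 0x0F) * 4, data[23]
            pkt["src"] = ".".join(str(b) for b in data[26:30])
            pkt["dst"] = ".".join(str(b) for b in data[30:34])
            pkt["protocol"] = PROTO_NAMES.get(proto, str(proto))
            l4 = data[14 + ihl:]
            if proto == 6 and len(l4) >= 20:
                sport, dport = struct.unpack_from("!HH", l4)
                flags = l4[13]
                pkt.update(sport=sport, dport=dport, syn_only=flags == 0x02,
                           info=f"{sport} > {dport} [{','.join(n for b, n in FLAG_NAMES if flags & b)}]")
            elif proto == 1 and len(l4) >= 8:
                pkt["info"] = f"type {l4[0]} code {l4[1]}"
        packets.append(pkt)
    return packets


def packet_list(packets):
    """Rows in the order of Wireshark's top pane: No., Time, Source, Destination, Protocol, Info."""
    return [f"{p['no']:>3} {p['time']:>9.6f} {p['src']:>15} {p['dst']:>15} {p['protocol']:<5} {p['info']}"
            for p in packets]


def display_filter(packets, protocol=None, src=None, dport=None):
    """Rough analogue of a display filter such as 'tcp && ip.src == 203.0.113.7'."""
    return [p for p in packets
            if (protocol is None or p["protocol"] == protocol)
            and (src is None or p["src"] == src)
            and (dport is None or p.get("dport") == dport)]


def port_scan_suspects(packets, min_ports=5):
    """Sources that sent SYN-only segments to at least min_ports distinct ports."""
    ports = defaultdict(set)
    for p in packets:
        if p["syn_only"]:
            ports[p["src"]].add(p["dport"])
    return {src: len(ps) for src, ps in ports.items() if len(ps) >= min_ports}


if __name__ == "__main__":
    pkts = parse_pcap(build_sample_pcap())
    print("\n".join(packet_list(pkts)))
    print("ICMP only:", [p["no"] for p in display_filter(pkts, protocol="ICMP")])
    print("Suspected scanners:", port_scan_suspects(pkts))
```

Running it prints nine rows; the ICMP filter isolates the single port-unreachable reply, and the scan check names the one source that hit six ports with bare SYNs. The real display-filter language is far richer (`tcp.flags.syn == 1 && tcp.flags.ack == 0`, `icmp.type == 3`), but the idea is the same: narrow the list until only the traffic you don't recognize is left.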

Wireshark may not be able to handle all of your network analysis needs, but it is probably the first tool you should turn to when starting any analytical task. The ease-of-use and sheer amount of data it can gather make it well worth learning.


Brian Proffitt is a Linux, Open Source, and technology expert who writes for a number of online publications. Formerly the Community Manager for Linux.com and the Linux Foundation, he is the author of 20 technical/consumer books, including the recent Take Your iPad to Work. Follow him on Twitter @TheTechScribe.