Tip #20: WLAN Retry Packets
When a WLAN ACK is not received, a retry will be triggered. Why would an ACK not be
received? Low signal strength, interference, noise... those might be some of the reasons. To
create a filter for all retried WLAN frames, expand the Flags field under the Frame Control section
of the 802.11 header. Right click on the Retry bit and select Apply as Filter > Selected. The
resulting filter should read wlan.fc.retry == 1.
Tip #19: Sorting Filters
At Open Source World I needled Gerald about this ability. You can't just click on the filters to sort
them. Sigh. So here's the trick I use. I open the filter file in a text editor, copy the text to Word and
then sort the list. You can locate your filter files by selecting Help > About > Folders - look for the
Personal Configuration information. To make things line up nicely, add spaces in front of your
display filter names - for example " TCP RST Packets" (notice the leading spaces within the
quotes - I don't add the leading spaces for titles when I group filters). If you ordered the
Wireshark Jumpstart Plus Bonus course, you received my pre-formatted, sorted filters.
Tip #18: Exporting IO Data for External Graphing
Recently, someone posed a question on Twitter: "How can we export the Wireshark bits per
second information so we can manipulate it in Excel or another spreadsheet program?" Easy!
Select Statistics > IO Graphs. Change the Y Axis to Bits/Tick and click the Copy button.
Wireshark copies the header as "interval start, graph 1" and the X, Y coordinates of the plot
points to the clipboard in comma-separated value format. Save the data in a CSV file to open in
another program. If you want to compare one user's traffic to all the traffic seen, apply an
ip.addr==x.x.x.x filter for Graph 2. Select the Graph 1 and Graph 2 columns from your CSV file to
plot the data. Now you can build your own graphic images of the traffic, add trend lines and apply
standard plotting functions to the data.
Tip #17: Subnet Filters
Wireshark understands CIDR (Classless Inter-Domain Routing) address definitions. If you want
to create a display filter for all devices whose network address starts with 10.3, use the syntax
ip.addr==10.3.0.0/16. The "16" indicates how many of the leading bits should be matched in
the address. Use CIDR definitions when filtering on a subnet.
Tip #16: DHCP Filters
At the current time, the display filter dhcp does not work. In order to filter on DHCP traffic
you need to use the syntax bootp. DHCP is derived from BOOTP and contains a BOOTP
header. This fouls up many Wireshark users who are new to creating display filters. Watch out.
Likewise, you cannot use "dhcp" as a capture filter - you need to create a capture filter for port
67 or port 68. In the recorded version of the Wireshark Jumpstart class, I added a Bonus
section that includes my favorite capture/display/color filters. One of my capture filters is a
passive discovery filter that looks for arp or port 67 or port 68.
Tip #15: Filtering for Illegal Ping Packets
Many network discovery tools and OS fingerprinting tools (such as Nmap, NetScanTools and
Xprobe) send out illegally formed ping packets (ICMP Echo Requests) that can be used to identify
the application in use. The display filter icmp.type==8 && !icmp.code==0 finds these
strange packets. This is covered in the Bonus materials added at the end of the recorded
Wireshark Jumpstart course that will be announced today at chappellseminars.com.
Tip #14: Merging Trace Files
So you've captured two (or more) trace files on different interfaces or from different hosts running
Wireshark. To merge these trace files together you can use the command-line tool Mergecap
(in the Wireshark program directory) or select File > Merge in Wireshark. By default, files will be
merged according to their timestamps. Use the -a parameter to concatenate them in the order
you list the files instead.
Tip #13: Sign of a Bot-Infected Host
When a host is bot-infected and planning on connecting via IRC to the C&C (Command and
Control) server, you might see a DNS query for that C&C server's name. Check out
sick-client.pcap - look at the DNS reply for bbjj.househot.com - notice the CNAME (canonical
name, or alias) entry in the DNS response field... and look at how many IP addresses are
associated with that name. Not the typical DNS response you'd expect, and a sign that the host
being located may be a malicious one... watch for this. Video: "Analyzing a Bot-Infected Host"
Tip #12: Wireshark's Status Bar
The Wireshark status bar is located below the main Wireshark working area. In Wireshark v1.2
we now have an Expert Info Composite button on the far left side - the color changes to indicate
the Expert level that has been detected (grey=no Expert Info; Red=Errors; Yellow=Warnings;
Light Blue=Notes). While capturing, the left side of the status bar indicates which adapter
Wireshark is capturing from, the file location and file name of the current capture, size of the file
and, after you stop the capture, the time elapsed. In the center of the status bar, Wireshark
displays the number of packets captured, displayed (useful if you have applied a display filter),
marked and packets dropped (a clear sign that Wireshark is not keeping up with traffic rates).
The right side of the status bar indicates the profile in use. You can adjust the size of the three
areas of the status bar for better viewing by clicking and dragging the column separator. Many
people leave the profile information at minimum size so they can see the entire directory/file
name of their capturing/captured trace.
Tip #11: "Fast Retransmissions"
What is the difference between a retransmission and a fast retransmission? If you've worked
with the Expert Info Composite window, you have likely seen both at times. Right now, fast
retransmissions are placed under the Warnings tab. Retransmissions are placed under the
Notes tab. Both are true retransmissions, but if the retransmission arrives within 20 ms of a
duplicate ACK it is defined as a "fast retransmission". Not all retransmissions are triggered by
duplicate ACKs however. Sometimes you'll see retransmissions that are triggered by a timeout
on the sender's side as it waits for an ACK for data sent. We treat both retransmissions and
fast retransmissions as a sign of packet loss.
Tip #10: New Time Column
In Tip 9 you learned how to change the time column to see large gaps between packets. But
what if you want to see both the default time setting and the delta time setting? Make sure the
current time column is set to View > Time Display Format > Seconds Since Beginning of
Capture. Next, in Wireshark v1.2, select Edit > Preferences > Columns > Add. Click on New
Column and give your column the name "Delta". (Click on the word "number" to the right or the
name will not stay - a bug). In the Properties area, click the arrow at the right of the Format field.
Select "Delta" and click OK. You might want to move this time column up next to the other time
column (in v1.2, just click and drag the column up). Now you always have both the Relative and
Delta time columns available.
Tip #9: Best Time Setting for Troubleshooting
When users complain about poor network performance, capture their traffic (from as close to
their systems as possible so you get round trip time values from their perspective). Set the
Time column value to show you from the end of one packet to the end of the next packet by
selecting View > Time Display Format > Seconds Since Previously Displayed Packet. Now you
can sort this column to see where there are large gaps in time in the trace file. Watch a demo
(MP4-4MB)
Tip #8: Tshark Interface Selection
Tshark is the command-line capture tool that comes with Wireshark (look in the Wireshark
program directory and consider adding this directory to your path so you can run Tshark from
your trace file directory). Type tshark -D (must be a capital "D") to view the interface list. If you
want to capture traffic on the third interface listed, you would use tshark -i 3 (the "i"
parameter indicates the interface number you want to capture on). Watch a demo (MP4-5MB).
POWER USER Tip #7: Terabyte Tshark Captures
Special thanks to John Bullock for this hot tip!
"Run tshark as a service with something like this in the registry - c:\program
files\wireshark\tshark.exe -i 3 -b filesize:100000 -b files:8800 -n
-w d:\pktcap\wan.cap. With terabyte drives so cheap, I decided to put a machine on the
uplink for each of our networks that keeps a rolling capture of the last 800G or so of traffic. So,
now when a security system barks at me, I can go find the packets and investigate."
Tip #6: Packet Loss Location
Wondering if the original TCP packet and the retransmission are both sitting in that slop of a
trace file? In the details pane of the TCP retransmission packet, expand the TCP header and
right click on the TCP Sequence Number field. Select Apply as Filter > Selected. The filter syntax
is tcp.seq == [number]. If you see both the original packet AND the retransmission, you are
upstream (closer to the sender) from the point of packet loss. If you only see the
retransmission, the original packet was already lost. The point of packet loss is downstream
(closer to the receiver) than where you are located.
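The 20 ms rule from Tip #11 and the tcp.seq count from Tip #6, written out as an added example over a constructed segment list (this is not code from the original tips, and it simplifies the rule to exactly what the tip states rather than reproducing Wireshark's full heuristic); classify_retransmissions, loss_location and TRACE are assumed names.

```python
FAST_RETRANS_WINDOW = 0.020   # 20 ms, the threshold quoted in the tip

def classify_retransmissions(segments):
    """segments: (time_s, direction, seq, ack, payload_len) in capture order,
    direction 'c2s' or 's2c'. Returns (index, label) per retransmitted data
    segment: 'fast retransmission' if a dup ACK for that seq from the other
    side preceded it by <= 20 ms, else 'retransmission' (timeout-driven)."""
    next_seq, last_ack, dup_ack_time, found = {}, {}, {}, []
    for i, (t, d, seq, ack, ln) in enumerate(segments):
        other = "s2c" if d == "c2s" else "c2s"
        if ln == 0 and last_ack.get(d) == ack:      # pure ACK repeating the last ack
            dup_ack_time[(d, ack)] = t
        last_ack[d] = ack
        if ln == 0:
            continue
        expected = next_seq.get(d, seq)
        if seq < expected:                           # data below what we already saw
            dup_t = dup_ack_time.get((other, seq))
            fast = dup_t is not None and t - dup_t <= FAST_RETRANS_WINDOW
            found.append((i, "fast retransmission" if fast else "retransmission"))
        next_seq[d] = max(expected, seq + ln)
    return found

def loss_location(segments, direction, seq):
    """Tip #6 check: count the data segments carrying this tcp.seq in one
    direction to tell which side of the loss the capture point sits on."""
    n = sum(1 for _, d, s, _, ln in segments if d == direction and s == seq and ln)
    if n >= 2:
        return "upstream of the loss (original and retransmission both captured)"
    if n == 1:
        return "downstream of the loss (only the retransmission captured)"
    return "sequence number not seen"

# Constructed trace: client sends 1000-byte segments; seq 1001 is lost past the
# capture point, the server dup-ACKs it, and the client resends it 6 ms later.
TRACE = [
    (0.000, "c2s", 1, 1, 1000),
    (0.001, "c2s", 1001, 1, 1000),
    (0.002, "c2s", 2001, 1, 1000),
    (0.010, "s2c", 1, 1001, 0),     # ACK 1001
    (0.012, "s2c", 1, 1001, 0),     # dup ACK
    (0.014, "s2c", 1, 1001, 0),     # dup ACK
    (0.020, "c2s", 1001, 1, 1000),  # fast retransmission
    (0.500, "c2s", 3001, 1, 1000),
    (1.500, "c2s", 3001, 1, 1000),  # no dup ACK: retransmission after timeout
]

if __name__ == "__main__":
    print(classify_retransmissions(TRACE))   # [(6, 'fast retransmission'), (8, 'retransmission')]
```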
Tip #5: Signatures
Always look at the payload of ICMP Echo Request (ping) packets to see if there is a signature
for the application sending the ICMP Echo Request. In pingsigs.pcap we see the
alphabet-only-up-to-w signature used by MS Windows hosts and, in packet 9, we see the
Sniffer ping tool signature - which is a nod to its creator, Cinco.
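The two ICMP checks above, Tip #15's icmp.type==8 && !icmp.code==0 filter and Tip #5's payload signature, as one added script over constructed packets (example code, not part of the original tips); SIGNATURES, build_icmp_frame, inspect_echo_request and triage are assumed names, and only the Windows alphabet payload is listed because the page does not give the Sniffer signature's bytes.

```python
import struct

# Windows ping.exe fills its 32-byte payload with the alphabet up to 'w', cycled
# (the signature described above); the Sniffer tool's bytes are not on the page.
SIGNATURES = {
    "MS Windows ping": b"abcdefghijklmnopqrstuvwabcdefghi",
}

def build_icmp_frame(icmp_type, icmp_code, payload):
    """Constructed test packet: minimal IPv4 header + ICMP echo header + payload.
    Checksums are left at zero; the inspection below does not verify them."""
    icmp = struct.pack("!BBHHH", icmp_type, icmp_code, 0, 0x1234, 1) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes([10, 3, 0, 5]), bytes([10, 3, 0, 1]))
    return ip + icmp

def inspect_echo_request(packet):
    """Apply both checks to one IPv4 packet: illegal echo request (type 8 with a
    non-zero code) and payload signature lookup. Non-echo-requests yield []."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:                      # IPv4 protocol number 1 = ICMP
        return []
    icmp_type, icmp_code = packet[ihl], packet[ihl + 1]
    if icmp_type != 8:
        return []
    findings = []
    if icmp_code != 0:
        findings.append(f"echo request with illegal code {icmp_code}")
    payload = packet[ihl + 8:]              # echo payload follows the 8-byte ICMP header
    for name, sig in SIGNATURES.items():
        if payload.startswith(sig):
            findings.append(f"payload signature: {name}")
            break
    else:
        findings.append(f"unknown payload signature: {payload[:16]!r}")
    return findings

def triage(packets):
    """Map packet index -> findings for every packet that has something to report."""
    return {i: f for i, p in enumerate(packets) if (f := inspect_echo_request(p))}

if __name__ == "__main__":
    trace = [                                # constructed sample trace
        build_icmp_frame(8, 0, SIGNATURES["MS Windows ping"]),  # ordinary Windows ping
        build_icmp_frame(8, 9, b"\x00" * 8),                     # illegal code, odd payload
        build_icmp_frame(0, 0, SIGNATURES["MS Windows ping"]),  # echo reply: not reported
    ]
    for index, findings in triage(trace).items():
        print(index, findings)
```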
Tip #4: Accelerator Key
Use Ctrl+down arrow when you have selected a packet in the detail pane and want to scroll
through several packets while keeping the focus in the detail pane.
Tip #3: File Sets
In the Capture Options window, save to multiple files. Just open one of the files and now use
File > File Set > List Files to quickly move between them.
Tip #2: Splitting Trace Files
To split a large trace file into multiple files, use editcap -c [number of packets per
file] <infile> <outfile>. For example, editcap -c 10000 fattrace.pcap
smaller.pcap will split fattrace.pcap into trace files containing 10,000 packets (or fewer on the
last trace of the set) with names starting with smaller.pcap. The file number is appended as
-00000, -00001, -00002, etc. after the .pcap extension.
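An added example (not editcap itself) that does the same split on a classic pcap file, writing every part with its own copy of the global header and the -00000, -00001 suffixes the tip describes; iter_records, split_pcap, make_pcap and demo are assumed names, the input trace is constructed, and pcapng files are rejected rather than handled.

```python
import struct, tempfile
from pathlib import Path

GLOBAL_HDR, PKT_HDR = 24, 16          # classic libpcap header sizes
LE_MAGIC, BE_MAGIC = b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4"

def iter_records(data):
    """Yield raw packet records (16-byte header + bytes) from classic pcap data."""
    magic = data[:4]
    if magic not in (LE_MAGIC, BE_MAGIC):
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    fmt, pos = ("<" if magic == LE_MAGIC else ">") + "I", GLOBAL_HDR
    while pos + PKT_HDR <= len(data):
        incl_len = struct.unpack(fmt, data[pos + 8:pos + 12])[0]   # captured length
        end = pos + PKT_HDR + incl_len
        if end > len(data):
            raise ValueError("truncated packet record")
        yield data[pos:end]
        pos = end

def split_pcap(infile, outfile, per_file):
    """Write files of at most per_file packets, named outfile-00000, -00001, ..."""
    data = Path(infile).read_bytes()
    header, written, batch = data[:GLOBAL_HDR], [], []   # every part gets the global header
    def flush():
        out = Path(f"{outfile}-{len(written):05d}")
        out.write_bytes(header + b"".join(batch))
        written.append(out)
        batch.clear()
    for record in iter_records(data):
        batch.append(record)
        if len(batch) == per_file:
            flush()
    if batch:                                  # last part holds the remainder
        flush()
    return written

def make_pcap(path, n):
    """Constructed test input: n little-endian records of 14 zero bytes each."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    recs = b"".join(struct.pack("<IIII", i, 0, 14, 14) + b"\0" * 14 for i in range(n))
    Path(path).write_bytes(hdr + recs)

def demo(n=25, per_file=10):
    """Split a constructed n-packet trace; return the packet count per output file."""
    with tempfile.TemporaryDirectory() as d:
        make_pcap(f"{d}/fattrace.pcap", n)
        outs = split_pcap(f"{d}/fattrace.pcap", f"{d}/smaller.pcap", per_file)
        return [sum(1 for _ in iter_records(p.read_bytes())) for p in outs]
```

Calling demo() returns [10, 10, 5]: the 25 constructed packets land in smaller.pcap-00000, -00001 and -00002.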
Tip #1: Capture Filter
Create a "Not Me" capture filter to ensure your own traffic isn't captured when analyzing other
devices' traffic. Use the syntax not ether host 00:21:97:40:74:d2 (substituting your own MAC
address, of course). Also consider making a "Just Me" capture filter to view only your traffic
when analyzing an application on your own system.
Tip #0: Free Wireshark Live Online Seminars
You like tips? Check online at www.chappellseminars.com to register for the free Wireshark
live online seminar.