Protocol Analysis Institute, Inc. All rights reserved.
Tip #40: Access Protocol Preferences FAST
There are lots of protocol preferences you may want to change. Consider these:

TCP: Relative Sequence Numbers and Window Scaling (on/off)
TCP: Track Number of Bytes in Flight
IP: Reassemble Fragmented IP Datagrams (on/off)
HTTP: TCP Ports

You don't need to click the Preferences button or even go through Edit | Preferences to view and change
these settings quickly. In the Packet Detail window, simply right-click the protocol or application
layer you are interested in and highlight Protocol Preferences. The list of available settings
appears!

Tip #39: Colorize WLAN Retries
Besides TCP retransmissions, you need to look for issues in the WLAN environment that
cause retries. To find out if any of your WLAN traffic is a retry, create a color filter for all traffic that
matches the wlan.fc.retry == 1 filter.

Tip #38: Watch the Wireshark Waterfall
If you are interested in knowing how the Wireshark development process is running you can
watch the Waterfall view of the development process. Visit
http://buildbot.wireshark.org/trunk/waterfall. You'll see the 6 slaves working away making new
development versions of Wireshark. The color-coding indicates if the build was successful
(green), failed (red), has warnings (orange) or is in progress (yellow). At the time I'm writing
this, the second slave (which is building the Windows-7-x64 version of Wireshark) was lost so
the build failed. This is cool to watch.

Tip #37: Test Your Adapter
One of the videos over at "Coffee and a Quickie" focuses on testing your adapter before
capturing. Of particular interest is the issue of WLAN cards that can't go into promiscuous
mode - if you get an error indicating the adapter can't run in promiscuous mode, disable
promiscuous mode in the Capture Options window. You can only analyze traffic to/from your
host or broadcast/multicast addresses, but at least it's something!

Tip #36: Download Pre-Made Profiles
At www.wiresharkbook.com you can download a set of pre-made profiles and numerous trace
files. These files accompany the new Wireshark Network Analysis book, which is now becoming
widely available on Amazon (you can also get it here). The book website also includes a
"Coffee and a Quickie" section with six short videos to walk you through adapter testing,
catching the first set of packets, and now - setting up profiles using predefined elements.
Watch the video for step-by-step instructions on using a pre-made coloring rule set in your own
profiles.

Tip #35: Color Your WLAN Traffic
In the "Introduction to WLAN Analysis" chapter of Wireshark Network Analysis, I introduced one
of my favorite filter sets - for WLAN traffic - filtering based on the frequency of WLAN traffic. For
example, here are six coloring filter examples:
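The six filters themselves were shown as images on the original page. As an added example that comes neither from the book nor from the page, the following Python script generates coloring rules of this kind for any list of channels and prints them in the format Wireshark's colorfilters file uses. It assumes the capture carries a Radiotap header, so the channel frequency is exposed as radiotap.channel.freq (the field name and the colour palette are my choices, not the author's), and it extends the idea to the 5 GHz band.

```python
"""Generate Wireshark colorfilters rules that colour 802.11 frames by channel frequency.

Added example, not from the original page. Assumptions: the capture has a Radiotap
header (AirPcap, Linux monitor mode), so the frequency is in radiotap.channel.freq;
the output follows the colorfilters file format @name@filter@[bg r,g,b][fg r,g,b]
with 16-bit colour components, where a leading '!' disables a rule.
"""


def channel_to_freq_mhz(channel: int) -> int:
    """Map an 802.11 channel number to its centre frequency in MHz.

    2.4 GHz: channels 1-13 are at 2407 + 5*ch MHz; channel 14 is the odd one at 2484 MHz.
    5 GHz (U-NII): channels 36-165 are at 5000 + 5*ch MHz.
    """
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    if channel == 14:
        return 2484
    if 36 <= channel <= 165:
        return 5000 + 5 * channel
    raise ValueError(f"unsupported channel: {channel}")


# Background colours, 16-bit per component as the colorfilters file expects (my palette).
PALETTE = [
    (65535, 56797, 56797),  # light red
    (56797, 65535, 56797),  # light green
    (56797, 56797, 65535),  # light blue
    (65535, 65535, 48059),  # light yellow
    (65535, 52428, 65535),  # light magenta
    (52428, 65535, 65535),  # light cyan
]
BLACK = (0, 0, 0)


def _rgb(colour):
    return "[" + ",".join(str(component) for component in colour) + "]"


def colorfilter_line(name, display_filter, bg, fg=BLACK, enabled=True):
    """Format one rule the way Wireshark's colorfilters file stores it."""
    prefix = "" if enabled else "!"
    return f"{prefix}@{name}@{display_filter}@{_rgb(bg)}{_rgb(fg)}"


def wlan_channel_colorfilters(channels, field="radiotap.channel.freq"):
    """Build one coloring rule per channel, cycling through the palette."""
    lines = []
    for index, channel in enumerate(channels):
        freq = channel_to_freq_mhz(channel)
        lines.append(colorfilter_line(
            f"WLAN ch {channel} ({freq} MHz)",
            f"{field} == {freq}",
            PALETTE[index % len(PALETTE)],
        ))
    return lines


if __name__ == "__main__":
    # Six rules: the three non-overlapping 2.4 GHz channels plus three common 5 GHz ones.
    for line in wlan_channel_colorfilters([1, 6, 11, 36, 40, 44]):
        print(line)
```

Append the printed lines to the colorfilters file in the profile directory (or paste the filter strings into View > Coloring Rules). Rules are matched top-down with the first match winning, so keep the channel rules above broad ones such as a plain wlan rule.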

Tip #34: Running Multiple Versions of Wireshark
During last week's online training course, I had two versions of Wireshark running
side-by-side. On the left was the 1.2.6 release version and on the right was the 1.3.3
development version. This allowed me to demonstrate numerous features that have changed
and will be coming with version 1.4. To install multiple versions of Wireshark, go through the
standard installation process on the second version, but make sure you place it in a
different directory. You don't need to reinstall any interface drivers (unless they are out of date).

Tip #33: Change Those Defaults!
When I look at someone's Wireshark configurations, I always recommend they change the
default settings for both the "Filter display max list entries" and "Open Recent max list entries"
in Edit | Preferences | User Interface. Why only see the last 10 items when you can easily view
the last 30 items? I'm always re-opening trace files and accessing previously created display
filters that I didn't save. Make this change today and work more efficiently!

Tip #32: Compare Traffic in a Single Summary Window
You can compare one conversation to another in a single summary. Open a trace with multiple
conversations in it. Filter on one conversation and select Edit | Mark all packets. Clear your filter.
Now filter on another conversation. Now select Statistics | Summary and you should see three
columns - all traffic, the marked traffic (conversation #1) and filtered traffic (conversation #2).

Tip #31: Graph Ugly Traffic - Fast!
One of my favorite filters is tcp.analysis.flags. All those ugly TCP problems (retransmissions,
duplicate ACKs, lost packets, etc.) jump out at you. Did you know you could plot these
instances in an IO graph? It's simple - just start a capture and open Statistics | IO Graphs and
enter tcp.analysis.flags in the filter area for the red graph. I recommend you try the Fbar format
for this item. You'll end up with a nice graph showing when TCP issues rise and fall on the
network.

Tip #30: Set up GeoIP to Map IP Addresses
Before you can take advantage of this feature, you need to ensure your version of Wireshark
supports GeoIP (Help > About Wireshark - do you see "with GeoIP"?). The GeoIP database
files are free from MaxMind (www.maxmind.com/app/ip-location - grab the Free/Open Source
files). Point to the MaxMind files in Preferences > Name Resolution > GeoIP database
directories. Want to watch a video of the setup and use of GeoIP? Check this out!

Tip #29: Keeping up with Wireshark
At 5:34pm PST, the Tweet screamed "Wireshark 1.2.4 is out. Enjoy." Another update so fast?
Yup. Two ugly bugs are fixed in this rev - 4120: Can't save RTP streams in both directions, and
4155: Wireshark could crash on startup on Windows. How do you keep up with releases?
Follow geraldcombs on Twitter or subscribe to the Wireshark Announcements list at
www.wireshark.org/lists/.

Tip #28: Gerald's Launch Tips
The Wireshark website was revised recently - you can catch Gerald Combs' video on Custom
Wireshark Shortcuts here. Also note that typing wireshark -h at the command line lists other
available options for quick launch.

Tip #27: File Sets and Editcap - Yeah Baby!
Creating and using file sets allows you to capture large amounts of traffic and move
quickly from one portion to another (set this up in the Capture Options). In previous versions of
Wireshark you could use editcap to split a large trace into multiple smaller trace files using the
-c parameter, but the new files were not part of a file set - they had to be opened and treated
as separate files. Now, using editcap v1.2.3, you can split a file into multiple files
that can be opened as a file set (File > File Set) - VERY NICE!

Tip #26: Wireshark on Windows 7
On October 26th, Wireshark v1.2.3 was released. Although this version includes numerous bug
fixes, the big change is support for Windows 7 with the updated WinPcap version 4.1.1,
which was released separately at www.winpcap.org on October 20th (the previous version of
WinPcap, version 4.1, came out on October 19th but had some installer bugs that were fixed in
the next-day release, version 4.1.1). This version of Wireshark+WinPcap also supports Vista,
Server 2008, and Server 2008 R2. Get the latest version at www.wireshark.org/download.

Tip #25: WLAN Decryption Modes
When decrypting WLAN traffic using an AirPcap adapter with Wireshark, define the Decryption
Mode as Wireshark, not Driver. In Driver mode you can only decrypt WEP traffic (with the
decryption keys defined). In Wireshark mode you can decrypt WEP, WPA-PWD and WPA-PSK.
WPA-PWD mode uses the password and the SSID to create a raw pre-shared key
(WPA-PSK). In WPA-PSK mode, the key is parsed as a raw pre-shared key - you can create
your own raw key using Wireshark's WPA PSK Generator at www.wireshark.org/tools/wpa-psk.
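As an added example, not from the original page or from Wireshark's code, here is the derivation that WPA-PWD mode (and the WPA PSK Generator) performs: IEEE 802.11i defines the PSK as PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 iterations, 256-bit output. The wpa-pwd:passphrase:ssid and wpa-psk:hex key-string formats are assumed here to match Wireshark's IEEE 802.11 decryption-key preference; the passphrase/SSID pair used below is the published 802.11i test vector.

```python
"""Derive the raw WPA/WPA2 pre-shared key that WPA-PWD mode computes from a passphrase and SSID.

Added example, not Wireshark's own code. IEEE 802.11i: PSK = PBKDF2-HMAC-SHA1(passphrase,
salt=SSID, 4096 iterations, 32 bytes). The "wpa-pwd:..." and "wpa-psk:..." strings are
assumed to be the key-entry format of Wireshark's IEEE 802.11 decryption-key preference.
"""
import hashlib


def wpa_psk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """Return the 32-byte PSK. WPA passphrases must be 8 to 63 ASCII characters."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("ascii"),
        ssid.encode("utf-8"),  # the raw SSID bytes are the salt
        4096,
        dklen=32,
    )


def wireshark_key_entries(passphrase: str, ssid: str) -> dict:
    """Two equivalent key entries: the one WPA-PWD mode takes and the one WPA-PSK mode takes."""
    psk_hex = wpa_psk_from_passphrase(passphrase, ssid).hex()
    return {
        "wpa-pwd": f"wpa-pwd:{passphrase}:{ssid}",
        "wpa-psk": f"wpa-psk:{psk_hex}",
    }


if __name__ == "__main__":
    # "password" / "IEEE" is the IEEE 802.11i Annex test vector, so the output can be checked.
    for mode, entry in wireshark_key_entries("password", "IEEE").items():
        print(f"{mode}: {entry}")
```

Because the derivation is deterministic and public, a raw PSK is exactly as sensitive as the passphrase it came from: a trace file plus a profile containing either one lets anyone decrypt that WLAN's traffic, so keep decryption keys in a dedicated profile that is not shared along with your trace files.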

Tip #24: Removing Duplicate Packets
Use editcap to remove duplicate packets in a trace file. There are three parameters for
duplicate removal. For example, if your trace file is called dupes.pcap, run the command
editcap -d dupes.pcap nodupes.pcap. The -d parameter uses a duplicate window size of 5,
which means editcap compares the MD5 hash of each packet to the 4 packets preceding
it. You can increase the window size using -D #, where # indicates the number of preceding
packets to check against each packet. You can also use the -w parameter to specify a window in
time (seconds).
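The windowed comparison described above, modelled in Python as an added example (this is not editcap's code; the minimal pcap reader/writer and the sample frames are constructed here so the script runs offline). It shows why the window size matters: a frame repeated five packets after its previous copy slips past the default window of 4 preceding packets but is caught with -D 5.

```python
"""Model of editcap's duplicate-packet removal (-d / -D #): drop a packet whose MD5 hash
matches any of the N packets immediately preceding it.

Added example, not editcap's code. The pcap reader/writer is a minimal pure-Python
one for the classic little-endian libpcap format, included only to keep the demo self-contained.
"""
import hashlib
import struct
from collections import deque

PCAP_GLOBAL = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
PCAP_RECORD = struct.Struct("<IIII")     # ts_sec, ts_usec, incl_len, orig_len
LINKTYPE_ETHERNET = 1


def write_pcap(records) -> bytes:
    """records: iterable of (timestamp_seconds, frame_bytes) -> bytes of a pcap file."""
    out = [PCAP_GLOBAL.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out.append(PCAP_RECORD.pack(sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def read_pcap(data: bytes):
    """bytes of a pcap file -> list of (timestamp_seconds, frame_bytes)."""
    if struct.unpack_from("<I", data)[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap is handled here")
    records, offset = [], PCAP_GLOBAL.size
    while offset < len(data):
        sec, usec, incl_len, _orig_len = PCAP_RECORD.unpack_from(data, offset)
        offset += PCAP_RECORD.size
        records.append((sec + usec / 1_000_000, data[offset:offset + incl_len]))
        offset += incl_len
    return records


def remove_duplicates(records, preceding: int = 4):
    """Keep a record unless its MD5 matches one of the `preceding` packets before it.

    editcap -d uses a window of 5, i.e. 4 preceding packets; -D # sets # directly.
    As in editcap, packets that were themselves dropped still count as "preceding".
    """
    window = deque(maxlen=preceding)
    kept = []
    for ts, frame in records:
        digest = hashlib.md5(frame).digest()
        if digest not in window:
            kept.append((ts, frame))
        window.append(digest)
    return kept


def frame(payload: bytes) -> bytes:
    """Constructed Ethernet-style frame: dst MAC, src MAC, EtherType IPv4, then a payload."""
    return bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00" + payload


# Constructed sample: "A" recurs two packets after its first copy and again five packets later.
SAMPLE = [
    (1.000, frame(b"A")), (1.001, frame(b"B")), (1.002, frame(b"A")),
    (1.003, frame(b"C")), (1.004, frame(b"D")), (1.005, frame(b"E")),
    (1.006, frame(b"F")), (1.007, frame(b"A")),
]


def dedup_count(preceding: int = 4) -> int:
    """Write the sample to pcap bytes, read it back, dedupe, and return the packets kept."""
    return len(remove_duplicates(read_pcap(write_pcap(SAMPLE)), preceding))


if __name__ == "__main__":
    for window in (1, 4, 5):
        print(f"{window} preceding packet(s): {dedup_count(window)} of {len(SAMPLE)} kept")
```

Note the defender's caveat this makes visible: windowed dedup only catches repeats that are close together, so traffic captured twice on a SPAN session that merges two VLANs is usually caught, while a genuine TCP retransmission with identical bytes is also dropped if it falls inside the window, which changes what tcp.analysis.flags will later report.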

Tip #23: Link Aggregation
Got a server with two NICs and need to tap in to capture traffic on both interfaces? In this case
you might be interested in a link aggregator. A link aggregator allows you to connect multiple
links into the tap - this is a different technology than "aggregating tap" technology. Aggregating
tap technology combines full-duplex traffic into a single outbound stream so you can listen in
with one device.

Tip #22: Finding RTP
If you are analyzing VoIP communications and you pick up only RTP (Realtime Transport
Protocol) traffic, but not the SIP traffic that set up the call, Wireshark may just dump you at UDP
and not apply the RTP dissector to the traffic. No worries. Just right-click on one of those UDP
packets and select Decode As. Under the Transport tab you will see the ports in use by the
RTP communications. To the right, scroll down to select RTP and click OK.
See www.chappellseminars.com this week for more information on VoIP analysis and the
Summit 09 event. UPDATE BY BILL DEWEESE: Another option is to enable the RTP preference
"Try to decode RTP outside of conversations"!

Tip #21: Use Wireshark Expressions
If you want to build a filter, but you don't know the field name and have no packet to use as an
example, click on the Expression button (to the right of the Display Filter area). In the
Expression window you can expand protocols and applications to build filters using relations
such as "is present", ==, !=, "contains" or "matches."
Wireshark Weekly Tips