Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Help analyzing Wireshark data

Posted on 2012-12-28
12
Medium Priority
?
653 Views
Last Modified: 2013-01-28
I am having some network issues and it was suggested that I run Wireshark.  It is running and flashing all over the place.  Can someone help me analyze what it's doing?  I'm quite lost.
0
Comment
Question by:hrolsons
12 Comments
 
LVL 30

Expert Comment

by:IanTh
ID: 38727926
you have to filter the wireshark data to look for the specific protocol your investigating
0
 

Author Comment

by:hrolsons
ID: 38727967
I selected my ethernet port and clicked Start.  Is that what you mean?
0
 
LVL 44

Expert Comment

by:Darr247
ID: 38728290
Laura Chappell has a free 4-part Wireshark 101 tutorial series on her site at
https://www.lcuportal2.com/index.php?option=com_content&view=category&layout=blog&id=49&Itemid=75

Download the FLV files or watch them online there.
Note they're in reverse order in the file listing... I renamed them when downloading so they appear in the correct order when listed alphabetically.
e.g. Wireshark 101 FLV files
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 

Author Comment

by:hrolsons
ID: 38738270
I watched the videos and I still don't understand where to start.  On youtube most of the vids are for hacking passwords, which I have no interest in.  I wan't to find out why one computer in the office loses the connection to another computer in the office.
0
 
LVL 72

Accepted Solution

by:
Qlemo earned 2000 total points
ID: 38738317
Then I recommend to set the capture filter to at least
   host x.x.x.x or host y.y.y.y
and restrict the captured packet size to e.g. 64 or 128 bytes. That should give you enough bytes to properly analyze header info without storing much of the payload. Further, you should store the capture in splitted files ("Use multiple files", "Next file every" [minutes or bytes], "Ring buffer with" [provide enough files to allow for analysis of several hours]).

Analyzing a sporadic communication interruption is nothing you do easy handed. I would look for resends first.
0
 

Author Comment

by:hrolsons
ID: 38741175
So, I set ip.src == 192.168.1.7 and everything looked happy and green and white with a very rare red line.  I then set it to ip.src == 192.168.1.6 and it is filled with red and black lines.  I will attach a screenshot.Wireshark screen
0
 
LVL 72

Expert Comment

by:Qlemo
ID: 38741233
You know you only set the display filter, right? You are filtering what you see, not what is captured - which is ok if you wanted to do exactly that.
Don't care about that red stuff. You can see that the checksum is incorrect, which is quite common if the NIC drivers perform the calculation of checksums (called "offload").

If we subtract that, the capture does not show anything unusual.
0
 

Author Comment

by:hrolsons
ID: 38741259
Yes, the lady in the video said to do display filters so that you can look deeper if you wish and the data will be there.
0
 

Author Comment

by:hrolsons
ID: 38741607
There is definitely something going on because every now and then, like 5 times a day, I'll go to google.com and it says server not found.  So then I do a refresh and it's all good.  What should I look for in the feed for something like that?
0
 
LVL 72

Expert Comment

by:Qlemo
ID: 38742244
Good question. That could be
(a) DNS not resolving fast enough, so the DNS reply comes in after the browser gave up already
(b) A routing issue, so the HTTP request could not go out, or the reply not come back
(c) A timing issue, so the answer was received much too late
(d) IPv6 addresses might get preferred over IPv4, though you do not have any IPv6 route into the Internet. This will only apply if you have IPv6 bound to your NIC driver, which is the default with Vista and later.

I would start with a filter for DNS traffic (udp port 53) in addition to traffic to google.com (173.194.70.x/24). Note that DNS queries for google.com will return in 1 IPv6 and 6 IPv4 addresses usually.
0
 

Author Comment

by:hrolsons
ID: 38744778
So I was capturing everything and it failed for amazon.com.  I immediately stopped the capture so I was hoping to see something at the end of the logs.  I set up a display filter of ip.proto == 17 but I'm not sure that is correct.

Can you help me write a display filter that might help to find what just happened?
0
 
LVL 72

Expert Comment

by:Qlemo
ID: 38772813
First filter should be for DNS - to see if the address has been resolved. If it has, next filter is for the resolved IP address (from and to). Have a look into the display filter samples configured with WireShark for the syntax.
0

Featured Post

Fill in the form and get your FREE NFR key NOW!

Veeam is happy to provide a FREE NFR server license to certified engineers, trainers, and bloggers.  It allows for the non‑production use of Veeam Agent for Microsoft Windows. This license is valid for five workstations and two servers.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Measuring Server's processing rate with a simple powershell command. The differences in processing rate also was recorded in different use-cases, when a server in free and busy states.
In this article, the configuration steps in Zabbix to monitor devices via SNMP will be discussed with some real examples on Cisco Router/Switch, Catalyst Switch, NAS Synology device.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…

580 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question