• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 660
  • Last Modified:

Help analyzing Wireshark data

I am having some network issues and it was suggested that I run Wireshark.  It is running and flashing all over the place.  Can someone help me analyze what it's doing?  I'm quite lost.
0
hrolsons
Asked:
hrolsons
1 Solution
 
IanThCommented:
you have to filter the wireshark data to look for the specific protocol your investigating
0
 
hrolsonsAuthor Commented:
I selected my ethernet port and clicked Start.  Is that what you mean?
0
 
Darr247Commented:
Laura Chappell has a free 4-part Wireshark 101 tutorial series on her site at
https://www.lcuportal2.com/index.php?option=com_content&view=category&layout=blog&id=49&Itemid=75

Download the FLV files or watch them online there.
Note they're in reverse order in the file listing... I renamed them when downloading so they appear in the correct order when listed alphabetically.
e.g. Wireshark 101 FLV files
0
Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

 
hrolsonsAuthor Commented:
I watched the videos and I still don't understand where to start.  On youtube most of the vids are for hacking passwords, which I have no interest in.  I wan't to find out why one computer in the office loses the connection to another computer in the office.
0
 
QlemoBatchelor, Developer and EE Topic AdvisorCommented:
Then I recommend to set the capture filter to at least
   host x.x.x.x or host y.y.y.y
and restrict the captured packet size to e.g. 64 or 128 bytes. That should give you enough bytes to properly analyze header info without storing much of the payload. Further, you should store the capture in splitted files ("Use multiple files", "Next file every" [minutes or bytes], "Ring buffer with" [provide enough files to allow for analysis of several hours]).

Analyzing a sporadic communication interruption is nothing you do easy handed. I would look for resends first.
0
 
hrolsonsAuthor Commented:
So, I set ip.src == 192.168.1.7 and everything looked happy and green and white with a very rare red line.  I then set it to ip.src == 192.168.1.6 and it is filled with red and black lines.  I will attach a screenshot.Wireshark screen
0
 
QlemoBatchelor, Developer and EE Topic AdvisorCommented:
You know you only set the display filter, right? You are filtering what you see, not what is captured - which is ok if you wanted to do exactly that.
Don't care about that red stuff. You can see that the checksum is incorrect, which is quite common if the NIC drivers perform the calculation of checksums (called "offload").

If we subtract that, the capture does not show anything unusual.
0
 
hrolsonsAuthor Commented:
Yes, the lady in the video said to do display filters so that you can look deeper if you wish and the data will be there.
0
 
hrolsonsAuthor Commented:
There is definitely something going on because every now and then, like 5 times a day, I'll go to google.com and it says server not found.  So then I do a refresh and it's all good.  What should I look for in the feed for something like that?
0
 
QlemoBatchelor, Developer and EE Topic AdvisorCommented:
Good question. That could be
(a) DNS not resolving fast enough, so the DNS reply comes in after the browser gave up already
(b) A routing issue, so the HTTP request could not go out, or the reply not come back
(c) A timing issue, so the answer was received much too late
(d) IPv6 addresses might get preferred over IPv4, though you do not have any IPv6 route into the Internet. This will only apply if you have IPv6 bound to your NIC driver, which is the default with Vista and later.

I would start with a filter for DNS traffic (udp port 53) in addition to traffic to google.com (173.194.70.x/24). Note that DNS queries for google.com will return in 1 IPv6 and 6 IPv4 addresses usually.
0
 
hrolsonsAuthor Commented:
So I was capturing everything and it failed for amazon.com.  I immediately stopped the capture so I was hoping to see something at the end of the logs.  I set up a display filter of ip.proto == 17 but I'm not sure that is correct.

Can you help me write a display filter that might help to find what just happened?
0
 
QlemoBatchelor, Developer and EE Topic AdvisorCommented:
First filter should be for DNS - to see if the address has been resolved. If it has, next filter is for the resolved IP address (from and to). Have a look into the display filter samples configured with WireShark for the syntax.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now