Solved

Help analyzing Wireshark data

Posted on 2012-12-28
12
649 Views
Last Modified: 2013-01-28
I am having some network issues and it was suggested that I run Wireshark.  It is running and flashing all over the place.  Can someone help me analyze what it's doing?  I'm quite lost.
0
Comment
Question by:hrolsons
12 Comments
 
LVL 30

Expert Comment

by:IanTh
ID: 38727926
you have to filter the wireshark data to look for the specific protocol you're investigating
0
 

Author Comment

by:hrolsons
ID: 38727967
I selected my ethernet port and clicked Start.  Is that what you mean?
0
 
LVL 44

Expert Comment

by:Darr247
ID: 38728290
Laura Chappell has a free 4-part Wireshark 101 tutorial series on her site at
https://www.lcuportal2.com/index.php?option=com_content&view=category&layout=blog&id=49&Itemid=75

Download the FLV files or watch them online there.
Note they're in reverse order in the file listing... I renamed them when downloading so they appear in the correct order when listed alphabetically.
e.g. Wireshark 101 FLV files
0
 

Author Comment

by:hrolsons
ID: 38738270
I watched the videos and I still don't understand where to start.  On YouTube most of the vids are for hacking passwords, which I have no interest in.  I want to find out why one computer in the office loses the connection to another computer in the office.
0
 
LVL 70

Accepted Solution

by:
Qlemo earned 500 total points
ID: 38738317
Then I recommend setting the capture filter to at least
   host x.x.x.x or host y.y.y.y
and restrict the captured packet size to e.g. 64 or 128 bytes. That should give you enough bytes to properly analyze header info without storing much of the payload. Further, you should store the capture in split files ("Use multiple files", "Next file every" [minutes or bytes], "Ring buffer with" [provide enough files to allow for analysis of several hours]).

Analyzing a sporadic communication interruption is not something you do easily. I would look for resends first.
0
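The capture setup described in the accepted solution (a two-host capture filter, a short snaplen, and a ring buffer of files) maps directly onto dumpcap, the capture tool that ships with Wireshark. The following is an added example, not code from the thread: it validates the two addresses, builds the BPF filter `host x.x.x.x or host y.y.y.y`, and assembles the dumpcap command line. The dumpcap flags used (`-i`, `-f`, `-s`, `-w`, `-b filesize:`, `-b files:`, `-b duration:`) are dumpcap's documented ones; the interface name, file sizes, output name and the helper function names are assumptions chosen for the illustration.

```python
"""Build the dumpcap command that implements the capture advice above.

Added example (not from the original thread). Assumed values: interface
name, file size, file count and output file name are placeholders.
"""
import ipaddress
import shutil
import subprocess
from typing import List, Optional


def capture_filter(hosts: List[str]) -> str:
    """Return a BPF capture filter 'host A or host B', validating each address.

    A capture filter (unlike a display filter) limits what is written to disk,
    which is what the accepted solution recommends.
    """
    if not hosts:
        raise ValueError("at least one host address is required")
    for h in hosts:
        ipaddress.ip_address(h)  # raises ValueError on a malformed address
    return " or ".join(f"host {h}" for h in hosts)


def capture_argv(
    iface: str,
    hosts: List[str],
    snaplen: int = 128,          # bytes per packet kept: headers, little payload
    file_kb: int = 10_000,       # "Next file every" N kilobytes
    files: int = 48,             # "Ring buffer with" N files
    every_minutes: Optional[int] = None,  # optional "Next file every" N minutes
    out: str = "office-pair.pcapng",      # placeholder output name
) -> List[str]:
    """Assemble the dumpcap argument vector for a long-running ring-buffer capture."""
    if snaplen <= 0:
        raise ValueError("snaplen must be positive")
    if file_kb <= 0 or files <= 0:
        raise ValueError("ring buffer size and file count must be positive")
    argv = [
        "dumpcap",
        "-i", iface,
        "-f", capture_filter(hosts),
        "-s", str(snaplen),
        "-b", f"filesize:{file_kb}",
        "-b", f"files:{files}",
    ]
    if every_minutes is not None:
        argv += ["-b", f"duration:{every_minutes * 60}"]
    argv += ["-w", out]
    return argv


# Display filters to apply afterwards when opening the files; Wireshark's own
# field names. "tcp.analysis.retransmission" is the quickest way to act on
# the "look for resends first" advice.
def display_filter_pair(a: str, b: str) -> str:
    """Display filter restricting the view to traffic between the two hosts."""
    ipaddress.ip_address(a)
    ipaddress.ip_address(b)
    return f"ip.addr == {a} && ip.addr == {b}"


RETRANSMISSION_FILTER = "tcp.analysis.retransmission"


def run_capture(argv: List[str]) -> int:
    """Run dumpcap (requires capture privileges); returns its exit status."""
    if shutil.which(argv[0]) is None:
        raise FileNotFoundError("dumpcap not found; install Wireshark first")
    return subprocess.run(argv, check=False).returncode


if __name__ == "__main__":
    # Addresses taken from the thread; interface name is a placeholder.
    cmd = capture_argv("eth0", ["192.168.1.6", "192.168.1.7"], every_minutes=30)
    print(" ".join(cmd))
    print("display filter:", display_filter_pair("192.168.1.6", "192.168.1.7"))
    print("then apply:", RETRANSMISSION_FILTER)
```

Run the script to print the command first; start the capture only once the printed filter and ring-buffer settings look right, because the files keep rotating until dumpcap is stopped.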
 

Author Comment

by:hrolsons
ID: 38741175
So, I set ip.src == 192.168.1.7 and everything looked happy and green and white with a very rare red line.  I then set it to ip.src == 192.168.1.6 and it is filled with red and black lines.  I will attach a screenshot.
[Attachment: Wireshark screen]
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 38741233
You know you only set the display filter, right? You are filtering what you see, not what is captured - which is ok if you wanted to do exactly that.
Don't care about that red stuff. You can see that the checksum is incorrect, which is quite common if the NIC drivers perform the calculation of checksums (called "offload").

If we subtract that, the capture does not show anything unusual.
0
 

Author Comment

by:hrolsons
ID: 38741259
Yes, the lady in the video said to do display filters so that you can look deeper if you wish and the data will be there.
0
 

Author Comment

by:hrolsons
ID: 38741607
There is definitely something going on because every now and then, like 5 times a day, I'll go to google.com and it says server not found.  So then I do a refresh and it's all good.  What should I look for in the feed for something like that?
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 38742244
Good question. That could be
(a) DNS not resolving fast enough, so the DNS reply comes in after the browser gave up already
(b) A routing issue, so the HTTP request could not go out, or the reply not come back
(c) A timing issue, so the answer was received much too late
(d) IPv6 addresses might get preferred over IPv4, though you do not have any IPv6 route into the Internet. This will only apply if you have IPv6 bound to your NIC driver, which is the default with Vista and later.

I would start with a filter for DNS traffic (udp port 53) in addition to traffic to google.com (173.194.70.x/24). Note that DNS queries for google.com will return in 1 IPv6 and 6 IPv4 addresses usually.
0
 

Author Comment

by:hrolsons
ID: 38744778
So I was capturing everything and it failed for amazon.com.  I immediately stopped the capture so I was hoping to see something at the end of the logs.  I set up a display filter of ip.proto == 17 but I'm not sure that is correct.

Can you help me write a display filter that might help to find what just happened?
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 38772813
First filter should be for DNS - to see if the address has been resolved. If it has, next filter is for the resolved IP address (from and to). Have a look at the display filter samples configured in Wireshark for the syntax.
0
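The diagnosis suggested earlier (DNS reply arriving after the browser gave up, or never arriving) and the two-step procedure just described (filter for DNS first, then for the resolved address) can be carried out on a field export from the capture. The following is an added example, not code from the thread or from Wireshark: it reads lines in the layout `tshark -T fields -E separator=/t -e frame.time_relative -e ip.src -e ip.dst -e dns.flags.response -e dns.id -e dns.qry.name -e dns.a` would produce, pairs each query with its reply by transaction id, classifies each lookup as answered, slow, or unanswered, and then selects the packets to and from the resolved address (the equivalent of an `ip.addr ==` display filter). The sample lines are constructed; the non-private addresses in them are from documentation ranges and the google.com one is a constructed value inside the 173.194.70.x range mentioned above.

```python
"""Pair DNS queries with replies, then isolate traffic to the resolved host.

Added example (not from the original thread). SAMPLE is constructed by hand
in the tshark -T fields layout named in FIELDS; it is not a real capture.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Column order assumed for each tab-separated line (tshark -e fields, in order):
# frame.time_relative, ip.src, ip.dst, dns.flags.response, dns.id, dns.qry.name, dns.a
FIELDS = ["time", "src", "dst", "is_response", "dns_id", "qname", "answers"]

# Constructed sample: one normal lookup, one answered 5.2 s late, one never answered,
# plus two packets to/from the first resolved address.
SAMPLE = """\
0.000\t192.168.1.6\t192.168.1.1\t0\t0x1a2b\tamazon.com\t
0.041\t192.168.1.1\t192.168.1.6\t1\t0x1a2b\tamazon.com\t198.51.100.20,198.51.100.21
0.050\t192.168.1.6\t198.51.100.20\t\t\t\t
0.090\t198.51.100.20\t192.168.1.6\t\t\t\t
3.000\t192.168.1.6\t192.168.1.1\t0\t0x1a2c\tgoogle.com\t
8.200\t192.168.1.1\t192.168.1.6\t1\t0x1a2c\tgoogle.com\t173.194.70.100
9.000\t192.168.1.6\t192.168.1.1\t0\t0x1a2d\tamazon.com\t
"""


@dataclass
class Lookup:
    dns_id: str
    qname: str
    sent: float
    answered: Optional[float] = None
    answers: List[str] = field(default_factory=list)

    @property
    def latency(self) -> Optional[float]:
        return None if self.answered is None else self.answered - self.sent

    def status(self, slow_after: float = 2.0) -> str:
        """'unanswered', 'slow' (reply after slow_after seconds) or 'ok'."""
        if self.answered is None:
            return "unanswered"
        return "slow" if self.latency > slow_after else "ok"


def parse_rows(text: str) -> List[Dict[str, str]]:
    """Turn tab-separated tshark field lines into dicts keyed by FIELDS."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        parts += [""] * (len(FIELDS) - len(parts))  # tolerate dropped trailing tabs
        rows.append(dict(zip(FIELDS, parts)))
    return rows


def correlate_dns(rows: List[Dict[str, str]]) -> List[Lookup]:
    """Match each DNS query to its reply by (transaction id, name)."""
    lookups: Dict[Tuple[str, str], Lookup] = {}
    for r in rows:
        if not r["dns_id"]:
            continue  # not a DNS packet
        key = (r["dns_id"], r["qname"])
        # Older tshark prints 0/1, newer prints False/True for boolean fields.
        if r["is_response"] in ("1", "True"):
            if key in lookups:
                lookups[key].answered = float(r["time"])
                lookups[key].answers = [a for a in r["answers"].split(",") if a]
        else:
            lookups.setdefault(key, Lookup(r["dns_id"], r["qname"], float(r["time"])))
    return list(lookups.values())


def traffic_with(rows: List[Dict[str, str]], ip: str) -> List[Dict[str, str]]:
    """Second step: packets to or from the resolved address (like ip.addr == ip)."""
    return [r for r in rows if ip in (r["src"], r["dst"])]


def display_filter(lookup: Lookup) -> str:
    """Wireshark display filter covering every address the lookup returned."""
    return " || ".join(f"ip.addr == {a}" for a in lookup.answers)


if __name__ == "__main__":
    rows = parse_rows(SAMPLE)
    for lk in correlate_dns(rows):
        lat = "n/a" if lk.latency is None else f"{lk.latency:.3f}s"
        print(f"{lk.qname:<12} id={lk.dns_id} {lk.status():<10} latency={lat} -> {lk.answers}")
        if lk.answers:
            print("   display filter:", display_filter(lk))
            print("   packets with first address:", len(traffic_with(rows, lk.answers[0])))
```

To use this on the real capture, export the fields with the tshark command from the lead-in and feed the output to `parse_rows`; a lookup marked `unanswered` or `slow` right before the "server not found" moment points at the resolver, whereas an `ok` lookup followed by no packets from `traffic_with` points at the path to the resolved address.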
