Solved

Help analyzing Wireshark data

Posted on 2012-12-28
12
643 Views
Last Modified: 2013-01-28
I am having some network issues and it was suggested that I run Wireshark.  It is running and flashing all over the place.  Can someone help me analyze what it's doing?  I'm quite lost.
0
Comment
Question by:hrolsons
12 Comments
 
LVL 30

Expert Comment

by:IanTh
ID: 38727926
you have to filter the wireshark data to look for the specific protocol your investigating
0
 

Author Comment

by:hrolsons
ID: 38727967
I selected my ethernet port and clicked Start.  Is that what you mean?
0
 
LVL 44

Expert Comment

by:Darr247
ID: 38728290
Laura Chappell has a free 4-part Wireshark 101 tutorial series on her site at
https://www.lcuportal2.com/index.php?option=com_content&view=category&layout=blog&id=49&Itemid=75

Download the FLV files or watch them online there.
Note they're in reverse order in the file listing... I renamed them when downloading so they appear in the correct order when listed alphabetically.
e.g. Wireshark 101 FLV files
0
 

Author Comment

by:hrolsons
ID: 38738270
I watched the videos and I still don't understand where to start.  On youtube most of the vids are for hacking passwords, which I have no interest in.  I wan't to find out why one computer in the office loses the connection to another computer in the office.
0
 
LVL 68

Accepted Solution

by:
Qlemo earned 500 total points
ID: 38738317
Then I recommend to set the capture filter to at least
   host x.x.x.x or host y.y.y.y
and restrict the captured packet size to e.g. 64 or 128 bytes. That should give you enough bytes to properly analyze header info without storing much of the payload. Further, you should store the capture in splitted files ("Use multiple files", "Next file every" [minutes or bytes], "Ring buffer with" [provide enough files to allow for analysis of several hours]).

Analyzing a sporadic communication interruption is nothing you do easy handed. I would look for resends first.
0
 

Author Comment

by:hrolsons
ID: 38741175
So, I set ip.src == 192.168.1.7 and everything looked happy and green and white with a very rare red line.  I then set it to ip.src == 192.168.1.6 and it is filled with red and black lines.  I will attach a screenshot.Wireshark screen
0
Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

 
LVL 68

Expert Comment

by:Qlemo
ID: 38741233
You know you only set the display filter, right? You are filtering what you see, not what is captured - which is ok if you wanted to do exactly that.
Don't care about that red stuff. You can see that the checksum is incorrect, which is quite common if the NIC drivers perform the calculation of checksums (called "offload").

If we subtract that, the capture does not show anything unusual.
0
 

Author Comment

by:hrolsons
ID: 38741259
Yes, the lady in the video said to do display filters so that you can look deeper if you wish and the data will be there.
0
 

Author Comment

by:hrolsons
ID: 38741607
There is definitely something going on because every now and then, like 5 times a day, I'll go to google.com and it says server not found.  So then I do a refresh and it's all good.  What should I look for in the feed for something like that?
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 38742244
Good question. That could be
(a) DNS not resolving fast enough, so the DNS reply comes in after the browser gave up already
(b) A routing issue, so the HTTP request could not go out, or the reply not come back
(c) A timing issue, so the answer was received much too late
(d) IPv6 addresses might get preferred over IPv4, though you do not have any IPv6 route into the Internet. This will only apply if you have IPv6 bound to your NIC driver, which is the default with Vista and later.

I would start with a filter for DNS traffic (udp port 53) in addition to traffic to google.com (173.194.70.x/24). Note that DNS queries for google.com will return in 1 IPv6 and 6 IPv4 addresses usually.
0
 

Author Comment

by:hrolsons
ID: 38744778
So I was capturing everything and it failed for amazon.com.  I immediately stopped the capture so I was hoping to see something at the end of the logs.  I set up a display filter of ip.proto == 17 but I'm not sure that is correct.

Can you help me write a display filter that might help to find what just happened?
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 38772813
First filter should be for DNS - to see if the address has been resolved. If it has, next filter is for the resolved IP address (from and to). Have a look into the display filter samples configured with WireShark for the syntax.
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

This is an article about my experiences with remote access to my clients (so that I may serve them) and eventually to my home office system via Radmin Remote Control. I have been using remote access for over 10 years and have been improving my metho…
Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now