Posted on 2016-10-27
Last Modified: 2016-10-30
I know Wireshark is an excellent tool for its purpose. As I am studying it, I have difficulty figuring out which type of problems this tool is designed to solve. In what scenario would I turn to Wireshark to start troubleshooting?

[So far it seems it's designed to identify viruses or look over traffic for monitoring purposes]

Please help
Question by: Abraham Deutsch
Assisted Solution

by: Dave Baldwin
Dave Baldwin earned 100 total points
ID: 41862293
That's basically it.  It monitors and records network traffic on the computer it's running on.  Then you can examine the data to see what is being sent and received and determine if it is correct or not.

Assisted Solution

by: Rob Leaver
Rob Leaver earned 100 total points
ID: 41862344
You've pretty much stated its use: it's to monitor or "sniff" network traffic.
Assisted Solution

Kimputer earned 100 total points
ID: 41862347
For clear-text protocols (FTP, HTTP, SMTP) it can be handy (though that happens less and less, as those protocols are now more and more encrypted).
Instead of digging through log files, you just fire up Wireshark, filter on the port, then start the FTP, HTTP or SMTP session, and just read it back in Wireshark. In no time you'll have figured out why it didn't work (you can read the FTP/SMTP error code, etc.).
For DNS requests it's also still usable (viruses usually make quite a lot of weird requests).
Rebuilding VoIP voice data is useful to hear the actual call quality (if you're not on site but have to work remotely).
Then there are the network stats per IP endpoint (to find the offending heavy downloader).
And then there are the things you sometimes cannot really solve but only observe with tears in your eyes: the ACK/re-ACK/resend/retransmission/duplicate packet issues between specific hosts. You can only see why the connection isn't working, but the solution might not be within your reach (routing/firewall issues).
Assisted Solution

Cyclops3590 earned 100 total points
ID: 41862436
When I did load balancing a lot, it came in handy for the following:

1) Identify windowing/buffering issues. Meaning, you have a large download and it goes slower than you want. It helps you identify how fast/how much each side is sending, and when the ACKs come through for more data to be sent. You can also see when buffers get overrun on the receiving side in turn. In one case, the app was designed to take data off the TCP buffer too slowly, causing a performance issue. It was also good with respect to windowing, because you could tune it to better match the buffer settings and optimize throughput.

2) Identify if a server or client is adding to latency. You can see in the 3-way handshake how long it takes from receive to respond, and you can tell if the client or server might have an app issue.

3) You can see if there are performance issues due to "dirty" lines by looking at retransmissions.

4) You can drill into the data by reconstructing packets or filter very easily, so that you can correlate all of the network traffic and see where an issue might be arising. For example, one use I had at home was finding out that my IPv6 tunnel had dropped and hadn't established again (it had been so solid I forgot about it). The capture showed me that DNS was returning A and AAAA records and the client was trying IPv6 first before failing over to IPv4.

Those are just a few of the items I used Wireshark for most commonly. You can think of it as a Swiss army knife for analyzing traffic captures. You don't have to actually sniff the traffic either: so long as the data is in a format Wireshark understands, you can take captures from other places as well and analyze them with Wireshark in turn.
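The handshake-latency and retransmission checks from points 2 and 3 above, plus reading the clear-text FTP reply codes Kimputer mentions, reduced to a pure-Python script that does on a pcap file what Wireshark's TCP analysis and "Follow TCP Stream" do for you. This is an example added by the editor, not code from any answer here or from Wireshark. The capture is constructed inside the script (hosts 10.0.0.5 and 10.0.0.20 are made up: an FTP login that fails, with the server's last reply lost and retransmitted 200 ms later). Only classic little-endian pcap with plain IPv4/TCP and no VLAN tags is handled, and 32-bit sequence wraparound is ignored.

```python
"""Pure-Python stand-in for three things Wireshark's TCP analysis does:
3-way-handshake timing, retransmission flagging, clear-text FTP reply codes.
Added example, not Wireshark's code. The capture below is CONSTRUCTED."""
import socket
import struct
from collections import defaultdict, namedtuple

PCAP_MAGIC = 0xA1B2C3D4            # classic little-endian pcap, microsecond stamps
SYN, PSH, ACK = 0x02, 0x08, 0x10   # TCP flag bits used here
Seg = namedtuple("Seg", "ts src dst sport dport seq ack flags payload")


def tcp_segment(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Ethernet/IPv4/TCP frame with no options; checksums left as zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags,
                      65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def build_pcap(frames):
    """frames: [(timestamp_seconds, raw_frame)] -> bytes of a pcap file."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for ts, frame in frames:
        sec = int(ts)
        out += struct.pack("<IIII", sec, round((ts - sec) * 1e6),
                           len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Yield one Seg per IPv4/TCP frame (VLAN tags and IPv6 are skipped)."""
    if struct.unpack_from("<I", data)[0] != PCAP_MAGIC:
        raise ValueError("only little-endian microsecond pcap is handled here")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _ = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if frame[12:14] != b"\x08\x00":          # not IPv4
            continue
        ip = frame[14:]
        if ip[9] != 6:                            # not TCP
            continue
        ihl, total = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0]
        tcp = ip[ihl:total]
        sport, dport, seq, ack, doff, flags = struct.unpack_from("!HHIIBB", tcp)
        yield Seg(sec + usec / 1e6, socket.inet_ntoa(ip[12:16]),
                  socket.inet_ntoa(ip[16:20]), sport, dport, seq, ack, flags,
                  tcp[(doff >> 4) * 4:])


def analyze(pcap_bytes):
    """Per-stream findings, keyed by the sorted (ip, port) endpoint pair."""
    streams = defaultdict(lambda: {"server_delay": None, "client_delay": None,
                                   "retransmissions": [], "ftp_replies": []})
    syn_at, synack_at, next_seq = {}, {}, {}
    for s in parse_pcap(pcap_bytes):
        key = tuple(sorted([(s.src, s.sport), (s.dst, s.dport)]))
        st = streams[key]
        # Handshake: SYN->SYN/ACK gap is the server's share of the latency,
        # SYN/ACK->ACK gap the client's (each includes one trip over the wire).
        if s.flags & SYN and not s.flags & ACK:
            syn_at[key] = s.ts
        elif s.flags & SYN and key in syn_at:
            st["server_delay"] = round(s.ts - syn_at[key], 6)
            synack_at[key] = s.ts
        elif s.flags & ACK and key in synack_at and st["client_delay"] is None:
            st["client_delay"] = round(s.ts - synack_at[key], 6)
        # Retransmission: data at a sequence number this sender already covered
        # (32-bit wraparound is ignored in this toy).
        direction = (s.src, s.sport, s.dst, s.dport)
        retx = bool(s.payload) and s.seq < next_seq.get(direction, 0)
        if retx:
            st["retransmissions"].append((s.ts, s.seq))
        elif s.payload:
            next_seq[direction] = max(next_seq.get(direction, 0),
                                      s.seq + len(s.payload))
        # Clear-text FTP: server replies begin with a 3-digit reply code.
        if s.sport == 21 and not retx and s.payload[:3].isdigit():
            st["ftp_replies"].append(s.payload.decode("ascii", "replace").rstrip())
    return dict(streams)


def sample_capture():
    """CONSTRUCTED capture: a failed FTP login, last reply retransmitted."""
    c, srv, cp, sp = "10.0.0.5", "10.0.0.20", 40000, 21
    cseq, sseq = 1001, 5001                   # sequence numbers after the SYNs
    frames = [(0.000000, tcp_segment(c, srv, cp, sp, 1000, 0, SYN)),
              (0.000420, tcp_segment(srv, c, sp, cp, 5000, 1001, SYN | ACK)),
              (0.000600, tcp_segment(c, srv, cp, sp, 1001, 5001, ACK))]
    dialogue = [(srv, "220 ftp.example.test FTP ready\r\n"),
                (c, "USER anonymous\r\n"),
                (srv, "331 Please specify the password.\r\n"),
                (c, "PASS guest@\r\n"),
                (srv, "530 Login incorrect.\r\n")]
    t = 0.001
    for sender, text in dialogue:
        data = text.encode()
        if sender == srv:
            frames.append((t, tcp_segment(srv, c, sp, cp, sseq, cseq, PSH | ACK, data)))
            sseq += len(data)
        else:
            frames.append((t, tcp_segment(c, srv, cp, sp, cseq, sseq, PSH | ACK, data)))
            cseq += len(data)
        t += 0.0005
    frames.append((t + 0.2, frames[-1][1]))   # same bytes again: the retransmission
    return build_pcap(frames)


def report(pcap_bytes):
    """Flatten analyze() into one dict per stream with a readable label."""
    return [dict(stream="%s:%d <-> %s:%d" % (k[0] + k[1]), **v)
            for k, v in analyze(pcap_bytes).items()]
```

Running `report(sample_capture())` gives one stream with a 420 µs server delay, a 180 µs client delay, one retransmitted segment (the `530` reply) and the three FTP reply lines. In Wireshark itself the same things are the `tcp.analysis.retransmission` display filter, the `tcp.analysis.ack_rtt` field on the SYN/ACK and on the client's ACK, and `ftp.response.code` (or Follow TCP Stream) for the reply text.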
Assisted Solution

masnrock earned 100 total points
ID: 41862463
Its function is monitoring network traffic. Now exactly HOW you use that data is where things can vary.

It might be for troubleshooting an issue with connection quality such as VoIP, you might be checking for a machine that is flooding the network, could even be for a computer that keeps dropping off the network at random intervals. Wireshark can provide a wide range of data, it's on you to determine which part of that data you want to filter for and analyze.
Accepted Solution

Cyclops3590 earned 100 total points
ID: 41862472
I'm going to disagree hopefully to provide clarity.  Wireshark's "monitoring" is merely a feature.  At its core it is a protocol analyzer.  That is what it is meant for.  The monitoring piece is just a way to collect the data so you can use it for what it was built for.  If it was meant for "monitoring" like ntop or other tools are then it wouldn't be such an optional feature to its function.

However, I'm thinking the difference here is semantics, so I'm merely posting this so that clarity can be given as to what precisely Wireshark is used for.

Author Closing Comment

by: Abraham Deutsch
ID: 41866046
Thank you all for clarifying the functionality of Wireshark.
