Posted on 2016-10-27
Last Modified: 2016-10-30
I know Wireshark is an excellent tool for its purpose. As I am studying it, I have difficulty figuring out which type of problems this tool is designed to solve. In what scenario would I turn to Wireshark to start the troubleshooting?

[So far it seems it's designed to identify viruses or overlook traffic for monitoring purposes]

Please help
Question by:Abraham Deutsch
LVL 83

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 100 total points
ID: 41862293
That's basically it.  It monitors and records network traffic on the computer it's running on.  Then you can examine the data to see what is being sent and received and determine if it is correct or not.

Assisted Solution

by:Rob Leaver
Rob Leaver earned 100 total points
ID: 41862344
You've pretty much stated its use, it's to monitor or "sniff" network traffic.
LVL 35

Assisted Solution

Kimputer earned 100 total points
ID: 41862347
For clear text protocols (FTP, HTTP, SMTP) it could be handy (though happens less and less, as those protocols are now more and more encrypted).
Instead of digging through log files, you just fire up Wireshark, filter on the port, then start the FTP, HTTP or SMTP, and just read it back in Wireshark. Within no time, you'll have figured out why it didn't work (you can read the FTP/SMTP error code etc etc).
For DNS requests, it's also still usable (viruses usually do quite a lot of weird requests).
Rebuilding VOIP voice data is useful to hear the actual call quality (if you're not onsite, but have to work from remote).
Then there's the network stats for IP endpoints (to find the offending heavy downloader).
And then there are the things you sometimes cannot really solve but only observe with tears in your eyes: the ACK/RE-ACK/Resend/Retransmissions/Duplicate packets issues between specific hosts. You can only see why the connection isn't working, but the solution might not be within your reach (routing/firewall issues).

LVL 25

Assisted Solution

Cyclops3590 earned 100 total points
ID: 41862436
When I did load balancing a lot, it came in handy for the following:

1) Identify windowing/buffering issues.  Meaning, you have a large download and it goes slower than you want.  It helps you identify how fast/much each side is sending, when the ACKs come through for more data to be sent.  You can also see when buffers get overrun on the receiving side in turn.  That was one case, the app was designed to take data off the TCP buffer too slowly, causing a performance issue.  It was also good with respect to the windowing because you could tune it to better match the buffer settings to optimize throughput better.

2) Identify if a server or client is adding to latency.  You can see in the 3-way handshake how long it takes from receive to respond and you can tell if the client or server might have an app issue.

3) You can see if there are performance issues due to "dirty" lines by looking at retransmissions.

4) You can drill into the data by reconstructing packets or filter very easily so that you can correlate all of the network traffic and where an issue might be arising.  For example, one use I did at my home was finding out that my IPv6 tunnel had dropped and hadn't re-established (it had been so solid I forgot about it).  So the capture showed me that DNS was getting A and AAAA and trying IPv6 first before failing over to IPv4.

Those are just a few of the items I used Wireshark for most commonly.  You can think of it as a Swiss Army knife for analyzing traffic captures.  You don't have to actually sniff the traffic either.  So long as the data is in a format Wireshark understands, you can take captures from other places as well and analyze them with Wireshark in turn.
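As an added example (not code from this thread), here is a small Python model of two of the checks Cyclops3590 describes above: the 3-way handshake timing (item 2) and retransmission detection (item 3). It runs over constructed packet records instead of a real capture; the record layout, addresses and timestamps are assumptions, and the retransmission rule is a simplification of what Wireshark's `tcp.analysis.retransmission` flag does.

```python
# Added example, not from the original thread. Each record is a constructed
# tuple: (time_s, src, dst, tcp_flags, seq, payload_len).
from collections import defaultdict

# Constructed sample: handshake from client 10.0.0.5 to server 10.0.0.9,
# then data segments, one of which is sent twice (a retransmission).
PACKETS = [
    (0.000, "10.0.0.5", "10.0.0.9", "SYN",     1000, 0),
    (0.120, "10.0.0.9", "10.0.0.5", "SYN-ACK", 5000, 0),
    (0.121, "10.0.0.5", "10.0.0.9", "ACK",     1001, 0),
    (0.130, "10.0.0.5", "10.0.0.9", "PSH-ACK", 1001, 100),
    (0.140, "10.0.0.5", "10.0.0.9", "PSH-ACK", 1101, 100),
    (0.350, "10.0.0.5", "10.0.0.9", "PSH-ACK", 1101, 100),  # resend of seq 1101
    (0.360, "10.0.0.5", "10.0.0.9", "PSH-ACK", 1201, 100),
]


def handshake_latency(packets):
    """Return (server_delay, client_delay) in seconds, the same deltas you
    would read off the SYN / SYN-ACK / ACK rows in Wireshark. A large
    server_delay points at the server side, a large client_delay at the client."""
    syn = next(p for p in packets if p[3] == "SYN")
    syn_ack = next(p for p in packets if p[3] == "SYN-ACK" and p[1] == syn[2])
    ack = next(p for p in packets
               if p[3] == "ACK" and p[1] == syn[1] and p[0] > syn_ack[0])
    return round(syn_ack[0] - syn[0], 3), round(ack[0] - syn_ack[0], 3)


def find_retransmissions(packets):
    """Flag data segments whose sequence number is below the highest
    sequence already seen on that (src, dst) flow; the sender is resending
    bytes it already put on the wire, which on a 'dirty' line shows up as
    a cluster of these."""
    next_seq = defaultdict(int)   # (src, dst) -> highest seq + len seen so far
    retrans = []
    for t, src, dst, flags, seq, plen in packets:
        if plen == 0:             # pure ACKs / handshake carry no data
            continue
        flow = (src, dst)
        if seq < next_seq[flow]:
            retrans.append((t, src, dst, seq))
        next_seq[flow] = max(next_seq[flow], seq + plen)
    return retrans


if __name__ == "__main__":
    print("handshake delays (server, client):", handshake_latency(PACKETS))
    print("retransmissions:", find_retransmissions(PACKETS))
```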
LVL 25

Assisted Solution

masnrock earned 100 total points
ID: 41862463
Its function is for monitoring network traffic. Now exactly HOW you use that data is where things can vary.

It might be for troubleshooting an issue with connection quality such as VoIP, you might be checking for a machine that is flooding the network, could even be for a computer that keeps dropping off the network at random intervals. Wireshark can provide a wide range of data, it's on you to determine which part of that data you want to filter for and analyze.
LVL 25

Accepted Solution

Cyclops3590 earned 100 total points
ID: 41862472
I'm going to disagree hopefully to provide clarity.  Wireshark's "monitoring" is merely a feature.  At its core it is a protocol analyzer.  That is what it is meant for.  The monitoring piece is just a way to collect the data so you can use it for what it was built for.  If it was meant for "monitoring" like ntop or other tools are then it wouldn't be such an optional feature to its function.

However, I'm thinking the difference here is semantics, so I'm merely posting this so that clarity can be given as to what precisely Wireshark is used for.

Author Closing Comment

by:Abraham Deutsch
ID: 41866046
Thank you all for clarifying the functionality of Wireshark.
