Wireshark in a nutshell
What is Wireshark and how can it help me?
Marco S. Zuppone & the precious review of Tim Lloyd

What is Wireshark?
Wireshark is a free open-source packet analyzer created by Gerald Combs; it was initially named Ethereal. The name changed to Wireshark in 2006 for copyright reasons. Wireshark is very similar to tcpdump but has the advantage of a very good GUI that greatly improves and simplifies its usage. As with tcpdump, Wireshark needs the libpcap library to be able to capture traffic. Under Windows this library is called WinPcap.

What I need and how to get it
Wireshark is available on many platforms. Microsoft Windows: from Windows 2000* to Windows 2008 R2, for x86 and x64 OS. Mac OS: Snow Leopard (10.5) or later. Various Linux flavors and Unix: the source code is available. You can download it free at www.wireshark.org. The pre-compiled versions include the libpcap library, which is installed if needed.

Why can it help me?
As you can easily spot, LANDesk depends strongly on network communications to work, and most of the problems you will face supporting it are due to network problems. "Yes, but we have logs! Why do I need another software?" It is true that you have logs, but CAN YOU TRUST THEM? Packets never lie! Logs can be misleading or they do not capture the whole story: a simple IIS log can tell you that the client called vulcore.aspx, but it does not tell you what the client really asked of the Web Service unless you enable a specific log.

How to install it and where?
To install Wireshark on Windows and MacOS you need to be NNN Certified (Next - Next - Next). Where to install it? You need to install it on the device where you want to capture the traffic*. Sometimes choosing where you need to capture the traffic can be tricky and depends on the problem and the network configuration. If you suspect or know that between the client and the server there are devices that can mangle the network communications (NAT/SNAT/Websense appliances, firewalls, etc.) you may need to capture the traffic in multiple places to find out where the problem is. Generally speaking, capture the traffic closer to the problem.

The interface
The interface is consistent on all the supported platforms and there are only very small differences between the OSX, Unix and Windows versions. Always keep an eye on the status bar: it always shows important information such as expert info, the profile in use and the name of the selected packet field. Now it is time to begin a capture: this can be done in a lot of ways!

How to start a capture
Starting a capture can be done in multiple ways. The most common are: select an interface from the interface list (the capture begins immediately with the default options); click on the Interface List; click on one of the first two icons of the ribbon; press Ctrl+E; use the Capture menu. When you start a capture you can generally choose some options (except when you press Ctrl+E or click directly on the interface: in these cases the capture starts immediately). The most important options you need to know in the options pane are: promiscuous mode, capture filter and enable network name resolution. CAVEAT: use the enable network name resolution option sparingly! This option will generate a lot of DNS requests, and therefore DNS replies as well; you may not want to generate this kind of traffic.

Promiscuous mode or not?
In Promiscuous Mode your network interface is going to receive all the traffic even if it is not directed specifically to it. Example: a device (IP 10.14.8.1) is trying to talk with another device (IP 10.14.8.2) on the same network segment. If you are in Promiscuous Mode you should be able to see the conversation even if it is not for you. There are many factors that may limit your visibility while you are in Promiscuous Mode, such as network switches! If your switch is a proper one, it should direct the traffic from device A to device B only to the switch ports where A and B are physically plugged in. There are some solutions to this problem: configure the switch to repeat all the traffic to a SPAN port, use a hub to connect the devices (if you are still able to find one) or ask for budget to buy an aggregating network TAP (I know! I'm a dreamer!). If you are not in Promiscuous Mode you will be able to see all the traffic directed to you, plus broadcast and multicast traffic.

Capture filters
In some specific circumstances you need to limit the traffic that you want to capture, and so you can use capture filters. They use the BPF (Berkeley Packet Filter) syntax, which is different from the Wireshark display filter syntax. In version 1.6 of Wireshark two useful features about capture filters were introduced: the Compile BPF button, and the fact that the field where you define the rule changes color depending on whether the syntax is valid or not. The compile button is useful to validate the rule as well. Use capture filters sparingly! What is not captured simply is not there anymore: there is no way to get it back! Example: if you have a problem browsing the internet you may be tempted to use a filter such as this one: ip port 80. But what about HTTPS traffic? What if the problem is a DNS issue, or if the HTTP port used is not 80? CAVEAT: if a rule is syntactically valid this does not imply that the rule is logically meaningful! As an analogy, a lot of politicians make declarations without spelling or grammar errors but they are totally meaningless! Wireshark 1.6 is able to spot some of these meaningless expressions, but not all of them.