Network Troubleshoot Using Packet Sniffer Wireshark


Wireshark can also resolve MAC addresses to device (vendor) names, as shown in Fig. 5. To see the raw MAC addresses instead, untick the Name resolution checkbox at the bottom of the window. You can also list the devices by IP address by clicking the IPv4 tab, and UDP conversations can be checked the same way.

Fig. 5: Endpoints display window in Wireshark

3. You can also right-click on the title bar of the packet list and change the column layout through Column Preferences to suit your needs, as shown in Fig. 6.

Fig. 6: Setting Column Preferences in Wireshark

4. In Wireshark, we can pick out only the required data from the pool of captured packets using two kinds of filter: capture filters and display filters.

A capture filter is the right choice if you know exactly what kind of data you want. It stops unwanted packets from being captured at all, so there is no larger pool of packets to sift through afterwards: only the packets that meet the filter criteria are recorded.

To set a capture filter, click Capture > Interfaces > Options and enter the filter you want. Operators such as OR and AND combine several conditions, for example ‘tcp OR udp’, as shown in Fig. 7.

Fig. 7: Capture filter in Wireshark

5. Display filters are used when, after capturing a trace, you need to pick out packets that satisfy some condition (say, a protocol or port number). For example, ‘!tcp.port eq 80’ shows non-Web data only. A display filter can also be applied while a trace is still being captured; for example, set it to ‘tcp.port eq 80’ as shown in Fig. 8.

Fig. 8: Display filter in Wireshark
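To make the display-filter rules above concrete, here is an added example (not Wireshark's own code) that models how Wireshark evaluates a filter against a packet: a field such as tcp.port or ip.addr occurs twice in a packet (source and destination), and a comparison matches if any occurrence satisfies it. The five packets, the Packet class and the combinator names (eq, any_ne, not_, or_) are constructed for illustration; the filter expressions themselves are the ones from the article.

```python
"""Model of how Wireshark display-filter expressions match a packet.

Constructed example (not Wireshark's code): the five packets and the
evaluator below are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Packet:
    no: int
    ip_src: str
    ip_dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def field_values(self, name: str) -> List:
        """All occurrences of a field in this packet, as in Wireshark's
        protocol tree. ip.addr and tcp.port occur twice (source and
        destination), so a comparison on them matches if ANY occurrence
        satisfies it."""
        if name == "ip.addr":
            return [self.ip_src, self.ip_dst]
        if name == "tcp.port" and self.proto == "tcp":
            return [self.src_port, self.dst_port]
        if name == "udp.port" and self.proto == "udp":
            return [self.src_port, self.dst_port]
        return []                   # field absent: no comparison can match


Filter = Callable[[Packet], bool]


def proto(name: str) -> Filter:
    """Bare protocol name such as 'tcp': true if the packet carries that layer."""
    return lambda p: p.proto == name


def eq(field_name: str, value) -> Filter:
    """'field == value' / 'field eq value': some occurrence equals value."""
    return lambda p: any(v == value for v in p.field_values(field_name))


def any_ne(field_name: str, value) -> Filter:
    """'any occurrence differs from value': how older Wireshark releases
    evaluated 'field != value' (newer ones spell it 'field !== value')."""
    return lambda p: any(v != value for v in p.field_values(field_name))


def not_(f: Filter) -> Filter:
    """'!expr': negates the whole expression, not each occurrence."""
    return lambda p: not f(p)


def or_(a: Filter, b: Filter) -> Filter:
    return lambda p: a(p) or b(p)


def and_(a: Filter, b: Filter) -> Filter:
    return lambda p: a(p) and b(p)


def matching(packets: List[Packet], flt: Filter) -> List[int]:
    """Packet numbers that would remain in the packet list under this filter."""
    return [p.no for p in packets if flt(p)]


# Constructed trace: a Web request and reply, a DNS query to the gateway,
# an ICMP packet from the gateway, and an SSH connection.
SAMPLE = [
    Packet(1, "192.168.1.10", "93.184.216.34", "tcp", 51000, 80),
    Packet(2, "93.184.216.34", "192.168.1.10", "tcp", 80, 51000),
    Packet(3, "192.168.1.10", "192.168.1.1", "udp", 53123, 53),
    Packet(4, "192.168.1.1", "192.168.1.10", "icmp"),
    Packet(5, "192.168.1.10", "10.0.0.5", "tcp", 51001, 22),
]

# The article's filters, written with the combinators above.
TCP_OR_UDP = or_(proto("tcp"), proto("udp"))      # tcp OR udp
WEB_ONLY = eq("tcp.port", 80)                      # tcp.port eq 80
NON_WEB = not_(eq("tcp.port", 80))                 # !tcp.port eq 80
GATEWAY = eq("ip.addr", "192.168.1.1")             # ip.addr == 192.168.1.1
LEGACY_NE = any_ne("tcp.port", 80)                 # old-style tcp.port != 80

if __name__ == "__main__":
    for label, flt in [("tcp OR udp", TCP_OR_UDP), ("tcp.port eq 80", WEB_ONLY),
                       ("!tcp.port eq 80", NON_WEB),
                       ("ip.addr == 192.168.1.1", GATEWAY),
                       ("tcp.port != 80 (old semantics)", LEGACY_NE)]:
        print(f"{label:35s} -> packets {matching(SAMPLE, flt)}")
```

Running it shows why the article writes ‘!tcp.port eq 80’ rather than ‘tcp.port != 80’: because tcp.port occurs twice per packet, ‘any occurrence differs from 80’ is true even for the Web packets (their client port is not 80), whereas negating the whole ‘tcp.port eq 80’ expression excludes them. Newer Wireshark releases evaluate ‘!=’ as ‘!(... == ...)’ and reserve ‘!==’ for the old meaning, so the explicit negation the article uses is the form that reads the same in every version.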

6. You can save the captured packets across several files as they arrive. Click Capture > Interfaces > Options and, in the Capture File section, specify a file name and location. Tick the multiple-files option if you wish to spread the captured data over a large number of files; you can also make Wireshark switch to the next file automatically by size or by time.

The Ring Buffer option limits how many files are kept by overwriting old ones. Say you enter 24 in the Ring Buffer field: once 24 files exist, each new file replaces the oldest one.
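The following added example (not Wireshark or dumpcap code) simulates the multiple-files capture described above: packets are written to a new file whenever the current one would exceed a size limit, and a ring buffer of N files keeps only the N newest, deleting the oldest when a new file is opened. The RingBufferWriter class, its numbered file names and the constructed packets are assumptions for illustration.

```python
"""Simulation of Wireshark's multiple-files capture with a ring buffer.

Added example (not Wireshark or dumpcap code): the writer class, its file
naming and the constructed packets are assumptions for illustration.
"""
import os
import tempfile
from typing import List, Optional


class RingBufferWriter:
    """Writes packets to a series of files, starting a new file once the
    current one would exceed `max_bytes`, and keeps at most `ring_files`
    files on disk: the oldest is removed when a new one would exceed that."""

    def __init__(self, directory: str, prefix: str, max_bytes: int, ring_files: int):
        if ring_files < 1 or max_bytes < 1:
            raise ValueError("ring_files and max_bytes must be positive")
        self.directory = directory
        self.prefix = prefix
        self.max_bytes = max_bytes
        self.ring_files = ring_files
        self.file_index = 0           # running counter, like the file number in the name
        self.live: List[str] = []     # paths currently on disk, oldest first
        self._fh = None
        self._written = 0

    def _rotate(self) -> None:
        """Close the current file and open the next one in the series."""
        if self._fh:
            self._fh.close()
        self.file_index += 1
        path = os.path.join(self.directory, f"{self.prefix}_{self.file_index:05d}.bin")
        self._fh = open(path, "wb")
        self._written = 0
        self.live.append(path)
        # Ring buffer: beyond the limit the oldest file is overwritten, i.e.
        # deleted, so only the newest ring_files files survive.
        while len(self.live) > self.ring_files:
            os.remove(self.live.pop(0))

    def write(self, packet: bytes) -> None:
        """Append one packet, switching to the next file when the size limit is hit."""
        if self._fh is None or self._written + len(packet) > self.max_bytes:
            self._rotate()
        self._fh.write(packet)
        self._written += len(packet)

    def close(self) -> None:
        if self._fh:
            self._fh.close()
            self._fh = None


def simulate(n_packets: int, packet_size: int, max_bytes: int, ring_files: int) -> dict:
    """Run the writer on constructed packets and report what survives on disk."""
    directory = tempfile.mkdtemp(prefix="ringbuf_")
    writer = RingBufferWriter(directory, "capture", max_bytes, ring_files)
    for i in range(n_packets):
        writer.write(bytes([i % 256]) * packet_size)   # constructed payload
    writer.close()
    on_disk = sorted(os.listdir(directory))
    oldest: Optional[str] = on_disk[0] if on_disk else None
    return {"files_created": writer.file_index,
            "files_on_disk": len(on_disk),
            "oldest_surviving": oldest,
            "directory": directory}


if __name__ == "__main__":
    # 300 packets of 100 bytes with a 1000-byte file limit give 30 files;
    # a ring buffer of 24 leaves capture_00007 .. capture_00030 on disk.
    print(simulate(n_packets=300, packet_size=100, max_bytes=1000, ring_files=24))
```

The point to notice is that the ring buffer bounds disk usage but also silently discards the oldest evidence, so for a long-running capture the file size and count have to be chosen so that the window of retained traffic covers the time it takes someone to notice a problem and copy the files away.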

7. You can use the telephony features for capturing and monitoring calls. Click Telephony > RTP > Show All Streams. This lets you monitor every RTP conversation (audio call) within the packet trace.

8. The I/O Graphs window (Fig. 9) can also be used to view the captured network packets graphically. Click Statistics > I/O Graphs. For example, you can plot a graph for a particular device by its IP address with the filter ip.addr==192.168.1.1. Several filters can be entered at once and their I/O graphs studied together on the same plane.

Fig. 9: I/O graphs in Wireshark

In I/O graphs, the x-axis denotes the time elapsed since the first captured packet. The y-axis denotes the number of packets captured per unit of time. This unit of time can be selected using the Tick interval setting on the left-hand side of the window.

If you click on a point in the graph, the main Wireshark window behind it jumps to the corresponding packet. The graph can be saved as .png, .jpeg and other formats by clicking Save.
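As an added example (not Wireshark's code) of what the I/O graph computes, the function below bins a trace into tick intervals counted from the first packet and produces one series per filter, so several filters share the same x-axis; a second function models the click-through by returning the first packet that falls in a given tick. The timestamps, addresses and the `involves` predicate (standing in for the display filter ip.addr == 192.168.1.1) are constructed assumptions.

```python
"""Building I/O-graph data (packets per tick interval) from a trace.

Added example, not Wireshark code: the packet tuples, the tick interval and
the filters are constructed for illustration.
"""
from typing import Callable, Dict, List, Optional, Tuple

# (timestamp in seconds, source IP, destination IP): a constructed trace.
Packet = Tuple[float, str, str]
SAMPLE: List[Packet] = [
    (100.05, "192.168.1.10", "93.184.216.34"),
    (100.40, "93.184.216.34", "192.168.1.10"),
    (100.90, "192.168.1.10", "192.168.1.1"),
    (101.20, "192.168.1.1", "192.168.1.10"),
    (102.70, "192.168.1.10", "10.0.0.5"),
    (103.10, "192.168.1.1", "192.168.1.10"),
    (103.95, "192.168.1.10", "192.168.1.1"),
]

Predicate = Callable[[Packet], bool]


def involves(addr: str) -> Predicate:
    """Stands in for the display filter 'ip.addr == <addr>': either direction matches."""
    return lambda p: addr in (p[1], p[2])


def all_packets(_: Packet) -> bool:
    """The default, unfiltered series Wireshark draws."""
    return True


def tick_index(t: float, t0: float, tick: float) -> int:
    """Which tick interval a timestamp falls into, counted from the first packet."""
    return int((t - t0) // tick)


def io_graph(packets: List[Packet], tick: float,
             filters: Dict[str, Predicate]) -> Dict[str, List[int]]:
    """Packets per tick for each named filter. The x-axis is the tick index
    since the first packet; the y value is the number of matching packets in
    that tick. All series share one x-axis so they can be drawn on one plane."""
    if tick <= 0:
        raise ValueError("tick interval must be positive")
    if not packets:
        return {name: [] for name in filters}
    t0 = min(p[0] for p in packets)
    n_ticks = tick_index(max(p[0] for p in packets), t0, tick) + 1
    series = {name: [0] * n_ticks for name in filters}
    for p in packets:
        idx = tick_index(p[0], t0, tick)
        for name, flt in filters.items():
            if flt(p):
                series[name][idx] += 1
    return series


def first_packet_in_tick(packets: List[Packet], tick: float, idx: int) -> Optional[int]:
    """Models clicking on the graph: the 1-based number of the first packet
    in tick `idx`, or None if that tick is empty."""
    if not packets:
        return None
    t0 = min(p[0] for p in packets)
    for number, p in enumerate(packets, start=1):
        if tick_index(p[0], t0, tick) == idx:
            return number
    return None


if __name__ == "__main__":
    graph = io_graph(SAMPLE, 1.0, {"all": all_packets,
                                   "ip.addr==192.168.1.1": involves("192.168.1.1")})
    for name, ys in graph.items():
        print(f"{name:25s} {ys}")
    print("click on tick 3 ->", first_packet_in_tick(SAMPLE, 1.0, 3))
```

With a one-second tick the unfiltered series is [3, 1, 1, 2] and the gateway series [1, 1, 0, 2]; changing the tick to 2 seconds merges neighbouring bins, which is why a burst that stands out at a fine tick can disappear at a coarse one.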

Similarly, we can use Wireshark in a number of ways to study communication data and draw important conclusions.

What Wireshark is not

Wireshark is not an intrusion-detection system. It will not warn you when someone does strange things on your network that he/she is not allowed to do. However, if strange things happen, Wireshark might help you figure out what really is going on. It is like a monitoring device.

Wireshark will not manipulate things on the network; it will only measure things from it. It does not send packets on the network or do other active things.

EFY notes. 1. Working on a busy network can quickly consume huge amounts of memory and disk space, so you need a machine with a fast processor and plenty of memory and disk. If Wireshark runs out of memory, it will crash. For unattended installation and use, go for the command-line version.

2. With Wireshark, it is easy to troubleshoot the devices and make these work in a much better way.


Akshay Kumar is a B.Tech (engineering physics) student at Delhi Technological University, New Delhi
Joby Antony is masters in computer technology from the USA, and is currently working as engineer-F at Nuclear Inter-University Accelerator Centre (IUAC), New Delhi
