How to use Wireshark to diagnose network problems

Wireshark is distributed as a free open source packet analyzer. The utility provides a detailed report on the traffic flowing through your Network Interface Card (NIC), and may be used in benchmarking network performance and troubleshooting network issues. Here are some tips and best practices, describing how.

First Steps

If you haven’t done so already, the first thing you’ll need to do is install Wireshark on your testing system. The setup program can be obtained from the Download section of the Wireshark website.

 

Wireshark is designed to capture and log the activity on your network in real time, so that you can sort through and analyze the results in your own time. To get the most out of this utility, you’ll need to plan ahead a little – mostly to determine what it is that you actually want to monitor.

 

If you just need to isolate and check up on local conditions, plugging the system on which Wireshark is installed into the relevant switch port will enable you take readings on the hardware addresses associated with that port, broadcast/multicast traffic, and traffic passing to and from the system between ports.

 

You should use port mirroring, if you wish to examine traffic on an Ethernet port other than the one your Wireshark system is plugged into.

Capturing Interfaces

Once you’re clear on what you hope to achieve with the software, you can begin capturing network traffic by choosing Capture, then Options. The Options menu enables you to specify the length of time that Wireshark should run for, or the amount of data it should capture before it stops.

 

Select the interface you want, then click Start. Once you’ve clicked Start, you’ll see network traffic movements in real time – and be able to stop Wireshark from running manually, if you haven’t configured an automatic stop. As you gain a clearer idea of the specific types of traffic you want to monitor, you can use the Filters feature to exclude certain types of traffic, or include specific kinds of packets.

 

Wireshark produces a log, in which each individual line represents one packet that was exchanged. Individual packets may be selected to get a drill down and deeper analysis of its contents.

Memory Allowance

It’s important to realize that Wireshark captures its information to memory, which may cause the program to hang if it’s run for a considerable length of time, or when overall system memory is low. Wireshark’s own documentation specifies that capturing interfaces on a fully saturated 100 Mbit/s Ethernet will produce around 750 MB of data per minute – a rule of thumb worth remembering in relation to your own system’s specifications and available resources.

Typical Use Cases

Wireshark may be used to diagnose and troubleshoot a number of network problems and issues. These include:

 

· Slow or under-performing web servers

 

· The analysis of HTTP traffic

 

· Gaining visibility into commands and parameters, HTTP headers, and requests to servers

 

· Viewing and analyzing responses to the client from the server, including HTTP headers, commands and the HTML that’s returned

A Sample Analysis

This article from Perforce.com walks you through a typical Wireshark analysis aimed at isolating the causes for a slow-performing network. It includes configuration instructions for both Windows and Linux installations of the software. The main points to note are:

 

1. You can configure the type of network interface to analyze, using the Expression option next to Filter.

 

2. Use Capture, Interfaces to choose the network interface that’s exhibiting problems, then click Start.

 

3. Launch the application or process you wish to analyze.

 

4. Select Capture, Stop when you have completed your analysis.

 

5. Use File, Save as to create an analysis file in the specified format.

Interpreting The Results

With the multitude of options it has to offer, it’s easy to get lost in the output from a Wireshark analysis. If you’re looking to diagnose a network problem, the key thing is to isolate the source of the problem traffic. The Statistics, Conversations option of the Wireshark output menu is one way of achieving this.

 

Depending on the network protocol you’ve selected, you can use this menu to drill down to fine details including how much data is being transported (the Bytes option), or highlighting a particular sort of traffic (choose Analyze, then Enabled, then put a check mark on the specific protocols you need).

 

Remember to choose File, Save as to get an analysis document to study. This output may be converted to a spreadsheet file, by using the File, Export, File, Save as selection sequence, and choosing .csv as the required file format.

 

In cases of network troubleshooting, it also helps to get two Wireshark analysis sets – one from a problem machine, and one for comparison from a system that’s functioning correctly.

Getting Help And Guidance

There’s user documentation supplied with the Wireshark program itself, and a number of online resources on the software’s website, including online documents and video tutorials. Wireshark also maintains its own wiki.