Wireshark II: The Analysis

Find out if those TCP streams on your network are filled with sea monsters or if it's smooth sailing for your Internet surfers.

Last week, you had the opportunity to look at Wireshark and its ability to easily capture network packets. This week, you’ll take a deeper dive into those Wireshark-infested streams and explore analytical techniques and shortcuts that you can sink your teeth into. Don’t worry, you won’t need a bigger boat to use any of these features.

Wireshark, by itself, is an effective analytical tool and it can point you in the right direction for some trouble spots. For example, if someone on your network has an email virus, you can see those packets, their source and their destination. Unfortunately, you’ll see them mixed in with all of the other packets that you’ve captured. The solution is selective filtering.

Casting a Smaller Net

Take one of your recent packet captures and count the number of “Who Has” broadcasts that you see. Chances are that you have an abundance of them cluttering up your capture. These are ARP requests and they tend to annoy rather than assist in your quest to find problems. Don’t misunderstand that statement. ARP requests are important and can point to problems on your network, but unless an ARP “storm” is the root of your problem, there are too many of them and they distract your attention from the real issues at hand.

You can resolve this problem by applying a filter to the packet capture. Using that same recent packet capture, enter “!arp” into the Filter field (see Figure 1) and press the ENTER key to apply it. All of the ARP entries should disappear. Now you can focus on potential problems without the extraneous matter fogging your vision.

Figure 1: Removing the ARP Entries from a Packet Capture

If you don’t know the correct filter syntax, you can click the Filter button, scroll through the list of common filter selections and choose the one you want to use. Try selecting No ARP and no DNS from the list to see how much your capture changes.

Alternatively, you can select a single packet type of interest and filter on that selection. Select a single packet, right-click it, select Apply as Filter and click Selected to accept the change. See Figures 2 and 3 for reference. Note the change in your display. You can apply filters before or after a packet capture event. To return to your original capture, click the Clear button.

Figure 2: Applying a Packet Filter

Figure 3: Viewing the Filtered Results
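To make the filter semantics above concrete, here is an added example that is not code from the original article or from the Wireshark project: a small Python evaluator for a subset of display-filter syntax (protocol presence, `field == value`, `!`/`not`, `&&`/`and`, `||`/`or`, parentheses), run over a constructed five-packet capture summary. The packet records and their field values are assumptions made up for the example; the filters checked are `!arp`, a no-ARP-and-no-DNS filter, and the `field == value` text that Apply as Filter > Selected builds from a highlighted field.

```python
import re
# Constructed sample capture (not a real trace): each packet's protocol stack plus a few decoded fields.
PACKETS = [
    {"no": 1, "protos": {"eth", "arp"}, "fields": {"arp.opcode": "1"}},
    {"no": 2, "protos": {"eth", "arp"}, "fields": {"arp.opcode": "2"}},
    {"no": 3, "protos": {"eth", "ip", "udp", "dns"}, "fields": {"ip.src": "10.0.0.5", "udp.dstport": "53"}},
    {"no": 4, "protos": {"eth", "ip", "tcp", "smtp"}, "fields": {"ip.src": "10.0.0.5", "tcp.dstport": "25"}},
    {"no": 5, "protos": {"eth", "ip", "tcp", "http"}, "fields": {"ip.src": "10.0.0.7", "tcp.dstport": "80"}},
]
TOKEN = re.compile(r"&&|\|\||==|!|\(|\)|[A-Za-z0-9_.]+")
WORDS = {"not": "!", "and": "&&", "or": "||"}  # Wireshark accepts both spellings

def parse(expr):
    """or -> and ('||' and)*; and -> not ('&&' not)*; not -> '!' not | '(' or ')' | field '==' value | proto"""
    toks = [WORDS.get(t, t) for t in TOKEN.findall(expr)] + [""]  # "" marks end of input
    def chain(sub, op, name):  # left-associative run of `sub` joined by `op`
        node = sub()
        while toks[0] == op:
            toks.pop(0)
            node = (name, node, sub())
        return node
    def or_expr(): return chain(and_expr, "||", "or")
    def and_expr(): return chain(not_expr, "&&", "and")
    def not_expr():
        tok = toks.pop(0)
        assert tok, "unexpected end of filter"
        if tok == "!":
            return ("not", not_expr())
        if tok == "(":
            node = or_expr()
            assert toks.pop(0) == ")", "missing ')'"
            return node
        if toks[0] == "==":  # field comparison, e.g. ip.src == 10.0.0.5
            toks.pop(0)
            return ("eq", tok, toks.pop(0))
        return ("has", tok)  # bare protocol or field name: presence test
    tree = or_expr()
    assert toks == [""], f"unexpected token {toks[0]!r}"
    return tree
def matches(node, pkt):
    kind, *args = node
    if kind == "has":
        return args[0] in pkt["protos"] or args[0] in pkt["fields"]
    if kind == "eq":
        return pkt["fields"].get(args[0]) == args[1]
    results = [matches(a, pkt) for a in args]
    return (not results[0]) if kind == "not" else all(results) if kind == "and" else any(results)
def apply_filter(expr, packets=PACKETS):  # packet numbers the display filter keeps
    tree = parse(expr)
    return [p["no"] for p in packets if matches(tree, p)]
```

Note that this toy evaluator only accepts `==`; Wireshark's `!=` has changed meaning between major versions, so it is deliberately left out rather than guessed at.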

Let Out Your Command Line

Comments on "Wireshark II: The Analysis"

paulquater

Free capture upload and analysis: http://www.networktimeout.com

lupin492

Thanks! I have to use Wireshark sometimes, but I didn't know a couple of things you pointed out.

jonl711

I use Wireshark a lot but I still cannot find any information on detecting viruses and malware. If it’s out there it would be much appreciated if I can be pointed in the correct direction. E-mail me at jlmiller@mmtnetworks.com.au
