IP Network Troubleshooting Part 3 Wayne M. Pecena, CPBE, CBNE Texas A&M University Educational Broadcast Services - KAMU February 2016
Today's Outline: Focused Upon Protocol Analysis with Wireshark
  Review of Wireshark Basics & How to Capture Network Traffic
  Creating Custom Wireshark Views
  Creating Custom Pre & Post Wireshark Filters
  Detailed Capture Analysis Examples
  Alternatives to Wireshark & Why These Might Be Considered
  Additional Useful Tools
  Takeaways, Questions, and Maybe Some Answers
Review of Wireshark Basics & How to Capture Network Traffic
Obtain & Install Wireshark
  Available for Windows, Mac OS X, & Linux
  Download (current v2.0.1): www.wireshark.org
  Be Sure to Include the Capture Libraries: WinPcap (Windows), libpcap (Unix/Linux)
  Install, Start Wireshark, Select an Interface, Click Start; CTRL+E Stops the Capture
  You Have Created a PCAP File!
  View & Analyze Results; Save For Later Analysis
Wireshark Host Requirements
  Windows 10, 8, 7, Vista, Server 2016, Server 2012, Server 2008 R2, and Server 2008
  Apple OS X, Debian GNU/Linux, FreeBSD, Mandriva Linux, NetBSD, Red Hat Enterprise/Fedora Linux, and several others
  64-bit AMD64/x86-64 or 32-bit x86 processor
  400 MB available RAM; larger capture files require more RAM
  300 MB available disk space; capture files require additional disk space
  1024×768 (1280×1024 or higher recommended) resolution, 16-bit color minimum
  A supported network interface
  Keep in Mind: Don't Use Your Old Retired PC As a Wireshark Capture Host
  Capturing on a 100 Mbps network can produce hundreds of megabytes of capture data in a very short time. A fast processor, lots of memory and plenty of disk space are always a good idea.
Wireshark main window (screenshot): list of captured packets; decoded header data for the selected packet; decoded payload data shown in hexadecimal & ASCII.
OSI layer diagram (figure): the two end hosts run all seven layers (Application, Presentation, Session, Transport, Network, Data Link, Physical); intermediate Layer 2 devices operate only at Data Link and Physical; an intermediate Layer 3 device operates up through Network.
Encapsulation (OSI Model, layers 7 through 1; data flows down the stack at the sender and up at the receiver)
  Layer              Protocol Data Unit
  4  Transport       Segments
  3  Network         Packets
  2  Data Link       Frames
  1  Physical        Bits
Where to Tap?
  Problem Nature Often Determines:
    At the Problem Host
    At the Destination Host
    Mid-Network Locations
  Accessibility May Also Drive the Tap Point
  Remember: Interfaces are Bi-Directional
How to Tap Ethernet & Capture Packets: Can Be Challenging!
  How to Capture?
  UTP Ethernet: Physical Passive Tap, Active Tap
  Optical Ethernet: Physical Passive Tap, Active Tap
  Ethernet Switch Port Mirror
  Run Wireshark on the Client Host if Possible
Active Tap Devices (photos): UTP Taps, Optical Taps
Shared Media Approach (figure: Host A, Host B and the Wireshark capture host all on one Ethernet hub)
  100 Mbps Maximum, Half-Duplex Only
  A hub repeats every frame to every port, so the capture host sees all traffic between A and B
  It Was Simpler In The Past: Half-Duplex Shared Media Networks Are Not Commonplace Today
  The Same Shared-Media Behavior Is Commonplace In a Wireless Environment
Switched Media Approach (figure: Host A, Host B and the Wireshark capture host on one Ethernet switch)
  Normal Ethernet Switch Operation Forwards a Unicast Frame Only to the Port Where Its Destination MAC Was Learned
  So Network Traffic Between Host A and Host B Is Not Seen by the Wireshark Capture Host
Switched Media Hub Approach (figure: Host B and the Wireshark capture host share an Ethernet hub that uplinks to the switch)
  Works, But Downgrades That Segment To Half-Duplex
  The Switch Port Now Sees 2 MAC Addresses (Host B and the capture host): a problem if switch-port security is enabled, since a one-MAC limit will register a violation and typically disable the port
Switched Media Tap Approach (figure: Ethernet tap inserted between the switch and Host B, with the Wireshark capture host on the tap's monitor port)
  Works, But Often Costly, Especially When a GigE UTP Or Optical Network Is Involved
Switched Media Monitor Port Approach (figure: Wireshark capture host on a switch port configured as a monitor port)
  Monitor Port: Recommended Approach (where possible)
Keep In Mind! (figure: Host A and Host B each send 500 Mbps through the switch; the monitor port must carry the combined 1000 Mbps)
  A full-duplex link carries up to 1 Gbps in each direction, but the monitor port has only its transmit side to send copies to the capture host; mirroring both directions of a busy link can oversubscribe it, and the switch silently drops the excess
  Limitations:
    Bad Frames Not Mirrored (the switch discards CRC-errored frames before they reach the monitor port, so Layer 1/2 faults stay invisible here)
    No VLAN Tags Passed (most switches send the mirrored copy untagged by default)
    Caution With RTP Network Traffic (high-rate streams are the ones most likely to oversubscribe the monitor port, and dropped mirror copies look like stream loss that never happened on the wire)
  Remember: Tapping a Network Can Be Challenging!
Cisco Ethernet Switch SPAN Port (figure: Host A on Port 1, Host B on Port 23, Wireshark host on Port 14)
  Switched Port Analyzer (SPAN) Port
    config t
    monitor session 1 source interface fa0/1
    monitor session 1 source interface fa0/23
    monitor session 1 destination interface fa0/14
    exit
  Check the session with show monitor session 1; add encapsulation replicate to the destination line if the capture must keep VLAN tags (not all platforms support it).
HP ProCurve Ethernet Switch Port Mirror (figure: HP ProCurve 2915; Host A on Port 1, Host B on Port 23, Wireshark host on Port 14)
  Mirror or Monitor Port
    config
    mirror-port 14
    int 1 monitor      (a range works too: int 1-12 monitor)
    int 23 monitor
    show monitor
    exit
Creating Custom Wireshark Views
Wireshark packet details (screenshot): frame 192 selected; header details displayed; payload data decoded (hex & ASCII).
View Screen Layouts
Default View Colors
Customize Columns
Creating Custom Pre & Post Wireshark Filters
Filtering
  Capture Filters
    Selectively Capture Packets; Pre-Capture Configuration
    Minimizes the Amount of Captured Data
    Written in libpcap/BPF syntax (the same syntax tcpdump uses), not in Wireshark display-filter syntax
  Display Filters
    Applied When Viewing; Allows Focusing on Attribute(s)
    All Data is Retained
    Written in Wireshark's own protocol.field syntax
  Which One to Use? The Reason for Capturing Dictates Proper Filter Use
    Use a Capture Filter When You Know What You Are Looking For
    Remember: You Can't Display What Has Not Been Captured!
Using Capture Filters
Useful Capture (pcap) Filter Examples
  ip
  tcp
  udp
  host 165.95.240.130
  net 165.95.240.128/26
  net 165.95.240.128 mask 255.255.255.192
  src net 165.95.240.128/26
  dst net 165.95.240.128/26
  port 80
  not broadcast and not multicast
  Note: host takes a single address; a range or subnet uses net (with /len or mask). Full grammar: http://www.tcpdump.org/manpages/pcap-filter.7.html
Using Display Filters
Useful Display Filter Examples
  eth.addr==00:19:c8:c8:22:7f
  ip
  ip.addr==165.95.240.130
  ip.addr==165.95.240.130 or ip.addr==165.95.240.129
  tcp
  tcp.port==80
  udp
  udp.port==50000
  http
  Note: the .addr and .port fields match either direction; use ip.src / ip.dst or tcp.srcport / tcp.dstport to pin one side. More examples: http://www.firstdigest.com/2009/05/wiresharks-most-useful-display-filters/
Detailed Capture Analysis Examples
TCP 3-Way Handshake: SYN, then SYN,ACK, then ACK
  Find the 1st SYN Packet: Edit > Find Packet, Enter tcp.flags.syn==1
  (tcp.flags.syn==1 also matches the server's SYN,ACK; tcp.flags.syn==1 and tcp.flags.ack==0 matches only the client's initial SYN)
  Right-Click on the Packet, Select Follow TCP Stream
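The encapsulation table, the display-filter examples and the handshake walk-through above all come together when a capture is read offline. The following is an added example, not code from the slides or from Wireshark: it builds a small classic-format pcap in memory (the frames, addresses 165.95.240.129/.130/.131, ports, MACs and timestamps are constructed for the example), decodes each frame layer by layer (Ethernet frame, IPv4 packet, TCP segment, checking the IPv4 header checksum the way Wireshark flags bad checksums), then applies display-filter-style predicates, finds the first SYN, follows its TCP stream by endpoint pair, and verifies the sequence/acknowledgement arithmetic of the 3-way handshake. Standard library only.

```python
"""Added example, not from the original slides: decode a constructed pcap layer by
layer (Ethernet frame -> IPv4 packet -> TCP segment), apply display-filter-style
predicates, and find and follow a TCP 3-way handshake. Standard library only; the
capture bytes, addresses, ports and MACs are constructed for the example."""
import struct
from collections import namedtuple

SYN, ACK = 0x02, 0x10  # TCP flag bits

def _mac(s): return bytes.fromhex(s.replace(':', ''))
def _ip(s): return bytes(int(o) for o in s.split('.'))
def _fmt_mac(b): return ':'.join('%02x' % x for x in b)
def _fmt_ip(b): return '.'.join(str(x) for x in b)

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used by the IPv4 and TCP headers."""
    if len(data) % 2:
        data += b'\x00'
    total = sum(struct.unpack('!%dH' % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_frame(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b''):
    """Encapsulate: TCP segment inside an IPv4 packet inside an Ethernet II frame (constructed MACs)."""
    tcp = struct.pack('!HHIIBBHHH', sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    pseudo = _ip(src_ip) + _ip(dst_ip) + struct.pack('!BBH', 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack('!H', checksum(pseudo + tcp)) + tcp[18:]  # fill TCP checksum
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     _ip(src_ip), _ip(dst_ip))
    ip = ip[:10] + struct.pack('!H', checksum(ip)) + ip[12:]  # fill IPv4 header checksum
    return _mac('00:19:c8:c8:22:80') + _mac('00:19:c8:c8:22:7f') + b'\x08\x00' + ip + tcp

def build_pcap(frames):
    """Classic pcap: 24-byte global header (linktype 1 = Ethernet), 16-byte record header per frame."""
    out = [struct.pack('<IHHiIII', 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack('<IIII', 1454000000 + i, i * 1000, len(frame), len(frame)) + frame)
    return b''.join(out)

CLIENT, SERVER, OTHER = '165.95.240.130', '165.95.240.129', '165.95.240.131'
SAMPLE_PCAP = build_pcap([                                          # constructed capture
    build_frame(OTHER, SERVER, 40000, 80, 9000, 7000, ACK),         # 1: unrelated stream
    build_frame(CLIENT, SERVER, 51000, 80, 1000, 0, SYN),           # 2: SYN
    build_frame(SERVER, CLIENT, 80, 51000, 5000, 1001, SYN | ACK),  # 3: SYN,ACK
    build_frame(CLIENT, SERVER, 51000, 80, 1001, 5001, ACK),        # 4: ACK
    build_frame(CLIENT, SERVER, 51000, 80, 1001, 5001, ACK, b'GET / HTTP/1.0\r\n\r\n'),  # 5: data
])

Packet = namedtuple('Packet', 'number eth_src eth_dst ip_src ip_dst ip_checksum_ok '
                              'sport dport seq ack flags payload')

def parse_pcap(data: bytes):
    """Walk the pcap records and peel each frame layer by layer; non-IPv4/TCP frames are skipped."""
    if struct.unpack('<I', data[:4])[0] != 0xA1B2C3D4:
        raise ValueError('expected a classic little-endian pcap with microsecond timestamps')
    packets, pos, number = [], 24, 0
    while pos + 16 <= len(data):
        incl_len = struct.unpack('<IIII', data[pos:pos + 16])[2]
        frame, pos, number = data[pos + 16:pos + 16 + incl_len], pos + 16 + incl_len, number + 1
        # Layer 2: Ethernet II header = dst MAC, src MAC, EtherType (0x0800 = IPv4)
        eth_dst, eth_src, etype = frame[:6], frame[6:12], struct.unpack('!H', frame[12:14])[0]
        if etype != 0x0800:
            continue
        # Layer 3: IPv4; header length from the IHL nibble, packet length from Total Length
        ip = frame[14:]
        ihl, total_len, proto = (ip[0] & 0x0F) * 4, struct.unpack('!H', ip[2:4])[0], ip[9]
        if proto != 6:
            continue
        # Layer 4: TCP; header length from the Data Offset nibble, everything after it is payload
        tcp = ip[ihl:total_len]
        sport, dport, seq, ack, off_res, flags = struct.unpack('!HHIIBB', tcp[:14])
        packets.append(Packet(number, _fmt_mac(eth_src), _fmt_mac(eth_dst), _fmt_ip(ip[12:16]),
                              _fmt_ip(ip[16:20]), checksum(ip[:ihl]) == 0,
                              sport, dport, seq, ack, flags, tcp[(off_res >> 4) * 4:]))
    return packets

# Display-filter equivalents: they run over decoded packets after capture, like Wireshark's display filters
def display_filter(packets, predicate):
    return [p.number for p in packets if predicate(p)]
def ip_addr(p, addr):    # ip.addr==addr matches either direction
    return addr in (p.ip_src, p.ip_dst)
def first_syn(packets):  # Edit > Find Packet with tcp.flags.syn==1 (a SYN,ACK would match too)
    return next((p for p in packets if p.flags & SYN), None)

def follow_tcp_stream(packets, p):
    """Follow TCP Stream: every packet exchanged between the same pair of (address, port) endpoints."""
    key = {(p.ip_src, p.sport), (p.ip_dst, p.dport)}
    return [q for q in packets if {(q.ip_src, q.sport), (q.ip_dst, q.dport)} == key]

def is_three_way_handshake(stream):
    """SYN, then SYN,ACK acknowledging seq+1, then ACK acknowledging the server's seq+1."""
    if len(stream) < 3:
        return False
    syn, synack, ack = stream[:3]
    return ((syn.flags & (SYN | ACK)) == SYN
            and (synack.flags & (SYN | ACK)) == (SYN | ACK) and synack.ack == syn.seq + 1
            and (ack.flags & (SYN | ACK)) == ACK
            and ack.seq == syn.seq + 1 and ack.ack == synack.seq + 1)
```

Running parse_pcap(SAMPLE_PCAP), then follow_tcp_stream on first_syn's result, returns packets 2 through 5 and is_three_way_handshake reports True for that stream; the unrelated packet 1 never enters it because its endpoint pair differs. parse_pcap accepts any classic little-endian Ethernet pcap saved by Wireshark or tcpdump, so the same predicates can be pointed at a real file, with the caveat that pcapng (Wireshark's default save format since 1.8) and other link types are not handled here.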
ICMP Example
Streaming Media Example
Wireshark Statistics
Alternatives to Wireshark & Why These Might Be Considered
Fluke Networks ClearSight
Riverbed SteelCentral Packet Analyzer Personal Edition: http://www.riverbed.com/products/steelcentral/steelcentral-packet-analyzer-personal-edition.html
Klos PacketVault: http://www.klos.com/products/packetvault/
Additional Useful Tools
Zenmap: the Nmap security scanner GUI, https://nmap.org/zenmap/
Wireless Networks & Wireshark
  Wireless is challenging!
  Most 802.11 Network Adapters and Drivers (especially on Windows) Do Not Support Monitor Mode, Which Is What Captures Every Frame on the Air
  Without Monitor Mode, Promiscuous Mode Only Shows You Packets To/From the Host Running Wireshark!
  You Must Select the RF Channel (Wireshark capture options); You Will Only See Packets on That RF Channel
  Extensively Use Capture Filters! Focus Upon a Specific Client
Takeaways, Questions, and Maybe Some Answers
Takeaway Points & Concepts: Parts 1-3
  Establish a Structured Troubleshooting Approach; Avoid Shooting-from-the-Hip Approaches
  Use the OSI Model as a Guide to a Structured Approach: Work Your Way Up the IP Stack
    Verify Layer 1 Physical Connectivity
    Verify Layer 2 Connectivity is Error Free
    Verify Layer 3 Inter-Networking
    Use Protocol Analysis to See Network Activity
  80% of Network Problems Are Physical-Infrastructure Based: Standards Not Properly Applied, Guidelines Not Adhered To
  Don't Lose Sight of the 100 m Ethernet UTP Segment Limit!
Takeaway Points & Concepts
  Use Protocol Analysis to See Network Host Interaction
  Wireshark Is The Most Popular Protocol Analyzer
  Understanding the OSI Model & TCP/IP Protocol Action is Key to Understanding Wireshark Results
  Understand How & Where to Capture Network Activity
  Filtering is Essential to Find the Needle in the Haystack: Capture Filters (minimize captured data), Display Filters (minimize displayed info)
  Customize Your Wireshark Views
  Verify Everything Yourself; Use Caution When Trusting What You Are Told!
References / Further Study
  https://wiki.wireshark.org/
  https://www.wireshark.org/docs/wsug_html/
Use a Structured Process for Troubleshooting!
Thank You for Attending!
Wayne M. Pecena, Texas A&M University, wpecena@sbe.org, 979.845.5662
Questions?