Introduction of Wireshark Capture

Upload: vankhanh

Post on 30-Jun-2018


Contents

1 A Brief Introduction of Wireshark
2 How to Capture Wireshark Packets
3 Display and Analyze the Packets
4 Case Study

A Brief History of Wireshark

1997 – Gerald Combs started to develop Ethereal.
1998 – The first edition, v0.2.0, came out, and more people joined in the improvement of Ethereal.
2006 – Ethereal was renamed Wireshark due to a trademark issue.
2014 – Wireshark is still the world's most popular network protocol analyzer.

Wireshark is a free and open-source packet analyzer, used for network troubleshooting, software and communication protocol development, etc.

Main Functions of Wireshark

- Capture live packet data from a network interface
- Display the packets with detailed protocol information, occurrence time, source, and destination
- Filter and search packets on many criteria to find the ones you are looking for
- Open and save captured packet data
- Import and export packet data from and to many other capture programs
- …and a lot more

Note: Wireshark only captures packets that already exist on the network; it does not produce or send new packets to the network.

2 How to Capture Wireshark Packets

Understand Where to Install Wireshark

IPC, DVR/NVR, VMS, PC, switch, gateway, and other network devices together form a huge network system. To capture the packets we want, where should we install Wireshark?

① Situation 1: Network issues between your PC and IPC/DVR
Example: You are running iVMS-4200 or a web browser on your PC, trying to live view or play back video from the IPC/DVR, but it fails. To capture the communication packets between your PC and the IPC/DVR, just run Wireshark on the PC and start the capture.

② Situation 2: Network issues between your IPC and NVR
Example: To capture the communication packets between the IPC and the NVR, you can capture on either the IPC side or the NVR side. Taking the NVR side as an example: unplug the network cable from the NVR, plug that cable into a hub, connect both the NVR and the capture PC to the hub, then start the capture. (A switch with a port mirror function can be used in place of the hub.)

[Figure: Situation 1 – capture PC on the same network as the IPC/DVR; Situation 2 – NVR and capture PC attached through a hub]

How to Capture Network Packets

Step 1 – Download Wireshark from http://www.wireshark.org/download.html
Step 2 – Install and run Wireshark on the capture PC, then click File >> Interfaces
Step 3 – Select the interface you want to capture on, then click Start after the interface to begin capturing, or click Options to enter the advanced capture settings.

Step 3 – Advanced Capture Options
- Capture Interface
- Capture Filter
- Display Options and Name Resolution
- Stop Capture Rule
- Use a new capture file when a specific trigger condition is reached.
- If you know the size of the packets you capture, you can set the packet size limit here.
- Uncheck the promiscuous mode option to capture only the packets going to or from your computer (not all packets on your LAN segment).

Step 3 – Capture Filters

Step 4 – After the capture starts, reproduce the network issue you encountered on the IPC/DVR/VMS.
Step 5 – Stop the capture, then save the capture file.

3 Display and Analyze the Packets

This section covers display filters, supported protocols, and protocol details.

Display Filters

Comparison operators

English   C language   Meaning
eq        ==           equal
ne        !=           not equal
gt        >            greater than
lt        <            less than
ge        >=           greater or equal
le        <=           less or equal

Logical operators

English   C language   Meaning
and       &&           logical AND
or        ||           logical OR
xor       ^^           logical XOR
not       !            logical NOT

Examples

ip.addr == 10.1.1.1                         Display the packets whose source or destination IP is 10.1.1.1
ip.src == 10.1.2.3 and ip.dst != 10.4.5.6   Display the packets whose source IP is 10.1.2.3 and whose destination IP is not 10.4.5.6
tcp.port == 25                              Display the TCP packets whose source or destination port is 25
tcp.dstport == 25                           Display the TCP packets whose destination port is 25
snmp || dns || icmp                         Display SNMP, DNS, or ICMP packets
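As an added illustration (not part of the original slides), a small Python evaluator for the filter syntax in the tables above, run over a constructed packet list; it shows why ip.addr and tcp.port match in either direction while ip.src and tcp.dstport match only one. Tokens must be whitespace-separated and parentheses are not supported.

```python
import operator
# Constructed sample packets (not from the page), keyed by the Wireshark field names the slide uses.
PACKETS = [
    {"ip.src": "10.1.2.3", "ip.dst": "10.4.5.6", "tcp.srcport": 50000, "tcp.dstport": 25, "proto": "smtp"},
    {"ip.src": "10.1.1.1", "ip.dst": "10.1.2.3", "tcp.srcport": 25, "tcp.dstport": 50001, "proto": "smtp"},
    {"ip.src": "10.1.2.3", "ip.dst": "10.9.9.9", "udp.dstport": 53, "proto": "dns"},
    {"ip.src": "10.1.1.1", "ip.dst": "10.4.5.6", "proto": "icmp"},
]
# Both spellings from the slide's comparison table map to the same Python function.
COMPARE = {"eq": operator.eq, "==": operator.eq, "ne": operator.ne, "!=": operator.ne,
           "gt": operator.gt, ">": operator.gt, "lt": operator.lt, "<": operator.lt,
           "ge": operator.ge, ">=": operator.ge, "le": operator.le, "<=": operator.le}
# Either-direction fields: ip.addr matches src or dst, tcp.port matches either port.
EITHER = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport")}

def _term(pkt, toks, i):
    """One term: 'field op value', or a bare protocol name. Returns (bool, next token index)."""
    field = toks[i]
    if i + 2 < len(toks) and toks[i + 1] in COMPARE:
        val = int(toks[i + 2]) if toks[i + 2].isdigit() else toks[i + 2]
        # A field the packet lacks (tcp.port on an ICMP packet) never matches.
        return any(COMPARE[toks[i + 1]](pkt[n], val) for n in EITHER.get(field, (field,)) if n in pkt), i + 3
    return pkt.get("proto") == field, i + 1   # bare protocol name, e.g. "dns"

def _not_expr(pkt, toks, i):
    if toks[i] in ("not", "!"):
        v, i = _not_expr(pkt, toks, i + 1)
        return not v, i
    return _term(pkt, toks, i)

def _and_expr(pkt, toks, i):
    v, i = _not_expr(pkt, toks, i)
    while i < len(toks) and toks[i] in ("and", "&&"):
        w, i = _not_expr(pkt, toks, i + 1)
        v = v and w
    return v, i

def matches(pkt, expr):
    """Evaluate one display-filter expression against one packet record."""
    toks = expr.split()
    v, i = _and_expr(pkt, toks, 0)
    while i < len(toks):      # remaining joiners are or / xor: loosest binding, left to right
        w, j = _and_expr(pkt, toks, i + 1)
        v = (v != w) if toks[i] in ("xor", "^^") else (v or w)
        i = j
    return v

def display(expr, packets=PACKETS):
    """Return the indices of the packets the filter would display."""
    return [n for n, p in enumerate(packets) if matches(p, expr)]
```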

Packet Details

This pane displays the selected packet's information in detail, divided into groups according to OSI layer. On the left is the packet details pane; on the right is the packet bytes pane, which shows the packet data in hexdump style.

Packet Display Panel (status bar)

-- The network interface used in the capture
-- The capture state: in progress or stopped
-- Saving path of the capture file, and the size of the captured packets
-- Number of captured packets, number of displayed packets, number of marked packets

Capture Device Basic Packets

- Device is not connected
- TCP handshake between VMS and DVR
- Heartbeat between DVR and VMS
- RTP frames of the video stream are consecutive.

RTSP protocol (items marked in the capture):
1. Streaming protocol
2. Encoding standard
3. Streaming port
4. Channel No.
5. Stream type

UPnP: a UPnP-enabled device sends packets to the network that include its device location, UUID, and basic device information.

Get the Network Parameters of the DVR
Get the Network Parameters of a Disconnected DVR

4 Case Study

Case Study – Playback Failure on iVMS-4200

Case study: A customer tries to remotely live view and play back a DS-7316HFI-ST DVR on IE and on iVMS-4200. He finds that live view and playback on IE are fine and live view on iVMS-4200 is fine, but playback on iVMS-4200 prompts a failure message. Below is the Wireshark capture of the playback failure on iVMS-4200.

Conclusion: Use a display filter to find the related TCP packet. 0x320 in hex is 800 in decimal, and error code 800 means the device is running out of network bandwidth. For the DS-7300HFI-ST (60 Mbps in total), one channel of playback on iVMS-4200 consumes 12 Mbps of bandwidth. Hence, if there is not more than 12 Mbps of bandwidth available, playback on iVMS-4200 prompts a failure message.

Case Study – NTP

Case study: Using Wireshark to capture the DVR's NTP packets.
- NTP communication packets between the NTP server and client
- The source/destination IP and port of the NTP request
- Synced UTC time

Case Study – Stream Media Server

Case study: Using Wireshark to capture stream forwarding packets via the stream media server.
- Stream media server is running
- Stream media server is closed

While using iVMS-4200 to live view the cameras via the stream media server, you will be able to capture the stream packets if the stream media server successfully forwards the video stream.

Case Study – Third-party IPC Online Search

Case study: A customer installed a LiftMaster gateway on his router to control a gate via the network. After he plugs a DS-9600NI-ST V3.0.0 NVR into the same router, the LiftMaster stops working, and it works again as soon as he unplugs the NVR. Below are the captured broadcast packets. The cause was found to be that some UDP destination ports of the broadcasts happen to be the working port of the LiftMaster, which might have caused port interference. In V3.0.2 firmware, this broadcast for third-party IPC search at an interval of 15 seconds has been changed to a single broadcast while the NVR is booting up.

Third-party IPC online search broadcasts:
- Broadcast on UDP port 3702 – 2 packets of approximately 1670 bytes every 17 seconds – ONVIF IPC
- Broadcast on UDP port 10670 – 1 packet of approximately 100 bytes every 17 seconds – Panasonic IPC
- Broadcast on UDP port 2380 – 1 packet of approximately 60 bytes every 17 seconds – SONY IPC
- Broadcast on UDP port 10001 – 1 packet of approximately 76 bytes every 17 seconds – SANYO IPC
- Broadcast on UDP port 1757 – 1 packet of approximately 60 bytes every 17 seconds – BOSCH IPC
- Broadcast on UDP port 6005 – 1 packet of approximately 60 bytes every 17 seconds – ACTi IPC
- Broadcast on UDP port 69 – 1 packet of approximately 64 bytes every 17 seconds – ARECONT IPC
- Broadcast on UDP port 7701 – 1 packet of approximately 300 bytes every 17 seconds – SAMSUNG IPC
- Broadcast on UDP port 4022 – 1 packet of approximately 120 bytes every 17 seconds – HUNT IPC
- Multicast to 224.0.0.251, UDP port 5353 – 2 packets of approximately 88 bytes each every 17 seconds – AXIS IPC
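Added example, not from the original slides: a defender-side check that finds fixed-interval broadcast senders in a capture, maps their UDP destination ports to the search list above, and reports any that collide with ports you know another LAN device uses. The capture records, the NVR address 192.168.1.10 and the ports_in_use set are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean

# UDP destination ports the slide lists for the NVR's third-party IPC search broadcasts.
SEARCH_PORTS = {3702: "ONVIF", 10670: "Panasonic", 2380: "SONY", 10001: "SANYO", 1757: "BOSCH",
                6005: "ACTi", 69: "ARECONT", 7701: "SAMSUNG", 4022: "HUNT", 5353: "AXIS (mDNS)"}

# Constructed sample capture (not from the page): (time_s, src, dst, dst_port, length).
# An NVR at 192.168.1.10 repeats three of the searches every 17 s; two unrelated packets follow.
CAPTURE = [(t + off, "192.168.1.10", "255.255.255.255", port, size)
           for t in (0.0, 17.0, 34.0, 51.0)
           for off, port, size in ((0.00, 3702, 1670), (0.05, 3702, 1670), (0.10, 69, 64), (0.20, 2380, 60))]
CAPTURE += [(5.0, "192.168.1.20", "192.168.1.1", 53, 70), (9.5, "192.168.1.30", "255.255.255.255", 67, 300)]

def is_broadcast(dst):
    """Limited broadcast or IPv4 multicast (224.0.0.0/4) destination."""
    return dst == "255.255.255.255" or 224 <= int(dst.split(".")[0]) <= 239

def periodic_senders(capture, min_repeats=3, tolerance=0.2):
    """Group broadcast/multicast packets by (src, dst_port) and keep the groups that repeat at a
    steady interval. Returns {(src, port): {"count", "interval", "bytes", "label"}}."""
    groups = defaultdict(list)
    for t, src, dst, port, size in sorted(capture):
        if is_broadcast(dst):
            groups[(src, port)].append((t, size))
    report = {}
    for key, pkts in groups.items():
        # Collapse a burst (several packets within 1 s) into one beat before measuring the period.
        beats = [t for i, (t, _) in enumerate(pkts) if i == 0 or t - pkts[i - 1][0] > 1.0]
        if len(beats) < min_repeats:
            continue
        gaps = [b - a for a, b in zip(beats, beats[1:])]
        period = mean(gaps)
        if max(abs(g - period) for g in gaps) > tolerance * period:
            continue                                  # jittery timing: not a fixed-interval search
        report[key] = {"count": len(pkts), "interval": round(period, 1),
                       "bytes": sum(s for _, s in pkts), "label": SEARCH_PORTS.get(key[1], "unknown")}
    return report

def port_conflicts(report, ports_in_use):
    """Periodic broadcast ports that another LAN device also uses; ports_in_use comes from the
    operator (e.g. the other device's documentation), since the capture alone cannot tell you."""
    return sorted((src, port, info["label"]) for (src, port), info in report.items() if port in ports_in_use)
```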