WIRESHARK Introduction 18532: How to efficiently use the Most Popular Network Analysis Tool
Thursday, March 3, 2016: 12:30 PM-1:30 PM
Matthias Burkhard, IBM Germany; de.linkedin.com/in/mreede; twitter: @mreede
Preferences – Adding Columns (slide 2)
• Wireshark is great but can even get better in suiting your needs
Coloring Rules – Enterprise Extender (slide 3)
• Line 24 – Line 22
• Line 22 – Line 20
WIRESHARK – Coloring Rules TCP (slide 4)
• Filter on host name(s)
Filter Expressions – eq, in { }, contains (slide 5)
• The best filters right at your fingertips
Filter 'Buttons' – Enterprise Extender (slide 6)
Statistics Flow Graph – Enterprise Extender (slide 7)
• Statistics Flowgraph UDP 12000 LDLC traffic
• Name resolution done via hosts file
Filter 'Buttons' right where you need them (slide 8)
Switching Profiles: EE -> TCP (slide 9)
Follow TCP Stream: Hidden TLS (slide 10)
Edit Preferences: Adding SSL/TLS Ports (slide 11)
Edit Preferences: Adding SSL/TLS Ports (slide 12)
Edit Preferences: Providing Master-Secrets (slide 13)
Edit Preferences Columns: Decrypted HTTP2 (slide 14)
Coloring rule: Decrypted HTTP2 OK (slide 15)
Filter Button: Eureka! (slide 16)
Edit Preferences: Adding SSL/TLS Ports (slide 17)
Statistics Stream Graph: Stevens (slide 18)
Statistics Stream Graph: Round Trip Time (slide 19)
Statistics Stream Graph: Window Scaling (slide 20)
Display Filters: Slow TCP connections (slide 21)
Display Filters: Slow TCP connections (slide 22)
• Sophisticated Filters can be stored in the Profile
0.19 < tcp.time_delta < 0.3 && (tcp.len==0 || (0 < tcp.len < 1360))
Display Filters: up_down tcp.flags&7 (slide 23)
• Combine filters to get what you need
http2.header.name == "server" or tcp.flags&7 or ssl.record.content_type==21
How many FINs do we need? (slide 24)
• Who is closing the session and why?
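As an added example (not from the slides), the two display filters above are re-implemented in Python over a constructed packet list, so that it is visible which frames each one selects and which side sends the first FIN or RST. The packet list, the client/server labels and the use of Wireshark field names as dictionary keys are assumptions of the example; `tcp.flags&7` tests the FIN, SYN and RST bits, which is why the slide calls it "up_down".

```python
"""Added example: the 'Slow TCP connections' and 'up_down tcp.flags&7'
display filters from the slides, evaluated in Python over constructed
packets (not a real capture).

Wireshark fields used as dictionary keys:
  tcp.time_delta  seconds since the previous frame of the same TCP stream
  tcp.len         TCP payload length in bytes
  tcp.flags       TCP flags word; FIN=0x001, SYN=0x002, RST=0x004, so
                  tcp.flags&7 is non-zero for set-up and tear-down segments
"""

FIN, SYN, RST, PSH, ACK = 0x001, 0x002, 0x004, 0x008, 0x010

# Constructed sample stream: handshake, request, a slow small reply and a close.
PACKETS = [
    {"no": 1,  "src": "client", "tcp.time_delta": 0.000, "tcp.len": 0,    "tcp.flags": SYN},
    {"no": 2,  "src": "server", "tcp.time_delta": 0.010, "tcp.len": 0,    "tcp.flags": SYN | ACK},
    {"no": 3,  "src": "client", "tcp.time_delta": 0.000, "tcp.len": 0,    "tcp.flags": ACK},
    {"no": 4,  "src": "client", "tcp.time_delta": 0.001, "tcp.len": 120,  "tcp.flags": PSH | ACK},  # request
    {"no": 5,  "src": "server", "tcp.time_delta": 0.250, "tcp.len": 0,    "tcp.flags": ACK},        # late pure ACK: matches
    {"no": 6,  "src": "server", "tcp.time_delta": 0.220, "tcp.len": 1360, "tcp.flags": ACK},        # full-size segment: excluded
    {"no": 7,  "src": "server", "tcp.time_delta": 0.200, "tcp.len": 300,  "tcp.flags": PSH | ACK},  # small late reply: matches
    {"no": 8,  "src": "server", "tcp.time_delta": 0.500, "tcp.len": 0,    "tcp.flags": FIN | ACK},  # outside the 0.19..0.3 window
    {"no": 9,  "src": "client", "tcp.time_delta": 0.002, "tcp.len": 0,    "tcp.flags": ACK},
    {"no": 10, "src": "client", "tcp.time_delta": 0.003, "tcp.len": 0,    "tcp.flags": RST},
]


def slow_tcp(pkt):
    """0.19 < tcp.time_delta < 0.3 && (tcp.len==0 || (0 < tcp.len < 1360))"""
    delta, length = pkt["tcp.time_delta"], pkt["tcp.len"]
    return 0.19 < delta < 0.3 and (length == 0 or 0 < length < 1360)


def up_down(pkt):
    """tcp.flags&7: true when any of FIN, SYN or RST is set."""
    return pkt["tcp.flags"] & 7 != 0


def matching_frames(packets, display_filter):
    """Frame numbers that the given filter function selects."""
    return [p["no"] for p in packets if display_filter(p)]


def fin_count(packets):
    """How many FINs are in the stream (a clean close needs one per side)."""
    return sum(1 for p in packets if p["tcp.flags"] & FIN)


def who_closed(packets):
    """The first FIN or RST tells you which side started the close."""
    for p in packets:
        if p["tcp.flags"] & (FIN | RST):
            kind = "RST" if p["tcp.flags"] & RST else "FIN"
            return p["src"], kind, p["no"]
    return None


if __name__ == "__main__":
    print("slow TCP frames:", matching_frames(PACKETS, slow_tcp))
    print("up/down frames:", matching_frames(PACKETS, up_down))
    print("FINs:", fin_count(PACKETS), "closed by:", who_closed(PACKETS))
```

Frame 6 shows the point of the `tcp.len < 1360` clause: a full-size segment arriving late is bulk transfer, not an application pause, so the filter leaves it out; the single FIN answered by an RST is exactly the situation the "How many FINs do we need?" slide asks about.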
Meet me at SHARE San Antonio, TX 2016 (slide 25)
MQ IPCS Socket Analysis Session 18531
WIRESHARK Introduction Session 18532
WIRESHARK Hands-On Lab Session 18533
https://ibm.biz/MQ-Song
https://ibm.biz/MQ-IPCS
https://ibm.biz/SHARKatSHARE
de.linkedin.com/in/mreede twitter @mreede
• Enterprise Extender and TN3270 Profile – SNA over IP Protocols
– Telnet TCP port 23
– EE UDP ports 12000-12004
WIRESHARK (slide 27)
Wireshark Bootcamp
• Line 24 – Line 22
• Line 22 – Line 20
WIRESHARK – Filter Expressions (slide 28)
• Line 24 – Line 22
• Line 22 – Line 20
Statistics Conversations (slide 29)
• Line 24 – Line 22
• Line 22 – Line 20
Statistics Conversations (slide 30)
• Allows multiple graphs to be drawn
– Any filter combination
– Various graph types
● Line, Bar, Dot, Square, Diamond
– More Colors
• Can be saved in wireshark Profile
WIRESHARK V2 Statistics IO Graph (slide 31)
• TCP
– ACK
– dupACK
• For SMB
– Create
– Close REQ
– Close RSP
WIRESHARK V2 Related Packets (slide 32)
• Easy Navigation – Based on Coloring
Intelligent Scrollbar (slide 33)
• Throughput
– rwin
– cwnd
– RTT
– Packet Loss
Statistics Stream Graph (slide 34)
• Window Scaling
– rwin
– cwnd
– RTT
– Packet Loss
Statistics Stream Graph (slide 35)
• Throughput
– rwin
– cwnd
– RTT
– Packet Loss
Statistics Stream Graph (slide 36)
• Throughput
– rwin
– cwnd
– RTT
– Packet Loss
Statistics Stream Graph (slide 37)
• Window Scaling
– rwin
Statistics Stream Graph (slide 38)
• SMB Performance
– rwin
– cwnd
– RTT
– Packet Loss
Statistics IO Graph (slide 39)
# This file is automatically generated, DO NOT MODIFY.
"Enabled","Packets","ip","#8c3700","Impulse","Packets/s","","0"
"Enabled","Windowsize","ip.ttl<128","#fce94f","Dot","MAX(Y Field)","tcp.window_size","0"
"Enabled","inFlight","tcp.analysis.bytes_in_flight and ip.ttl==128 and !tcp.analysis.retransmission","#4e9a06","Dot","MAX(Y Field)","tcp.analysis.bytes_in_flight","0"
"Enabled","RTT","tcp.srcport==445 and tcp.analysis.ack_rtt < 0.3","#204a87","Line","MAX(Y Field)","tcp.analysis.ack_rtt","0"
"Enabled","GAP","tcp.options.sack_le","#fcaf3e","Bar","MAX(Y Field)","tcp.window_size","0"
"Enabled","DUPACKS","tcp.analysis.duplicate_ack","#fcaf3e","Impulse","MAX(Y Field)","tcp.window_size","0"
"Disabled","RXMIT"," tcp.dstport==445 and tcp.analysis.retransmission","#ef2929","Dot","MAX(Y Field)","tcp.analysis.bytes_in_flight","0"
"Disabled","Seq","tcp.dstport==20","#4e9a06","Impulse","MAX(Y Field)","tcp.seq","0"
"Disabled","Ack","tcp.srcport==20","#729fcf","Line","MAX(Y Field)","tcp.ack","0"
"Disabled","Outbound","ip.ttl==64","#2e3436","Impulse","Packets/s","","0"
"Disabled","inbound","!ip.ttl==64","#729fcf","Dot","Packets/s","","0"
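The file above is the io_graphs file Wireshark keeps in the profile directory, which is how an IO Graph set-up travels with a profile. As an added example (not from the slides and not Wireshark's own code), the following Python reads it, writes it back in the same format and runs two sanity checks a practitioner would want before trusting the picture. The column order is assumed from the record layout visible on the slide (Enabled, Name, Display Filter, Color, Style, Y Axis, Y Field, SMA Period); the file text is embedded verbatim so the example runs offline.

```python
"""Added example: parse, lint and re-serialize a Wireshark io_graphs profile file.

Assumed record layout (the column order visible on the slide):
  Enabled, Name, Display Filter, Color, Style, Y Axis, Y Field, SMA Period
"""
import csv
import io
from dataclasses import dataclass

HEADER = "# This file is automatically generated, DO NOT MODIFY."

# The file from the slide, embedded verbatim (note the leading space in the RXMIT filter).
IO_GRAPHS_TEXT = HEADER + '''
"Enabled","Packets","ip","#8c3700","Impulse","Packets/s","","0"
"Enabled","Windowsize","ip.ttl<128","#fce94f","Dot","MAX(Y Field)","tcp.window_size","0"
"Enabled","inFlight","tcp.analysis.bytes_in_flight and ip.ttl==128 and !tcp.analysis.retransmission","#4e9a06","Dot","MAX(Y Field)","tcp.analysis.bytes_in_flight","0"
"Enabled","RTT","tcp.srcport==445 and tcp.analysis.ack_rtt < 0.3","#204a87","Line","MAX(Y Field)","tcp.analysis.ack_rtt","0"
"Enabled","GAP","tcp.options.sack_le","#fcaf3e","Bar","MAX(Y Field)","tcp.window_size","0"
"Enabled","DUPACKS","tcp.analysis.duplicate_ack","#fcaf3e","Impulse","MAX(Y Field)","tcp.window_size","0"
"Disabled","RXMIT"," tcp.dstport==445 and tcp.analysis.retransmission","#ef2929","Dot","MAX(Y Field)","tcp.analysis.bytes_in_flight","0"
"Disabled","Seq","tcp.dstport==20","#4e9a06","Impulse","MAX(Y Field)","tcp.seq","0"
"Disabled","Ack","tcp.srcport==20","#729fcf","Line","MAX(Y Field)","tcp.ack","0"
"Disabled","Outbound","ip.ttl==64","#2e3436","Impulse","Packets/s","","0"
"Disabled","inbound","!ip.ttl==64","#729fcf","Dot","Packets/s","","0"
'''


@dataclass
class IOGraph:
    enabled: bool
    name: str
    display_filter: str   # kept verbatim so the file round-trips byte for byte
    color: str
    style: str
    y_axis: str
    y_field: str
    sma_period: str


def parse_io_graphs(text):
    """One IOGraph per CSV record; comment and blank lines are skipped."""
    rows = [ln for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]
    graphs = []
    for row in csv.reader(rows):
        if len(row) != 8:
            raise ValueError(f"expected 8 fields, got {len(row)}: {row}")
        enabled, name, flt, color, style, y_axis, y_field, sma = row
        if enabled not in ("Enabled", "Disabled"):
            raise ValueError(f"bad enabled flag {enabled!r} for graph {name}")
        graphs.append(IOGraph(enabled == "Enabled", name, flt, color, style, y_axis, y_field, sma))
    return graphs


def serialize(graphs):
    """Write the graphs back in the same all-quoted CSV layout."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for g in graphs:
        writer.writerow(["Enabled" if g.enabled else "Disabled", g.name, g.display_filter,
                         g.color, g.style, g.y_axis, g.y_field, g.sma_period])
    return HEADER + "\n" + buf.getvalue()


def enabled_names(graphs):
    return [g.name for g in graphs if g.enabled]


def set_enabled(graphs, name, flag):
    """Toggle one graph by name; returns True if the name was found."""
    for g in graphs:
        if g.name == name:
            g.enabled = flag
            return True
    return False


def lint(graphs):
    """Checks: a MAX(...) axis needs a Y field, and enabled graphs should not share a color."""
    issues = []
    for g in graphs:
        if g.y_axis.startswith("MAX(") and not g.y_field.strip():
            issues.append(f"{g.name}: Y axis {g.y_axis} needs a Y field")
    color_owner = {}
    for g in graphs:
        if not g.enabled:
            continue
        if g.color in color_owner:
            issues.append(f"{g.name} and {color_owner[g.color]} share color {g.color}")
        else:
            color_owner[g.color] = g.name
    return issues


if __name__ == "__main__":
    graphs = parse_io_graphs(IO_GRAPHS_TEXT)
    print("enabled:", enabled_names(graphs))
    print("lint:", lint(graphs))
```

Run against the file from the slide, the lint reports that GAP and DUPACKS both use #fcaf3e, which is worth knowing before reading SACK gaps and duplicate ACKs off the same graph; the round trip through `serialize` is exact, so a script can flip a graph such as RXMIT on or off and write the profile file back unchanged otherwise.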
TCP Stream Graph - Stevens (slide 40)
IO Graph – Bytes in Flight vs. Windowsize (slides 41 to 45)
Graph annotations: 1.3MB/s, 2.6MB/s
IO Graph – Bytes in Flight vs. Windowsize (slide 46)