WIRESHARK Introduction 18532How to efficiently use the

Most Popular Network Analysis Tool

Thursday, March 3, 2016: 12:30 PM-1:30 PM

Matthias Burkhard IBM Germany de.linkedin.com/in/mreedetwitter: @mreede

InsertCustomSessionQR if Desired.

Preferences – Adding Columns

2

• Wireshark is great but can even get better in suiting your needs

Coloring Rules – Enterprise Extender

3

• Line 24– Line 22

• Line 22– Line 20

WIRESHARK – Coloring Rules TCP

4

• Filter on host name(s)

Filter Expressions – eq, in { }, contains

5

• The best filters right at your fingertips

Filter 'Buttons' – Enterprise Extender

6

Statistics Flow Graph– Enterprise Extender

7

• Statistics Flowgraph UDP 12000 LDLC traffic

• Name resolution done via hosts file

Filter 'Buttons' right were you need them

8

Switching Profiles: EE –> TCP

9

Follow TCP Stream: Hidden TLS

10

Edit Preferences: Adding SSL/TLS Ports

11

Edit Preferences: Adding SSL/TLS Ports

12

Edit Preferences: Providing Master-Secrets

13

Edit Preferences Columns: Decrypted HTTP2

14

Coloring rule: Decrypted HTTP2 OK

15

Filter Button: Eureka!

16

Edit Preferences: Adding SSL/TLS Ports

17

Statistics Stream Graph: Stevens

18

Statistics Stream Graph: Round Trip Time

19

Statistics Stream Graph: Window Scaling

20

Display Filters: Slow TCP connections

21

Display Filters: Slow TCP connections

22

• Sophisticated Filters can be stored in the Profile

0.19 < tcp.time_delta < 0.3 && (tcp.len==0 || (0 < tcp.len < 1360))0.19 < tcp.time_delta < 0.3 && (tcp.len==0 || (0 < tcp.len < 1360))

Display Filters: up_down tcp.flags&7

23

• Combine filters to get what you needhttp2.header.name == "server" or tcp.flags&7 or ssl.record.content_type==21

How many FINs do we need?

24

• Who is closing the session and why ?

Meet me at SHARE San Antonio,Tx 2016

MQ IPCS Socket Analysis Session 18531

WIRESHARK Introduction Session 18532

WIRESHARK Hands-On Lab Session 18533

25

hhttps://ibm.biz/MQ-Songhttps://ibm.biz/MQ-Song

Hhttps://ibm.biz/MQ-IPCShttps://ibm.biz/MQ-IPCS

Hhttps://ibm.biz/SHARKatSHAREhttps://ibm.biz/SHARKatSHARE

de.linkedin.com/in/mreedetwitter @mreede

Meet me at SHARE San Antonio,Tx 2016

MQ IPCS Socket Analysis Session 18531

WIRESHARK Introduction Session 18532

WIRESHARK Hands-On Lab Session 18533

26

hhttps://ibm.biz/MQ-Songhttps://ibm.biz/MQ-Song

Hhttps://ibm.biz/MQ-IPCShttps://ibm.biz/MQ-IPCS

Hhttps://ibm.biz/SHARKatSHAREhttps://ibm.biz/SHARKatSHARE

de.linkedin.com/in/mreedetwitter @mreede

• Enterprise Extender and TN3270 Profile – SNA over IP Protocols

– Telnet TCP port 23

– EE UDP ports 12000-12004

WIRESHARK

27

WiresharkWiresharkBootcampBootcamp

• Line 24– Line 22

• Line 22– Line 20

WIRESHARK – Filter Expressions

28

• Line 24– Line 22

• Line 22– Line 20

Statistics Conversations

29

• Line 24– Line 22

• Line 22– Line 20

Statistics Conversations

30

• Allows multiple graphs to be drawn– Any filter combination – Various graph types

● Line, Bar, Dot, Square, Diamond

– More Colors

• Can be saved in wireshark Profile

WIRESHARK V2 Statistics IO Graph

31

• TCP– ACK

– dupACK

• For SMB

– Create

– Close REQ

– Close RSP

WIRESHARK V2 Related Packets

32

• Easy Navigation– Based on Coloring

Intelligent Scrollbar

33

• Throughput– rwin – cwnd– RTT

– Packet Loss

Statistics Stream Graph

34

• WindowScaling– rwin – cwnd– RTT

– Packet Loss

Statistics Stream Graph

35

• Throughput– rwin – cwnd– RTT

– Packet Loss

Statistics Stream Graph

36

• Throughput– rwin – cwnd– RTT

– Packet Loss

Statistics Stream Graph

37

• WindowScaling– rwin

Statistics Stream Graph

38

• SMB Performance– rwin – cwnd– RTT

– Packet Loss

Statistics IO Graph

39

# This file is automatically generated, DO NOT MODIFY."Enabled","Packets","ip","#8c3700","Impulse","Packets/s","","0""Enabled","Windowsize","ip.ttl<128","#fce94f","Dot","MAX(Y Field)","tcp.window_size","0""Enabled","inFlight","tcp.analysis.bytes_in_flight and ip.ttl==128 and !tcp.analysis.retransmission","#4e9a06","Dot","MAX(Y Field)","tcp.analysis.bytes_in_flight","0""Enabled","RTT","tcp.srcport==445 and tcp.analysis.ack_rtt < 0.3","#204a87","Line","MAX(Y Field)","tcp.analysis.ack_rtt","0""Enabled","GAP","tcp.options.sack_le","#fcaf3e","Bar","MAX(Y Field)","tcp.window_size","0""Enabled","DUPACKS","tcp.analysis.duplicate_ack","#fcaf3e","Impulse","MAX(Y Field)","tcp.window_size","0""Disabled","RXMIT"," tcp.dstport==445 and tcp.analysis.retransmission","#ef2929","Dot","MAX(Y Field)","tcp.analysis.bytes_in_flight","0""Disabled","Seq","tcp.dstport==20","#4e9a06","Impulse","MAX(Y Field)","tcp.seq","0""Disabled","Ack","tcp.srcport==20","#729fcf","Line","MAX(Y Field)","tcp.ack","0""Disabled","Outbound","ip.ttl==64","#2e3436","Impulse","Packets/s","","0""Disabled","inbound","!ip.ttl==64","#729fcf","Dot","Packets/s","","0"

Paragraph Copy 14

TCP Stream Graph - Stevens

40

Paragraph Copy 14

IO Graph – Bytes in Flight vs. Windowsize

41

Paragraph Copy 14

IO Graph – Bytes in Flight vs. Windowsize

42

Paragraph Copy 14

IO Graph – Bytes in Flight vs. Windowsize

43

Paragraph Copy 14

IO Graph – Bytes in Flight vs. Windowsize

44

Paragraph Copy 14

IO Graph – Bytes in Flight vs. Windowsize

45

1.3MB/s

2.6MB/s

Paragraph Copy 14

IO Graph – Bytes in Flight vs. Windowsize

46