Wireshark, Tcpdump and Network Performance Tools, by Sachidananda Sahu

Upload: sachidananda-sahu

Post on 21-Jan-2018


Page 1: Wireshark, Tcpdump and Network Performance tools

Wireshark, Tcpdump and Network Performance Tools

Sachidananda Sahu

Page 2: Wireshark, Tcpdump and Network Performance tools

AGENDA

• INTRODUCTION

• WHY AND HOW TO ANALYSE PACKETS?

• FUNDAMENTALS OF ANALYSING NETWORK PACKETS

• PACKET ANALYSIS TOOLS: TCPDUMP, TSHARK AND WIRESHARK

• WIRESHARK DESIGN FRAMEWORK

• ANALYZING PROTOCOL USING WIRESHARK

• FILTERS AND STATISTICS IN WIRESHARK

• FUNDAMENTALS OF MEASURING NETWORK PERFORMANCE

• NETWORK PERFORMANCE MEASUREMENT TOOLS: BMON, IPERF

• Q & A

• CONCLUSION

• REFERENCES

Radisys Corporation - CONFIDENTIAL

Page 3: Wireshark, Tcpdump and Network Performance tools

Introduction

• In the present era most devices are connected to the internet.

• They should be AVAILABLE always

• They should be RELIABLE always

• They should PERFORM better always

• Consider a simple home network

• Consider this real time complex network

• Think about the situation when there is a problem in one device.

• So we need some tools

• Which can help us debug, monitor and analyse the data.

• Which can also measure performance and give us statistical info.

Image Source: makeuseof.com

Image Source: afnog meet

Page 4: Wireshark, Tcpdump and Network Performance tools

Why and how to analyse packets?

Why analyse?

Analyze network problems

Detect intrusion attempts

Identify network misuse

Content monitoring

Bandwidth usage analysis

Gathering network status

How to analyse?

Sniff the packets

Analyze the Protocol/Packets

Monitor the Packets

Tools to analyse?

Tcpdump, Tshark, wireshark

Nagios, Splunk, Total Network Monitor

And many more …

Page 5: Wireshark, Tcpdump and Network Performance tools

Fundamentals of analyzing network packets

[Diagram labels: Switch, NIC, OS buffer, Application buffer, Disk]

Visualization of a packet in a system

Visualization of data at different layer

Places to analyze packet

Matryoshka doll

Page 6: Wireshark, Tcpdump and Network Performance tools

Packet Analysis Tools Common points

They act as protocol analyzers.

They understand the protocols and show us the traffic packet by packet.

They relate packets to each other to show the sequence of packets in an exchange.

They apply filters so we can analyze only the packets of interest.

Tcpdump

Unix-based command-line tool used to intercept packets.

Supports most protocols: tcp, udp, icmp and many more …

Tshark

Also a Unix-based command-line tool

Similar to tcpdump in behaviour and options

It also supports additional protocols and options

Wireshark

Graphical version of Tcpdump/Tshark.

Wireshark has both a Qt and a GTK version of its graphical interface.

Page 7: Wireshark, Tcpdump and Network Performance tools

Wireshark Design Framework

Wireshark Traffic Handling

Wireshark System Overview

Page 8: Wireshark, Tcpdump and Network Performance tools

For the love of Command Line …

Tcpdump/tshark options

-D: shows all available interfaces

-i <interface>

tcpdump -i any <protocolname>

-w <FileToWrite>

-r <ReadFromFile>

-Y <protocolname>

-c <No of packets>

-V: shows all information about the packets

capinfos <capture filename>

tcpdump -i <interface> host <ipaddress>

-q -z expert: shows expert-info packet statistics

-q -z expert,error

-q -z expert,hosts

-q -z io,stat,5

Page 9: Wireshark, Tcpdump and Network Performance tools

For the love of Graphical Interface …

Packet List Panel

Packet Details Panel

Packet Byte Panel

Packet Filter

Let's start Wireshark and see the packets you are sending and receiving on your system

Page 10: Wireshark, Tcpdump and Network Performance tools

Analyzing a TCP Based Application

Fields of interest

• Source IP

• Source Port

• Destination IP

• Destination Port

• Data Transmitted

Image Source: superuser.com

Page 11: Wireshark, Tcpdump and Network Performance tools

Wireshark Filters

Tools generally capture packets of all types (protocol/host/port etc.), most of which we are not interested in.

Filtering helps us capture or view only the packets of interest.

Capture Filter

Captures only the packets of interest; applied during the capture phase only.

Used to reduce the size of a raw packet capture.

A capture filter is nothing but what we do with tcpdump/tshark:

tcpdump <protocolname>

Capture->Capture Filters : Add/Delete or select predefined filters

host 192.168.10.2

tcp src port 9000

tcp port 9000 and not src host 192.168.10.2

Display Filter

Captures everything, but shows only the packets of interest; applied after capturing.

Used to hide some packets from the packet list.

A display filter can be applied at any time in the Wireshark GUI.

ip.addr == 192.168.10.2

tcp.port in { 80, 12000, 24 }

tcp.port == 80 || tcp.port == 12000 || tcp.port == 24

Page 12: Wireshark, Tcpdump and Network Performance tools

Wireshark Statistics

Wireshark provides a wide range of network statistics.

Number of captured packets in a session

Number of packets of a specific protocol (e.g. HTTP requests and responses) captured

Statistics -> Summary - overall summary of the packet capture

Statistics -> Protocol Hierarchy - breakdown of the various protocols

Statistics -> Conversations - list of each individual “conversation” between endpoints

Statistics -> Endpoints - list of source and destination addresses

Statistics -> Service Response Time - display the time between a request and its response

Statistics -> Flow Graph - shows the flow of traffic
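Slides 10 to 12 cover the fields of interest, display filters and the Conversations statistic. The script below is an added example, not code from the presentation or from Wireshark: it builds a constructed capture in memory using the classic little-endian libpcap layout with Ethernet framing (both assumptions), pulls the TCP 5-tuple out of every packet, applies a port filter equivalent to the display filter tcp.port in { 80, 12000, 24 }, and produces the per-conversation packet and byte counts Wireshark shows under Statistics -> Conversations.

```python
import struct
def ipv4_tcp_frame(src, sport, dst, dport, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame; checksums left zero, which is fine for parsing."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)  # EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,  # proto 6 = TCP
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp

def build_pcap(frames):
    """Wrap frames in a classic little-endian libpcap file, the format tcpdump -w writes."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for n, f in enumerate(frames):
        out += struct.pack("<IIII", n, 0, len(f), len(f)) + f  # ts_sec, ts_usec, caplen, len
    return out

def parse_pcap(data):
    """Yield (src, sport, dst, dport, payload_len) per TCP packet: slide 10's fields. Classic LE pcap only."""
    off = 24  # skip the global header
    while off + 16 <= len(data):
        caplen = struct.unpack("<I", data[off + 8:off + 12])[0]
        frame, off = data[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 over Ethernet, or not TCP
        # TCP segment runs from the end of the IP header (IHL) to the IP total length, so Ethernet padding is dropped
        tcp = frame[14 + (frame[14] & 0x0F) * 4:14 + struct.unpack("!H", frame[16:18])[0]]
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield (".".join(map(str, frame[26:30])), sport,
               ".".join(map(str, frame[30:34])), dport, len(tcp) - (tcp[12] >> 4) * 4)

def conversations(data, ports=None):
    """Statistics -> Conversations per endpoint pair; `ports` mimics tcp.port in { 80, 12000, 24 }."""
    stats = {}
    for src, sport, dst, dport, plen in parse_pcap(data):
        if not ports or sport in ports or dport in ports:
            key = tuple(sorted([(src, sport), (dst, dport)]))  # direction-independent, like Wireshark
            n, size = stats.get(key, (0, 0))
            stats[key] = (n + 1, size + plen)
    return stats

# Constructed sample capture (not real traffic): one HTTP exchange plus an SSH packet.
SAMPLE = build_pcap([
    ipv4_tcp_frame("192.168.10.2", 51000, "10.0.0.5", 80, b"GET / HTTP/1.1\r\n"),
    ipv4_tcp_frame("10.0.0.5", 80, "192.168.10.2", 51000, b"HTTP/1.1 200 OK\r\n"),
    ipv4_tcp_frame("192.168.10.2", 51001, "10.0.0.6", 22, b"SSH-2.0-x\r\n"),
])

if __name__ == "__main__":
    for (a, b), (n, size) in conversations(SAMPLE, ports={80, 12000, 24}).items():
        print(f"{a[0]}:{a[1]} <-> {b[0]}:{b[1]}  packets={n} payload_bytes={size}")
```

Feeding a real tcpdump -w file to parse_pcap works as long as it is a classic little-endian pcap with Ethernet link type; pcapng files (Wireshark's default save format) are not handled.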

Page 13: Wireshark, Tcpdump and Network Performance tools

Fundamentals of measuring network performance

It is the analysis and review of collective network statistics to define the quality of the services offered by the underlying computer network.

It helps to review, measure and improve the network services.

Broadly, network performance is measured by reviewing the statistics and metrics of the following parameters.

Speed

Bandwidth

Network Delay

Latency

Data Loss

Throughput

Page 14: Wireshark, Tcpdump and Network Performance tools

Fundamentals of measuring network performance …

Page 15: Wireshark, Tcpdump and Network Performance tools

Fundamentals of measuring network performance

Terms for network performance and monitoring

Speed - available circuitry data

Network bandwidth or capacity - available data transfer

Network throughput - amount of data successfully transferred over the network in a given time

Network delay, latency and jitter - any network issue causing packet transfer to be slower than usual

Data loss and network errors - packets dropped or lost in transmission and delivery

Packets per second - number of packets of data per second that can be processed before dropping data

Connections per second - rate at which a device can establish state parameters for new connections

Transactions per second - number of complete actions of a particular type that can be performed per second

Maximum concurrent connections per second - total number of sessions (connections) about which a device can maintain state simultaneously

Tools for measuring network performance and monitoring

bmon, iperf, iftop, vnstat, nload etc. … and more at http://www.slac.stanford.edu/xorg/nmtf/nmtf-tools.html

Page 16: Wireshark, Tcpdump and Network Performance tools

bmon

It's a text-based bandwidth monitor and rate estimator which captures bandwidth-related statistics and displays them visually on the command prompt.

Installing

sudo apt-get install bmon

Repo : https://github.com/tgraf/bmon

man bmon

Options

-p : specific interface

-r : read interval from source

-R : update rate per counter

Input modules

Netlink ,Proc ,Netstat

Output modules

Curses, Ascii, Format, Null

Usage

bmon -p eth0,eth1

bmon -p eth0 -R 5

bmon -p eth*,!eth2

Page 17: Wireshark, Tcpdump and Network Performance tools

iperf

It measures the bandwidth and the quality of a network link. Jperf does the same with an additional graphical interface.

It creates TCP, UDP and SCTP data streams with tunable parameters and gives an idea of the network's bandwidth, delay, jitter and data loss values.

The current version is iperf3

Source code: https://github.com/esnet/iperf

sudo apt-get install iperf3

Iperf3 options

-s server

-c client

-t test duration

-i periodic interval report

-f [kmKM] output format

-d, -r bi-directional bandwidths

-p Specific port number

-w TCP window size

-b bandwidth setting

-u set to udp

-M maximum segment size

-P parallel streams
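The terms defined on slide 15 (throughput, delay, jitter, loss) are exactly the figures an iperf3 -u run reports on the next slides. The function below is an added example, not code from the presentation or from iperf: it derives those figures from a constructed list of (sequence number, send time, receive time) triples, using the RFC 3550 interarrival jitter estimator; the datagram size, timings and the assumption that sequence numbers start at 0 are all part of the constructed input.

```python
def link_quality(received, payload_bytes):
    """Summarise a UDP test stream the way an iperf3 -u report does.

    received: list of (seq, sent_s, recv_s) for datagrams that arrived, in arrival order
    (constructed input; timestamps in seconds). Sequence numbers are assumed to start at 0.
    """
    if not received:
        raise ValueError("no datagrams received")
    # Without the sender's count, the highest sequence seen is the best estimate of what
    # was sent (iperf gets the true count from the sender; a trailing loss is invisible here).
    expected = max(seq for seq, _, _ in received) + 1
    lost = expected - len(received)
    # Throughput: bytes that actually arrived over the receive interval (slide 15's definition).
    duration = received[-1][2] - received[0][2]
    throughput_bps = len(received) * payload_bytes * 8 / duration if duration > 0 else 0.0
    # One-way delay needs synchronised clocks; jitter does not, because a constant clock
    # offset cancels out of the delay differences taken below.
    delays = [recv - sent for _, sent, recv in received]
    jitter = 0.0
    for prev, cur in zip(delays, delays[1:]):
        jitter += (abs(cur - prev) - jitter) / 16  # RFC 3550 section 6.4.1 running estimate
    return {
        "datagrams": expected,
        "lost": lost,
        "loss_pct": 100.0 * lost / expected,
        "throughput_mbit_s": throughput_bps / 1e6,
        "mean_delay_ms": 1000 * sum(delays) / len(delays),
        "jitter_ms": 1000 * jitter,
    }

# Constructed sample: 10 datagrams of 1470 bytes sent 1 ms apart; per-datagram one-way delay
# in ms, with None marking a datagram that never arrived (seq 4).
DELAYS_MS = [5, 5, 7, 5, None, 5, 5, 9, 5, 5]
SAMPLE = [(seq, seq / 1000, (seq + d) / 1000) for seq, d in enumerate(DELAYS_MS) if d is not None]

if __name__ == "__main__":
    for name, value in link_quality(SAMPLE, 1470).items():
        print(f"{name:>18}: {value:.3f}" if isinstance(value, float) else f"{name:>18}: {value}")
```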

Page 18: Wireshark, Tcpdump and Network Performance tools

Iperf usage

Usage

iperf3 -s

iperf3 -c <serverIp>

iperf3 -c <serverIp> -f K

iperf3 -c <serverIp> -r

iperf3 -c <serverIp> -d

iperf3 -c <serverIp> -t 15

iperf3 -c <serverIp> -i 2

iperf3 -c <serverIp> -w 1200

iperf3 -c 10.1.1.1 -P 2

iperf3 -s -p 8001

iperf3 -c <serverIp> -p 8001

iperf3 -c <serverIp> -u -b 1M

iperf3 -s

iperf3 -c <serverIp> -M 1300 -m

iperf3 -s -u

Page 19: Wireshark, Tcpdump and Network Performance tools

Q & A

Page 20: Wireshark, Tcpdump and Network Performance tools

Conclusion

Tools help us debug the network better.

Tools help us understand the problem.

Tools help us know the current performance.

Tools help us know about usage and utilization.

Tools help us know about any security issues present in the network.

Tools help us experiment with new network technologies.

Page 21: Wireshark, Tcpdump and Network Performance tools

References

www.wireshark.com

www.iperf.fr

https://www.tecmint.com/

http://www.cisco.com/c/en/us/about/security-center/network-performance-metrics.html

https://openmaniak.com/

SharkFest 2014, Andrew Brown

Man page of tcpdump, wireshark, bmon, iperf

Cliff Zou’s wireshark lecture

Rich Macfarlane’s Lab

Packet analysis using Wireshark by Lisa Bock, Pennsylvania College of Tech.

Wireshark 101 ppt By Ravi Bhoraskar & book by Laura Chappell

Some images and texts borrowed/stolen generously from all over the internet, and some personal experience …

Page 22: Wireshark, Tcpdump and Network Performance tools

Life is easy with wireshark …

Happy Wiresharking

Page 23: Wireshark, Tcpdump and Network Performance tools

Thank You