Many of us are familiar with the GUI version of Wireshark, but believe it or not there is also a slew of command-line utilities that ship alongside Wireshark and aid us in capturing and analyzing data. Let’s take a quick look at some of these tools.
- tshark – This is pretty much the CLI equivalent of Wireshark, allowing you to capture packets much like you would with tcpdump, specifying interfaces, filters, etc. It’s definitely worth taking the time to get familiar with tshark.
- dumpcap – This is another CLI equivalent of Wireshark; however, this utility writes directly to a file and is less feature-rich than its ‘tshark‘ equivalent. Think of this as the quick and dirty Wireshark: hop onto a system, initiate a dumpcap, and boom, you have your capture.
- mergecap – As the name implies, this tool allows you to merge multiple capture files into a single capture. Since Wireshark does have a limitation on processing large files, you also have the ability to truncate packets after so many bytes, similar to what we will do with editcap shortly.
- editcap – This is very nifty, allowing you to do many different things:
- Pick out specific time frames of a packet capture.
- Remove duplicate packets, in case you accidentally captured at multiple locations or fubar-ed your SPAN or TAP placements.
- Truncate packets after so many bytes. This is very handy in case you only want to look at packet headers.
In the example below I am taking an existing PCAPNG file and limiting every packet to 40 bytes in a new file, filter.pcapng. This decreases the file size, making it easier for Wireshark to process while still keeping the header information. 40 bytes is a bit much but hey, it gets the point across.
- capinfos – Provides detailed information about the packet capture in question.
- Average Packet Size
- Time stamp information
- Data rate or packet rate
In the GUI you can get most of this information from the ‘summary‘ -> ‘statistics‘ page, which I covered in a previous post, but the CLI version provides quick and easy access to this information without the need to even launch Wireshark.
Sample output from capinfos is below:
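To show what the editcap truncation above and the capinfos figures actually amount to, here is an added example (not code from the original post or from the Wireshark project) that does both by hand on a classic libpcap file image built inline; the three-frame capture, the 40-byte snaplen and the stat names are all constructed for the example.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic libpcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
GLOBAL_HDR = "<IHHiIII"          # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "<IIII"             # ts_sec, ts_usec, incl_len, orig_len

def build_pcap(packets, snaplen=65535):
    """Serialise (ts_sec, ts_usec, frame bytes) tuples into a pcap file image."""
    out = [struct.pack(GLOBAL_HDR, PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for sec, usec, data in packets:
        # incl_len = bytes stored in the file, orig_len = bytes seen on the wire
        out.append(struct.pack(RECORD_HDR, sec, usec, len(data), len(data)) + data)
    return b"".join(out)

def read_pcap(blob):
    """Yield (ts_sec, ts_usec, incl_len, orig_len, data) for every record."""
    magic = struct.unpack_from("<I", blob, 0)[0]
    if magic != PCAP_MAGIC:
        raise ValueError("only little-endian classic pcap is handled here")
    off = struct.calcsize(GLOBAL_HDR)
    while off < len(blob):
        sec, usec, incl, orig = struct.unpack_from(RECORD_HDR, blob, off)
        off += struct.calcsize(RECORD_HDR)
        yield sec, usec, incl, orig, blob[off:off + incl]
        off += incl

def truncate_pcap(blob, snaplen):
    """What `editcap -s <snaplen> in.pcap out.pcap` does: keep only the first
    snaplen bytes of each packet (headers survive, payload goes) while
    preserving orig_len so readers still know the real frame size."""
    fields = list(struct.unpack_from(GLOBAL_HDR, blob, 0))
    fields[5] = snaplen                      # advertise the new snaplen in the header
    out = [struct.pack(GLOBAL_HDR, *fields)]
    for sec, usec, _incl, orig, data in read_pcap(blob):
        kept = data[:snaplen]
        out.append(struct.pack(RECORD_HDR, sec, usec, len(kept), orig) + kept)
    return b"".join(out)

def capinfos(blob):
    """The capinfos-style figures the post lists, computed from orig_len so
    the numbers describe the wire, not the (possibly truncated) file."""
    recs = list(read_pcap(blob))
    n = len(recs)
    wire_bytes = sum(r[3] for r in recs)
    t = [r[0] + r[1] / 1_000_000 for r in recs]
    duration = t[-1] - t[0] if n > 1 else 0.0
    return {
        "packets": n,
        "avg_packet_size": wire_bytes / n if n else 0.0,
        "duration_s": duration,
        "bytes_per_s": wire_bytes / duration if duration else 0.0,
        "packets_per_s": n / duration if duration else 0.0,
    }

# Constructed sample capture (not real traffic): three frames, 0.5 s apart.
SAMPLE = build_pcap([(1000, 0, b"\xaa" * 60), (1000, 500000, b"\xbb" * 1514), (1001, 0, b"\xcc" * 200)])
```

`truncate_pcap(SAMPLE, 40)` shrinks the 1514-byte frame to 40 stored bytes yet `capinfos()` on the result still reports the same average packet size, because the wire length is kept in `orig_len`.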
Well, my first draft got lost in the cloud so let’s try this again!
The more you use Wireshark, and the more familiar you get with protocols and packet analysis, the quicker you realize what you need to look for. Luckily for us, if we know what we are looking for we can configure Wireshark to turn that needle in a haystack into a firework in the middle of Halloween. It does this by giving us the flexibility to control what information Wireshark displays to us and how Wireshark displays that information. The two most useful features we have are profiles and coloring rules; both are very powerful, and using them together allows you to take your analysis skills to the next level.
Profiles – Profiles give us the ability to control what information Wireshark displays to us, and how that information is displayed:
- Affecting the complete layout of the Wireshark display
- What columns are displayed in the Wireshark display
- Which coloring rules are in effect
Now that we know some of the ways profiles affect Wireshark, let’s consider a few good use cases for profiles. Below are a few profiles I have:
- Wired-VoIP – This profile calls out the DSCP field as a specific column to easily keep an eye on QoS markings.
- Remote-Site-VPN – Calls out specific columns for the DF bit, IP & TCP length, the More Fragments field, and more.
- Wired-Transaction-Time – Contains specific columns for relative time & absolute time, etc.
Those are just a few ways profiles can be leveraged, and remember it is easy enough to flip from one profile to the next. There is no need to even close the current capture or restart Wireshark. This allows you to quickly scroll through a single capture looking for key characteristics.
Coloring Rules – Coloring rules define how Wireshark displays the individual packets; it’s these same coloring rules that make retransmissions show up in red. It’s important to remember that coloring rules are matched from top to bottom against specific criteria found in the packet. Coloring rules are tied to specific profiles, so you definitely want to keep in mind what profile you are working under. Below are a few of my coloring rules:
- WLAN-RETRY-PACKET – This filter looks to see if the packet is a retransmission on the RF medium. Might be useful if you are troubleshooting a WLAN performance issue.
- FRAG-PACKET – This rule calls out any fragmented packets by keeping an eye on the ‘More Fragments’ bit. Could be a useful statistic if you are working on performance issues at remote IPsec VPN locations.
- Kerberos_MSG – This filter picks out any Kerberos-related packets, because sometimes when Windows says the login failed due to a network timeout it might really be due to a Kerberos authentication issue. (FYI: Kerberos type 30 messages are errors, so you can be a bit more specific with this filter if desired.)
- PC-1500-MTU – This filter actually matches on two packet fields. First we make sure the packet is a ‘SYN’ packet, and then we look to see if the TCP Maximum Segment Size is 1460, which is ideal for Ethernet networks. Similarly, there is also a coloring rule for when the PC advertises an MSS that is not 1460 (PCI-NOT-1500-MTU).
Those are just a few examples to show how powerful coloring rules can be: we can match on any field within the packet, regardless of whether it is the Layer 2 MAC address or a piece of data within the application payload. Not to mention we can match on multiple fields at the same time, talk about potential! The one thing I want to reiterate is that matching is top to bottom, so in this example when Wireshark finds a Kerberos message it will hit the first coloring rule and no other, even if it is a retransmission. That is just something to keep in mind.
You can verify why a coloring rule is in effect by looking at the ‘Frame’ portion of the packet:
From the above, you can see which coloring rule we hit and why we matched this specific coloring. Very useful in the event we ever need to troubleshoot our own coloring rules.
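Since the top-to-bottom point is the one that bites people, here is an added example (not code from the original post or from Wireshark itself) that parses rules written in the colorfilters file format Wireshark stores under a profile and applies first-match semantics to packets represented as dicts of dissected fields. The rule lines, their colours, the extra TCP-RETRANS rule and the packets are all constructed for the example; only the small `&&`/`==`/`!=` subset of display-filter syntax is evaluated.

```python
import re

# One line per rule: @name@display filter@[bg r,g,b][fg r,g,b]; a leading '!'
# means the rule is present but disabled.  Colours are 16-bit per channel.
LINE_RE = re.compile(r"^(!?)@([^@]+)@([^@]+)@\[\d+,\d+,\d+\]\[\d+,\d+,\d+\]$")
# A filter term is either a bare field (is it present?) or field ==/!= value.
TERM_RE = re.compile(r"^(?P<field>[\w.]+)\s*(?:(?P<op>==|!=)\s*(?P<value>\S+))?$")

# Constructed colorfilters content modelled on the rules described above
# (the last line is the "more specific" Kerberos error variant, left disabled).
COLORFILTERS = """\
@Kerberos_MSG@kerberos@[65535,65535,0][0,0,0]
@TCP-RETRANS@tcp.analysis.retransmission@[0,0,0][65535,24383,24383]
@WLAN-RETRY-PACKET@wlan.fc.retry == 1@[65535,0,0][65535,65535,65535]
@FRAG-PACKET@ip.flags.mf == 1@[0,65535,65535][0,0,0]
@PC-1500-MTU@tcp.flags.syn == 1 && tcp.options.mss_val == 1460@[0,65535,0][0,0,0]
@PCI-NOT-1500-MTU@tcp.flags.syn == 1 && tcp.options.mss_val != 1460@[65535,32768,0][0,0,0]
!@Kerberos-Error@kerberos.msg_type == 30@[65535,0,65535][0,0,0]
"""

def parse_colorfilters(text):
    """Return [(name, filter, enabled)] in file order; the order is significant."""
    rules = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rules.append((m.group(2), m.group(3), m.group(1) != "!"))
    return rules

def matches(filter_expr, packet):
    """Evaluate the '&&'-joined subset of display-filter syntax used above
    against a packet represented as a dict of field name -> value."""
    for term in filter_expr.split("&&"):
        m = TERM_RE.match(term.strip())
        if not m:
            raise ValueError("unsupported filter term: %r" % term)
        field, op, value = m.group("field"), m.group("op"), m.group("value")
        if field not in packet:          # absent field: bare and compared terms both fail
            return False
        if op == "==" and str(packet[field]) != value:
            return False
        if op == "!=" and str(packet[field]) == value:
            return False
    return True

def first_match(rules, packet):
    """Wireshark semantics: walk the enabled rules top to bottom, first hit wins."""
    for name, filt, enabled in rules:
        if enabled and matches(filt, packet):
            return name
    return None

def reorder(rules, name):
    """Move one rule to the top, the same as dragging it up in the GUI."""
    return [r for r in rules if r[0] == name] + [r for r in rules if r[0] != name]

# Constructed packets as dissected-field dicts (not real captures).
KERB_RETRANS = {"kerberos": True, "kerberos.msg_type": 30,
                "tcp.analysis.retransmission": True, "tcp.flags.syn": 0}
SYN_1460 = {"tcp.flags.syn": 1, "tcp.options.mss_val": 1460}
SYN_1380 = {"tcp.flags.syn": 1, "tcp.options.mss_val": 1380}
```

With the file as written, `first_match(rules, KERB_RETRANS)` returns `Kerberos_MSG` even though the packet is a retransmission; `reorder(rules, "TCP-RETRANS")` flips that, which is exactly the ordering effect described above.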
So, now that we have spent all this time creating profiles and coloring rules, how do we back them up or transfer them to another laptop/desktop? Well, all these configurations can be transferred and backed up by copying only a few folders. If you are running Windows 7, you’ll find this under AppData\Roaming\Wireshark for your specific Windows account.
It’s the Profiles folder we really want; once we take a look in there we see our specific profiles. Although you will probably be better off just copying the entire ‘Wireshark’ directory.
I wanted to start off by stating that Brocade broke one of the biggest barriers to getting involved with SDN and labbing out the technology. Brocade offers a free download of their Vyatta Controller! With this free download you can run a 5-node SDN network for one year, with 60 days of support included! This eliminates a huge obstacle, actually purchasing the software; sure, you may still require the hardware, but the Brocade SDN solution supports OpenDaylight/OpenFlow, so you do have many different hardware options.
Now that I have got that out of the way, my two favorite pieces of the Brocade presentation were: 1. The technical overview of the Vyatta controller and its architecture. It was great to see how the services overlay on each other and what makes it tick. Usually when it comes to some type of SDN solution it is presented as some type of application that does magic. In this case, however, Brocade definitely did their due diligence to cover how their controller actually functions. 2. The second thing I loved about this presentation was just how frank and up-front it was. My favorite quote of the whole presentation was “We know how to code, we went to school. We chose not to program we went into networking.” I can’t say how happy I was to hear someone actually say this! However, as was mentioned in the presentation, it appears to be a natural evolution of the field.
As the presentation continues, you really get a sense of how far along the Vyatta controller has come once the conversation steers towards volumetric traffic management. Having additional, built-in monitoring of the traffic flows with sFlow and OpenFlow, addressing a level of application performance management that many current-day data centers frankly do not even have in place today, just shows how grown up the tool is becoming. This is built upon again with the flexibility to handle elephant flows differently than other typical data flows. If you are not familiar with the term, elephant flows are just traffic flows that transfer a very high amount of traffic (i.e. something like backup traffic). I can’t tell you how few companies I’ve worked with in the past have actually taken these ‘elephant flows’ into account.
Now, I don’t want to ruin the whole presentation for you; if you have not watched it yet I highly recommend you give it a watch. There is also a great slide in there about Ivan! If you think SDN is still a mystery, it’s time to get that Vyatta controller downloaded and running! No more excuses!
You can download the Vyatta Controller here.
Brocade’s Networking Field Day #9 videos can be found here:
With Cisco Live US ( #CLUS ) 2015 slowly approaching, it’s becoming a popular topic and the question comes up, “Do you think it’s worth going to CLUS?”
Like most questions I answer, I start with “Well, it kind of depends what you are going for.” CLUS is a big event and there is plenty to do, so it is safe to assume you (more than likely) will not be able to do everything you want. I’ve spoken to a lot of people who are planning on going to Cisco Live and you can almost classify everyone into one of two categories:
- The technical person – Someone who loads up their schedule with the most in-depth technical sessions that interest them, and may also hang around the testing center to take advantage of the free exam and/or the 50% discount on exams during the conference. The Cisco Store is also more than likely on your list of places to hit; loading up on Cisco merchandise or Cisco Press at discounted prices is totally worth checking out. You might run through the World of Solutions to get some vendor swag, see what’s going on in the industry from some of the bigger vendors, and see what new products are hitting the market. More than likely you will be watching the clock, getting ready to run to your next session.
- Some other items on your list might be:
- Meet the Engineer – Is there some technology you really want to discuss in depth, or just discuss one-on-one with a Cisco engineer? Well, here is your chance!
- TAC Walk-In Clinic – Got some issue that has been bugging you or a burning technical question? Well, go chat with some TAC engineers; they are always more than willing to help.
- The social person – Your first stop is the Social Hub; what better way to start CLUS than with all your Twitter friends at the Tweet-Up. The certification lounge is a great pit stop for chatting about your certification studies, but the Social Hub is where it’s at, keeping track of the #CLUS hashtag, and you can even watch the keynotes from the cozy couches. By meeting so many people you quickly know where to hang out at night when the conference ends; there’s usually a party every night, you just need to know where to find it!
- Some other items on your list might be:
- The World of Solutions is your next favorite place. What’s more fun than a scavenger hunt? The #CLUS scavenger hunt!
- When the conference is over at the end of the day you don’t care, because you already know where everyone is heading.
Or… you can grab a few coffees in the morning and then a few espresso shots in WoS and try to do everything!! Like I do: 4 days of Cisco goodness, got to make the most of it!
No matter what reason you have for attending Cisco Live, you are destined to have a good time. Who’s looking forward to this year’s CLUS backpack and this year’s CAE hat?
If you have not registered, make sure you do! You can register here!
*There are way more than two types of people that attend CLUS, but for the sake of comic relief let’s say there are only two.
I first need to give a shout out to @_vCarly and her amazing skills at the whiteboard; I only wish my whiteboard designs were half as clean as that! If @_vCarly were to host a whiteboarding session at CLUS this year I would most likely attend!
I suppose we should discuss the actual presentation now! Like probably many of you, I have heard an awful lot about Cisco SDN and controllers (Cisco ACI); however, until now it has all been theory and hearsay. I can finally say I’ve seen the GUI and got to hear a deep dive on how this new architecture is supposed to work. Now that I have seen it I am a believer: there is a lot of potential here, and it allows us to rethink the way we consider designing data center networks. Here is why I think that:
- Building around the application – with this new design model we are almost forcing the application designers & server administrators to tell us how their servers/applications work and communicate on the network. I have spent a lot of time with app devs going over what their application does and what else the app communicates with in order to troubleshoot an issue. This approach removes much of that hassle without ever seeing the hassle. Future engineers might not know ‘the struggle’ of discovering an application via packet analysis and bridge calls.
- Deployment orchestration – by specifically calling out the application and the service chaining from the get-go, deploying a new application is much more streamlined and simplified in the long run, once internal processes are streamlined. This eliminates the time-consuming need to:
- Login to multiple networking devices to configure SVI’s & Trunks
- Login to multiple firewalls creating the appropriate rules.
- Login to Load balancers and creating devices pools, health monitoring, virtual servers, and so forth.
- Troubleshooting and flow monitoring – Out of the box this system will be watching flow statistics, so tracking traffic statistics can easily pinpoint packet loss and drops. That may mean bad news for some of the simpler NMS solutions out there unless they start looking beyond the typical Up/Down & interface utilization mantra.
- Something that was brought up on Twitter post-event was the support for SNMP, which is a great question since SNMP was never mentioned (in any of the SDN-related presentations, for that matter).
Now, with all that said, and the fact that Cisco ACI builds a data center around EPGs (End Point Groups), I really look forward to this new design architecture. It’s probably going to be a bit more tedious up front, since some applications will need to be called out specifically instead of going “Oh, that is a web server. Place it on this VLAN,” but in the long run this will streamline many different parts of data center operations.
Links to the Networking Field Day 9 presentations below:
How about that, 2 blog posts in one day! However, this is going to be a real quick post so it shouldn’t count, but hey, there is a picture so it’s legit! I caught wind of this announcement on Twitter late last night and just needed to put up a small post about it. Mainly because some time ago I posted about the EoS announcement for the traditional IPS modules, and I ended that blog post with the following question:
Well, that question has been answered. On 2/16/2015 Cisco announced the EoS / EoL timeline for the ASA-CX modules as well as the Cisco Prime Security Manager, which was the management tool for the CX modules, along with some basic management functionality for the Cisco ASA firewalls themselves.
Looks like the Official EoS date is 8/17/2015
With a final hardware support date of 8/31/202
You can view the full EoX timeline for the ASA-CX Module and PRSM here. The timeline is too large for me to grab in a single screenshot, so I figure a direct link is the next best thing.
One thing I really liked about SolarWinds was the fact they were the first vendor to start with a whiteboard discussion. Being a network engineer I am a big fan of drawing boxes and lines on a whiteboard. To me it is a more engaging way to give a presentation compared to pre-built PowerPoint slides with fancy sounds and motions.
SolarWinds initially started with an architecture overview of their product, covering each of their modules and how these modules are incorporated into the entire ecosystem. If you are not familiar with this I highly recommend starting with that session.
Now to talk about the new announcements from SolarWinds and the features that will be included in their newest releases.
1. Wireless Heat Map – I’ll admit (and this won’t be a surprise to any of my usual readers) I have been following this feature on the Thwack forums through the different betas for some time now, and it has really had my attention since the initial announcement. I was very curious to see how this would match up against other solutions such as MSE controllers and other site survey tools. While this feature might not be as fully featured as the previously mentioned solutions, this is a great addition to the SolarWinds arsenal and will definitely be useful for smaller shops that run WLANs. However, also keep in mind this is the first implementation of the functionality, and if SolarWinds has proven anything over the years it is that they take an idea and run with it!
2. QoE – Quality of Experience. This, in my opinion, is one of the greatest new features SolarWinds has added in a long time. A trend I have been seeing over the years is that network monitoring needs to go beyond the typical Up/Down & interface utilization model, especially with the adoption of 10G, 40G, & 100G infrastructure (and there are some multi-GB architectures getting thrown around nowadays too). It’s time to start monitoring more closely at the application level, and that is what SolarWinds is starting to do.
Now, there is definitely some thought that needs to go into the setup of this feature; SolarWinds has a few articles discussing it here:
Remember, one of the biggest factors of network monitoring is the perspective from which you are monitoring the network! Take into account where you deploy these QoE sensors and how you interpret the statistics!
3. LEM – SolarWinds also did a presentation of their Log & Event Viewer, which I found very useful. I’ve known about this product for a while; however, I was not quite sure how it stacks up against typical syslog collection. As it turns out, the SolarWinds LEM product is in a league of its own, touting itself as a full SIEM product. One thing that makes LEM a little unique is the fact that it is a completely separate & isolated product, not tied into any other SolarWinds product.
The Networking Field Day 9 SolarWinds presentations can be found here:
Also, I want to throw it out there: SolarWinds has a demo website where you can click around and explore many of their different modules. I highly recommend looking around if there is a module you are curious about. Found here: Oriondemo.Solarwinds.com