Archive for March 2015
Well, my first draft got lost in the cloud so let’s try this again!
The more you use Wireshark and the more familiar you get with protocols and packet analysis, the quicker you realize what you need to look for. Luckily for us, if we know what we are looking for we can configure Wireshark to turn that needle in a haystack into a firework in the middle of Halloween night. It does this by giving us the flexibility to control what information Wireshark displays to us and how Wireshark displays that information. The two most useful features we have are profiles and coloring rules. Both are very powerful features, and using them together allows you to take your analysis skills to the next level.
Profiles – Profiles give us the ability to control what information Wireshark displays to us, and how the information is displayed.
- Affecting the complete layout of the Wireshark display
- What columns are displayed in the Wireshark display
- Which coloring rules are in effect
Now that we know some of the ways profiles affect Wireshark, let's consider a few good use cases for profiles. Below are a few profiles I have.
- Wired-VoIP – This profile will call out the DSCP field as specific column to easily keep an eye on QoS marking.
- Remote-Site-VPN – Calls out specific columns for the DF bit, IP and TCP length, and the More Fragments field.
- Wired-Transaction-Time – Contains specific columns for relative time & absolute time, etc.
Those are just a few ways profiles can be leveraged, and remember it is easy enough to flip from one profile to the next. There is no need to even close the current capture or restart Wireshark. This allows you to quickly scroll through a single capture looking for key characteristics.
Coloring Rules – These coloring rules define how Wireshark displays the individual packets; it's these same coloring rules that make retransmissions show up in red. It's important to remember that coloring rules are matched from top to bottom, and they match on specific criteria found in the packet. These coloring rules are tied to specific profiles, so you definitely want to keep in mind what profile you are working under. Below are a few of my coloring rules:
- WLAN-RETYU-PACKET – This filter looks to see if the packet is a retransmission on the RF medium. Might be useful if you are troubleshooting a WLAN performance issue.
- FRAG-PACKET – This rule calls out any fragmented packets by keeping an eye on the 'More Fragments' bit. Could be a useful statistic if you are working on performance issues in remote IPsec VPN locations.
- Kerberos_MSG – This filter actually picks out any Kerberos-related packets, because sometimes when Windows says the login failed due to a network timeout it might really be due to a Kerberos authentication issue. (FYI: Kerberos type 30 messages are errors, so you can be a bit more specific with this filter if desired.)
- PC-1500-MTU – This filter actually matches on two packet fields. First we make sure the packet is a 'SYN' packet, and then we look to see if the TCP Maximum Segment Size is 1460, which is ideal for Ethernet networks. Similarly, there is also a coloring rule for when the PC advertises an MSS that is not 1460 (PCI-NOT-1500-MTU).
Those are just a few examples to show how powerful the coloring rules can be. We can match on any field within the packet, regardless of whether it is the Layer 2 MAC address or a piece of data within the application payload. Not to mention we can match on multiple fields at the same time; talk about potential! The only thing I want to reiterate is that the matching is top to bottom, so in this example when Wireshark finds a Kerberos message it will hit the first coloring rule and no other, even if it is a retransmission. That is just something to keep in mind.
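To make the top-to-bottom caveat concrete, here is an added example (my own code, not from the original post or from Wireshark) that simulates first-match coloring-rule evaluation over a few constructed packets and renders the same rules in the `@name@filter@[fg][bg]` line format that Wireshark keeps in the `colorfilters` file inside each profile directory. The rule names are the post's; the display filter strings, the 16-bit RGB colors and the sample packet dicts are my assumptions, and the packets are hand-built rather than read from a capture.

```python
"""Added example (not the post's code): first-match coloring-rule evaluation,
plus a writer for Wireshark's per-profile 'colorfilters' line format.

Assumptions (mine, not the post's): packets are plain dicts keyed by Wireshark
field names; in a real capture those values come from the dissectors."""

from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Packet = Dict[str, object]
RGB16 = Tuple[int, int, int]  # colorfilters stores 16-bit channel values (0..65535)


@dataclass
class ColoringRule:
    name: str
    display_filter: str                 # the filter string Wireshark would evaluate
    matches: Callable[[Packet], bool]   # same test, evaluated over our dicts
    fg: RGB16 = (0, 0, 0)
    bg: RGB16 = (65535, 65535, 65535)


# Rules in the order the post describes them. Order is the whole point: Wireshark
# stops at the first match, so Kerberos_MSG wins over WLAN-RETYU-PACKET even for a
# Kerberos frame that is also an RF retransmission. Swapping the two lines flips that.
RULES: List[ColoringRule] = [
    ColoringRule("Kerberos_MSG", "kerberos",           # narrow to errors with: kerberos.msg_type == 30
                 lambda p: "kerberos" in p, bg=(65535, 65535, 0)),
    ColoringRule("WLAN-RETYU-PACKET", "wlan.fc.retry == 1",
                 lambda p: p.get("wlan.fc.retry") == 1, bg=(65535, 40000, 40000)),
    ColoringRule("FRAG-PACKET", "ip.flags.mf == 1",
                 lambda p: p.get("ip.flags.mf") == 1, bg=(40000, 65535, 65535)),
    ColoringRule("PC-1500-MTU", "tcp.flags.syn == 1 && tcp.options.mss_val == 1460",
                 lambda p: p.get("tcp.flags.syn") == 1 and p.get("tcp.options.mss_val") == 1460,
                 bg=(40000, 65535, 40000)),
    ColoringRule("PCI-NOT-1500-MTU", "tcp.flags.syn == 1 && tcp.options.mss_val != 1460",
                 # a SYN without an MSS option matches neither MTU rule, same as in Wireshark
                 lambda p: p.get("tcp.flags.syn") == 1
                 and p.get("tcp.options.mss_val") not in (None, 1460),
                 bg=(65535, 50000, 0)),
]


def color_packet(packet: Packet, rules: List[ColoringRule] = RULES) -> Optional[str]:
    """Name of the first rule that matches (top to bottom), or None if no rule applies."""
    for rule in rules:
        if rule.matches(packet):
            return rule.name
    return None


def all_matching_rules(packet: Packet, rules: List[ColoringRule] = RULES) -> List[str]:
    """Every rule that *would* match: shows which later rules are being shadowed."""
    return [r.name for r in rules if r.matches(packet)]


def to_colorfilters_line(rule: ColoringRule) -> str:
    """One line in colorfilters format: @name@filter@[fg_r,fg_g,fg_b][bg_r,bg_g,bg_b]."""
    fg = ",".join(str(c) for c in rule.fg)
    bg = ",".join(str(c) for c in rule.bg)
    return f"@{rule.name}@{rule.display_filter}@[{fg}][{bg}]"


def render_colorfilters(rules: List[ColoringRule] = RULES) -> str:
    """Full file body, rules in priority order, ready to drop into a profile directory."""
    return "\n".join(to_colorfilters_line(r) for r in rules) + "\n"


# Constructed sample packets (not from a real capture).
SAMPLE_PACKETS: Dict[str, Packet] = {
    "kerb_retry": {"kerberos": True, "kerberos.msg_type": 30, "wlan.fc.retry": 1},
    "wlan_retry": {"wlan.fc.retry": 1},
    "frag":       {"ip.flags.mf": 1},
    "syn_1460":   {"tcp.flags.syn": 1, "tcp.options.mss_val": 1460},
    "syn_1380":   {"tcp.flags.syn": 1, "tcp.options.mss_val": 1380},
    "plain_ack":  {"tcp.flags.syn": 0},
}

if __name__ == "__main__":
    for label, pkt in SAMPLE_PACKETS.items():
        print(f"{label:10} -> {color_packet(pkt)}  (all candidates: {all_matching_rules(pkt)})")
    print(render_colorfilters(), end="")
```

When a rule you expect never seems to fire, `all_matching_rules` is the quick way to see which earlier rule is shadowing it; in Wireshark itself the same answer is in the Frame section of the packet details, which records the name and filter string of the rule that actually won, as the post describes a little further down.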
You can verify why a coloring rule is in effect by looking at the 'Frame' portion of the packet:
From the above, you can see which coloring rule we hit and why we matched this specific coloring. Very useful in the event we ever need to troubleshoot our own coloring rules.
So, now that we have spent all this time creating profiles and coloring rules, how do we back them up or transfer them to another laptop or desktop? Well, all these configurations can be transferred and backed up by copying only a few folders. If you are running Windows 7, you'll find them under AppData\Roaming\Wireshark for your specific Windows account.
It's the Profiles folder we really want; once we take a look in there we see our specific profiles. Although you will probably be better off just copying the entire 'Wireshark' directory.
I wanted to start off by stating that Brocade broke one of the biggest barriers to getting involved with SDN and labbing out the technology: Brocade offers a free download of their Vyatta Controller! With this free download you can run a 5-node SDN network for one year, with 60 days of support included! This eliminates the huge obstacle of actually purchasing the software. Sure, you may still require the hardware, but the Brocade SDN solution supports OpenDaylight/OpenFlow, so you have many different hardware options.
Now that I have that out of the way, my two favorite pieces of the Brocade presentation were: 1. The technical overview of the Vyatta controller and its architecture. It was great to see how the services overlay on each other and what makes it tick. Usually when it comes to some type of SDN solution it's presented as some type of application that does magic. In this case, however, Brocade definitely did their due diligence to cover how their controller actually functions. 2. The second thing I loved about this presentation was just how frank and up-front it was. My favorite quote of the whole presentation was "We know how to code, we went to school. We chose not to program; we went into networking." I can't say how happy I was to hear someone actually say this! However, as was mentioned in the presentation, it appears to be a natural evolution of the field.
As the presentation continues, you really get a sense of how far along the Vyatta controller has come once the conversation steers towards volumetric traffic management. Having additional, built-in monitoring of the traffic flows with sFlow and OpenFlow, addressing a level of application performance management that many current-day data centers frankly do not even have in place today, just shows how grown up the tool is becoming. This is built upon again with the flexibility to handle elephant flows differently than other typical data flows. If you are not familiar with the term, elephant flows are just traffic flows that transfer a very high amount of traffic (i.e., something like backup traffic). I can't tell you how few companies I've worked with in the past have actually taken these 'elephant flows' into account.
Now, I don't want to ruin the whole presentation for you; if you have not watched it yet I highly recommend you give it a watch. There's also a great slide in there about Ivan! If you think SDN is still a mystery, it's time to get that Vyatta controller downloaded and running! No more excuses!
You can download the Vyatta Controller here.
Brocade’s Networking Field Day #9 videos can be found here: