Within Wireshark, there are numerous tools that help the analyst understand what is happening on the network. In this chapter, we'll first review some of the key elements found in the Statistics menu. So that you are aware of the many choices of built-in reports, we'll cover some general information and ways to assess the data found within a capture. We'll also discover several reports that help assess protocol effectiveness, along with a survey of basic graphs found in the Statistics menu.
We'll then focus on two main ways to visualize traffic, by using input/output (I/O) and Transmission Control Protocol (TCP) stream graphs. We'll explore how to create basic I/O graphs to help visualize network issues such as dropped connections, lost frames, and duplicate acknowledgments (ACKs). We'll then compare the four types of TCP stream graphs and learn how each of the graphs can lend insight into the health of the network.
This chapter will cover the following topics:
Within Wireshark, there are several ways to view data. Some of the data can be viewed in a numeric way, and some can provide a visual, in the form of a graphic. The Statistics menu has several ways to assess the health of your devices and network.
To view all of the choices, drop down the Statistics menu, as shown here:
In this section, we'll highlight some of the key features of the Statistics menu. We'll first take a look at general statistics and then move to ways we can evaluate protocol effectiveness. We'll then summarize by covering the different ways we can graph and visualize issues within a capture.
To follow along with a few examples, we will use bigFlows.pcap. To get a copy of the file, go to http://tcpreplay.appneta.com/wiki/captures.html#bigflows-pcap. Once there, download and open bigFlows.pcap in Wireshark.
Within the Statistics menu, there are several menu choices that provide general information about the capture, protocols, and conversations contained in a file.
Some examples include the following options:
Some of the information can provide a snapshot of the traffic on your network. For example, if we go to bigFlows.pcap and select Statistics | Packet Lengths, Wireshark will generate this report:
In addition to being able to view general statistics on traffic flowing across the network, Wireshark has several ways to assess the behavior of specific protocols.
Wireshark can dissect hundreds of protocols. In addition, the Statistics menu offers a variety of ways to analyze the effectiveness of several protocols.
One way to assess the health of the network is by viewing the Service Response Time of the different protocols interacting on the network. This menu choice offers a submenu of multiple protocols, as shown in the following screenshot:
When using this option, Wireshark will evaluate the time between a request and a response for a particular protocol. For example, to generate statistics on Server Message Block (SMB), return to bigFlows.pcap and select Statistics | Service Response Time | SMB, which will result in the following report:
The Statistics menu has many other options to evaluate protocols, including the following options:
The Statistics menu also has a UDP Multicast Streams report that provides the ability to monitor metrics for multicast User Datagram Protocol (UDP). This is a valuable tool, as multicast streams sometimes create bursty traffic that can interfere with the effectiveness of a device.
In addition, you can also view statistics for IP version 4 (IPv4) and IP version 6 (IPv6), as outlined in Chapter 18, Subsetting, Saving, and Exporting Captures.
One of the more impressive options in Wireshark is the ability to create graphs. Within the Statistics menu, you'll find several opportunities to generate a graph to showcase a data flow.
Using graphs to illustrate your point is powerful, as the visual can cut right to the core of the issue. In addition, using graphs instead of plain data will more easily engage your audience.
One type of graph you can use is a Flow Graph, which shows the data exchanged between hosts. To see an example of what you might see, go to bigFlows.pcap. In the display filter, enter udp.stream eq 22 and run the filter. Once complete, go to Statistics | Flow Graph. Wireshark will then display the graph. In the lower left-hand corner of the graph, select Limit to display filter, which will then display the following output:
Once run, the Flow Graph setting has several options to display the data or export the data in a variety of different formats, such as an image or a Portable Document Format (PDF) file.
Additionally, you can also run other graphs in the Statistics menu, as follows:
Either graph will help to provide a visual of common issues, such as dropped frames, duplicate ACKs, and interruptions in the data flow.
In the next section, we'll evaluate how to create a few basic I/O graphs so that we can visualize specific types of traffic while troubleshooting the network.
An I/O graph provides a way to analyze traffic flowing in both directions and can be created using a live capture or an existing trace file.
To generate graphs on a specific stream, return to bigFlows.pcap. In the display filter, enter tcp.stream eq 198 and run the filter. Once Wireshark presents the information, we'll reduce the file by going to File | Export Specified Packets…, which will bring up this window:
Make sure you have selected All Packets | Displayed, as shown in Figure 19.7. Then, save the file as Flow198.pcap.
Close bigFlows.pcap and then open Flow198.pcap, where we will see evidence of a congested network.
Within Flow198.pcap, you'll see several areas of concern, as the intelligent scroll bar is littered with black lines, which generally indicates signs of latency. By clicking on one of the black striped areas on the scroll bar, we see TCP DUP ACK (duplicate ACKs) and TCP Fast Retransmissions, as shown in the following screenshot:
Next, select the Expert Information icon, found on the lower left-hand side of the interface. Once there, narrow the focus by displaying only the Note section, as shown in the following screenshot:
Within the Note section, we see that Wireshark suspects that the following are contained within the capture:
All are indicative that the traffic is not moving as expected. Next, let's create a simple I/O graph of traffic that contains duplicate ACKs.
While in the Flow198.pcap file, enter tcp.analysis.duplicate_ack in the display filter, and then press Enter. Next, go to Statistics and select I/O Graph. Once run, Wireshark will automatically assume you would like to view a graph of the filtered capture and display the results as shown:
While in the I/O graph, you'll see several areas where you can modify the settings.
Across the top of the screen, you will see the generated graph. In the lower panel, you'll find a list of graphs and column headers that allow you to manipulate the way Wireshark presents the data. Below that, you will find an area where you can further configure the graph, along with providing the ability to add or remove an existing graph.
Let's start by reviewing the column headers as shown in an I/O graph.
For each graph, you can modify and/or view the field values, as described here:
In addition to the field values for each of the graphs, there is a section where you can add or remove graphs, along with completing other tasks.
Underneath the list of graphs, we see several options including the following:
Along with having the ability to modify the settings, there are additional options to explore as well. Options include adding a new graph, changing the appearance of a graph, or zooming in on a specific data point.
Once in a graph, you can manipulate the appearance, add more graphs, and/or move around to better visualize the data. To explore some of these options, return to the duplicate ACKs graph you created for Flow198.pcap, as shown in Figure 19.10, and complete the following actions:
Once the graph is active, you can modify the appearance by changing the style. For example, change the style of the All Packets graph to dots using the drop-down menu, as shown here:
After you are satisfied with the appearance, you can complete the following actions:
As with most options in Wireshark, you can save the graph in a variety of formats, such as an image or PDF file. In addition, once you have created a graph, Wireshark will save the results in your Configuration Profile settings, which can be exported so that you can share the graph with a co-worker.
As evidenced, there are a variety of ways we can view data with an I/O graph. In the next section, let's take a look at how we can create a TCP stream graph.
While an I/O graph provides the ability to visualize traffic flowing in both directions, there are times you want to focus on the traffic flowing in a single direction. That is where the value of TCP stream graphs come into play. The graphs will help provide ways to visualize the different streams in a capture.
To see what's available, go to Statistics | TCP Stream Graphs, as shown here:
Once in the TCP Stream Graphs submenu, you can see there are multiple choices. You can select any of the graphs, which will bring up a single window. Once in the window, you can select any one of the five choices.
Let's start with viewing time sequence graphs.
A time sequence graph will chart sequence numbers over time. When you first launch the graph, you will need to make sure you select the correct direction, as only one direction will be of value.
Within the TCP Stream Graphs submenu, you will see the following two choices:
Although they have a similar function, there are subtle differences. Either one will help you spot delays or interruptions in the data transfer.
When viewing a graph of sequence numbers over time, we should see a steady flow of data. In this section, we'll step through an example of a steady stream of data using a Stevens graph. We'll then use a tcptrace graph, a more complex option that can show selective ACKs (SACKs) within the graph.
So that you understand the difference, let's compare the two types, starting with a Stevens graph.
A Stevens graph allows us to view the sequence numbers over time on a single stream, using a simple format with no additional options.
To see an example, return to the Flow198.pcap file. Go to Statistics | TCP Stream Graphs | Time Sequence (Stevens), which will result in the following output:
Once in the graph, you will see the following elements, which correspond to the numbers indicated in Figure 19.15:
In addition to the Stevens graph, you can also run a tcptrace graph, which is similar, however presents different options when working with the graph.
A tcptrace graph is based on the TCP trace utility, which gathers traffic on a port and outputs the results.
Return to bigFlows.pcap. Once open, enter tcp.stream eq 634 in the display filter. Select Statistics | TCP Stream Graphs | Time / Sequence (tcptrace) from the menu. A graph will appear, as shown in the following screenshot:
Once in the graph, you will note how Wireshark keeps track of the following information:
In addition, along the bottom of the window, you will see a checkbox labeled Select SACKs. Let's step through the process of enabling this option.
During a three-way handshake, the client and server agree on the parameters of the conversation. In most cases, each side will include TCP options to further define the variables used during the data transfer. One of the options is requesting to use Select SACKs during the data exchange. When used, the server will keep sending data, even if it's not in the correct order. The client will notify the sender only if there are missing packets, which helps prevent the need for retransmissions.
To drill down on a group of SACKs, select zooms in the lower left-hand corner of the screen. Once selected, lasso the grouping of packets on the left-hand side of the screen, as shown in the following screenshot:
Alternate between zooms and drags with the mouse until you zero in on the following view:
After zooming in on the graph, you will see several vertical lines below the TCP segment line. This represents the SACKs within the capture.
Note
If you do not get the desired results, you can select Reset, as shown on the lower right-hand side of the screen in Figure 19.18.
Once you have drilled down, place your cursor on one of the lines. When you select a data point, Wireshark will mirror your selection so that you can drill down on a single packet. As shown in the following image, I placed my cursor on a SACK line. Below the graph, you can see the text Click to select packet 16479, as highlighted in the following screenshot:
Seeing a few SACKs is not uncommon; however, an excessive amount could mean trouble on the network. In addition, the receiving host will need to hold numerous segments within memory, which could result in the host bogging down or even crashing.
Along with providing the ability to view the transfer of data over time, another helpful tool is a throughput graph.
Throughput is how much data is sent and received (typically in bits per second, or bps) at any given time. In Wireshark, we can measure throughput as well as goodput, which is useful information that is transmitted.
Using bigFlows.pcap, enter tcp.stream eq 634 in the display filter. Then, select Statistics | TCP Stream Graph | Throughput, which will generate a graph, as shown in the following screenshot:
This single graph tells us a great deal about what is happening in this capture. Once generated, I selected all three options shown along the bottom of the screen in Figure 19.20. Within the screenshot, I have identified several aspects of the graph, as follows:
Another useful TCP stream graph is round-trip time (RTT), which is how long it takes to make a complete round trip from A to B, and then from B to A.
In an ideal world, the RTT will be steady, as outlined in Chapter 17, Determining Network Latency Issues, in the Grasping latency, throughput, and packet loss section. However, that is not always the case.
To view an RTT graph, return to the Flow198.pcap file. Select Statistics | TCP Stream Graph | Round Trip Time, which will generate a graph like the one shown here:
Once in the graph, you can view the data using either RTT by Sequence Number or RTT by Time. In this case, I used RTT by Time, which is the default. Within the graph we see the following elements:
To see the variance in this packet capture, zoom in on the beginning of the graph, as follows:
Once you zoom in, switch to drags and examine the variation in the RTT. In addition, you can also move the graph or zero in on a specific packet.
Next, let's investigate how we can visualize a window scaling graph.
During the exchange of data, each endpoint continuously advertises a window size (WS) value (in bytes) that indicates how much data they can accept. Window scaling is a value that expands the stated WS by providing a multiplier that more accurately reflects the true WS.
Return to bigFlows.pcap and enter tcp.stream eq 634 in the display filter. Select Statistics | TCP Stream Graph | Window Scaling, as shown here:
This graph tells a few things about this capture. I selected both options shown along the bottom of the graph, as outlined here:
After the peak in the Bytes Out line, we see a flattening of both the Rcv Win and Bytes Out line. This generally means that the receiver has not adjusted the WS and is easily able to accept a continuous stream of data.
This graph can be useful if you are experiencing bottlenecks. For example, you can monitor the receive window of a server to help you assess if the value is shrinking, growing, or staying the same over time.
Wireshark has a number of useful tools and graphs that help network administrators visualize what's happening on the network, at any given time, using a variety of methods. In this chapter, we began with an overview of various options in the Statistics menu, such as general information on the packet capture, protocol hierarchy, and the ability to assess the health of numerous protocols.
We then investigated I/O graphs and learned how to utilize different filters and expressions, create differently colored graphs, and view several graphs concurrently. Additionally, we evaluated the power of using a TCP stream graph. By using examples, we first evaluated a time sequence graph and compared the differences between a Stevens and a tcptrace graph. We then summarized by learning the value of determining throughput, assessing RTT, and monitoring window scaling.
In the next chapter, you will discover CloudShark (CS), an online packet analysis tool with which you can view captures in your browser, from anywhere there is internet access. We'll cover the benefits of using CS to share and analyze packet captures with your team. You'll get a good understanding of the filters, graphs, and analysis tools included within CS. In addition, we'll take a look at the many online repositories in order to locate sample captures, to enhance our packet analysis skills.
Now, it's time to check your knowledge. Select the best response to the following questions and then check your answers, which can be found in the Assessment appendix:
18.116.62.168