Discovering ways to subset traffic

Packet analysis is used for a variety of reasons, including troubleshooting, testing, monitoring, and baselining the network. We can reduce the capture before we begin our analysis by using a command-line tool such as TShark or Dumpcap, as covered in Chapter 2, Using Wireshark NG, or by using a capture filter, which is covered in Chapter 7, Using Display and Capture Filters. Once captured, the file can be shared with other members of the team for further analysis or to point out specific issues.

Ideally, a capture is just the right size and includes only the troublesome packets. However, that is not always the case. You may not set out to obtain a large packet capture, but you may still find yourself having to work with one, for reasons that include the following:

  • You may have obtained the capture from a network device with a large amount of traffic. Tapping into the network, even for a short time, can generate a huge number of packets. Even if you used a capture filter while obtaining the file, you may still end up with a large amount of data.
  • You may have received a file from someone with good intentions, who felt a large capture would help your analysis. For example, you may have received a large file from a co-worker that captured traffic off of the server, and they need your help in analyzing a specific problem.

Whatever method you've used to obtain the capture, you'll need to work with it in Wireshark. Keep in mind, Wireshark can load a large file, but it can be very resource-intensive and slow in responding, as Wireshark attempts to dissect all the protocols before displaying the capture. In addition, when you apply a display filter to a large capture, it will take a while to filter the traffic. As a result, the best option is to subset the capture and focus on the problem areas.

When we subset traffic, we break it down into smaller files for analysis. There are many ways to break down or subset traffic, including by IP address, by port number, by protocol, or even by TCP/UDP stream.

Together, we can examine ways of breaking apart a large file. One such capture that works exceptionally well is bigFlows.cap. You can download the file, open it in Wireshark, and follow along by going to http://tcpreplay.appneta.com/wiki/captures.html#bigflows-pcap.

Once you open bigFlows.cap, you can easily see how cumbersome it is to work with a large file. As shown in the following screenshot, this capture has 791,615 packets. Even when entering a simple display filter such as tcp, it will take time for Wireshark to rescan the capture and present the data. As shown in the lower left-hand corner of the following screenshot, Wireshark has a status bar that indicates the progress of the rescan:

Rescanning the capture

Depending on the system used to analyze the capture, it may run very slowly, freeze up, or even shut down Wireshark.

Once you have opened the file, you'll need to plan what data you want to subset. There are many ways to subset data, and it really depends on what you want to analyze. Let's look at a few ways to break down a large capture. First, we'll examine using an IP address to subset traffic.
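To show what subsetting by IP address actually does to the file, here is an added, standard-library Python example (not code from the book): it walks a classic little-endian pcap record by record, keeps only the frames whose IPv4 source or destination matches a chosen host, and reuses the original global header to produce a smaller pcap. The three-packet sample capture and the addresses in it are constructed for the example; on a real file such as bigFlows.cap you would hand the same selection to TShark with a display filter and the -w option instead.

```python
import struct
import ipaddress

PCAP_MAGIC_LE = 0xa1b2c3d4   # classic pcap, little-endian, microsecond timestamps
GLOBAL_HDR_LEN, RECORD_HDR_LEN, ETH_HDR_LEN = 24, 16, 14
ETHERTYPE_IPV4 = 0x0800

def iter_packets(data):
    """Yield (record header, frame bytes) for each record in a classic pcap."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC_LE:
        raise ValueError("only little-endian classic pcap is handled here")
    off = GLOBAL_HDR_LEN
    while off + RECORD_HDR_LEN <= len(data):
        incl_len = struct.unpack_from("<IIII", data, off)[2]  # captured length
        start = off + RECORD_HDR_LEN
        yield data[off:start], data[start:start + incl_len]
        off = start + incl_len

def packet_ips(frame):
    """Return (src, dst) strings of an Ethernet/IPv4 frame, or None for anything else."""
    if len(frame) < ETH_HDR_LEN + 20 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    # IPv4 source/destination sit at fixed offsets 12..20 of the IP header
    return str(ipaddress.IPv4Address(frame[26:30])), str(ipaddress.IPv4Address(frame[30:34]))

def subset_by_ip(data, host):
    """Return a new pcap (bytes) holding only the frames sent to or from host."""
    out = bytearray(data[:GLOBAL_HDR_LEN])  # reuse the original global header
    for rec_hdr, frame in iter_packets(data):
        ips = packet_ips(frame)
        if ips and host in ips:
            out += rec_hdr + frame
    return bytes(out)

def make_frame(src, dst):
    """Constructed sample data: a bare Ethernet + IPv4 header, no payload."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                             ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def make_pcap(frames):
    """Constructed sample data: wrap frames in a classic little-endian pcap."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames))

# Constructed three-packet capture: two frames involve 10.0.0.5, one does not
SAMPLE = make_pcap([make_frame("10.0.0.5", "192.0.2.10"),
                    make_frame("192.0.2.10", "10.0.0.5"),
                    make_frame("172.16.1.1", "192.0.2.10")])
```

Calling subset_by_ip(SAMPLE, "10.0.0.5") keeps two of the three records; the resulting bytes can be written straight to a .pcap file and opened in Wireshark.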
