Nov 23, 2011

37 Tips For Using Wireshark

Yesterday I talked about an alternative to Wireshark made by Microsoft, Network Monitor. What if you're still on the Wireshark bandwagon, though, and don't want to give it up? After all, it is probably the best-known packet sniffer/network analyzer out there, right? Well, I've got something for you, or rather Wireshark University does: their list of 37 tips and tricks for getting the most out of Wireshark, including the steps for each one.

I thought I would re-post it here as an aid for you guys, but also as a sort of knowledge base for myself. If there is something I had a hard time fixing, or finding on the internet, I like to post it here on Bauer-Power. I'm sort of self-serving that way I guess. Anyway, here it is:

Tip #36: Download Pre-Made Profiles
At www.wiresharkbook.com you can download a set of pre-made profiles and numerous trace files. These files accompany the new Wireshark Network Analysis book, which is becoming widely available on Amazon (you can also get it here). The book website also includes a "Coffee and a Quickie" section with six short videos that walk you through adapter testing, catching the first set of packets, and now setting up profiles using predefined elements. Watch the video for step-by-step instructions on using a pre-made coloring rule set in your own profiles.


Tip #35: Color Your WLAN Traffic
In the "Introduction to WLAN Analysis" chapter of Wireshark Network Analysis, I introduced one of my favorite filter sets for WLAN traffic: coloring rules that filter on the frequency of the WLAN traffic. For example, here are six coloring filter examples:

Tip #34: Running Multiple Versions of Wireshark
During last week's online training course, I had two versions of Wireshark running side by side: on the left the 1.2.6 release version and on the right the 1.3.3 development version. This allowed me to demonstrate numerous features that had changed and will be coming with version 1.4. To install multiple versions of Wireshark, go through the standard installation process for the second version, but make sure you place it in a different directory. You don't need to reinstall any interface drivers (unless they are out of date).

Tip #33: Change Those Defaults!
When I look at someone's Wireshark configuration, I always recommend changing the default settings for both "Filter display max list entries" and "Open Recent max list entries" in Edit | Preferences | User Interface. Why only see the last 10 items when you can easily view the last 30? I'm always re-opening trace files and accessing previously created display filters that I didn't save. Make this change today and work more efficiently!

Tip #32: Compare Traffic in a Single Summary Window
You can compare one conversation to another in a single summary. Open a trace with multiple conversations in it. Filter on one conversation and select Edit | Mark all packets. Clear your filter. Now filter on another conversation. Select Statistics | Summary and you should see three columns: all traffic, the marked traffic (conversation #1) and the filtered traffic (conversation #2).

Tip #31: Graph Ugly Traffic - Fast!
One of my favorite filters is tcp.analysis.flags. All those ugly TCP problems (retransmissions, duplicate ACKs, lost packets, etc.) jump out at you. Did you know you could plot these instances in an IO graph? It's simple: start a capture, open Statistics | IO Graphs and enter tcp.analysis.flags in the filter area for the red graph. I recommend the Fbar format for this item. You'll end up with a nice graph showing when TCP issues rise and fall on the network.

Tip #30: Set up GeoIP to Map IP Addresses
Before you can take advantage of this feature, you need to ensure your version of Wireshark supports GeoIP (Help > About Wireshark: do you see "with GeoIP"?). The GeoIP database files are free from MaxMind (www.maxmind.com/app/ip-location; grab the Free/Open Source files). Point to the MaxMind files in Preferences > Name Resolution > GeoIP database directories. Want to watch a video of the setup and use of GeoIP? Check this out!

Tip #29: Keeping up with Wireshark
At 5:34pm PST, the Tweet screamed "Wireshark 1.2.4 is out. Enjoy". Another update so fast? Yup. Two ugly bugs are fixed in this rev: 4120 (can't save RTP streams in both directions) and 4155 (Wireshark could crash on startup on Windows). How do you keep up with releases? Follow geraldcombs on Twitter or subscribe to the Wireshark Announcements list at www.wireshark.org/lists/.

Tip #28: Gerald's Launch Tips
The Wireshark website was revised recently; you can catch Gerald Combs' video on Custom Wireshark Shortcuts here. Also note that typing wireshark -h at the command line lists the other available options for quick launch.

Tip #27: File Sets and Editcap - Yeah Baby!
Creating and using file sets allows you to capture large amounts of traffic and move quickly from one portion to another (set this up in the Capture Options). In previous versions of Wireshark you could use editcap to split a large trace into multiple smaller trace files using the -c parameter, but the new files were not part of a file set; they had to be opened and treated as separate files. Now, with editcap v1.2.3, you can split a file into multiple files that can be opened as a file set (File > File Set). VERY NICE!

Tip #26: Wireshark on Windows 7
On October 26th, Wireshark v1.2.3 was released. Although this version addressed numerous bug fixes, the big change is support for Windows 7 with the updated WinPcap version 4.1.1, which was released separately at www.winpcap.org on October 20th (the previous version of WinPcap, 4.1, came out on October 19th but had some installer bugs that were fixed in the next-day 4.1.1 release). This version of Wireshark+WinPcap also supports Vista, Server 2008 and Server 2008 R2. Get the latest version at www.wireshark.org/download.

Tip #25: WLAN Decryption Modes
When decrypting WLAN traffic using an AirPcap adapter with Wireshark, define the Decryption Mode as Wireshark, not Driver. In Driver mode you can only decrypt WEP traffic (with the decryption keys defined). In Wireshark mode you can decrypt WEP, WPA-PWD and WPA-PSK. WPA-PWD mode uses the passphrase and the SSID to derive the raw pre-shared key (the WPA-PSK). In WPA-PSK mode, the key is parsed as a raw pre-shared key; you can create your own raw key using Wireshark's WPA PSK Generator at www.wireshark.org/tools/wpa-psk. Note that, whichever key form you enter, Wireshark can only decrypt a station's traffic if the capture also contains that station's EAPOL four-way handshake, since the per-session keys are derived from it.
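What WPA-PWD mode and the online generator actually compute, as an added example (not code from the original post or from Wireshark): the standard IEEE 802.11i derivation, PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 256-bit output. It also formats the two key strings Wireshark accepts in its 802.11 preferences, and checks the 802.11i length limits on passphrase and SSID first. The reference vector in the main block comes from the standard's annex.

```python
"""Turn a WPA passphrase and SSID into the raw pre-shared key.

Added example, not code from the original post or from Wireshark. It performs
the standard derivation (IEEE 802.11i: PBKDF2-HMAC-SHA1, 4096 iterations,
256-bit output) that Wireshark's WPA-PWD mode and the online WPA PSK
generator both perform, and formats the two key strings Wireshark accepts."""
import hashlib


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Return the 32-byte PSK; enforce the 802.11i length limits first."""
    pw = passphrase.encode("ascii")          # a WPA passphrase is ASCII only
    if not 8 <= len(pw) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 ASCII characters")
    ssid_b = ssid.encode("utf-8")
    if not 1 <= len(ssid_b) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", pw, ssid_b, 4096, dklen=32)


def wpa_pwd_entry(passphrase: str, ssid: str) -> str:
    """Key string for Wireshark's wpa-pwd entry: passphrase and SSID, unhashed."""
    return f"wpa-pwd:{passphrase}:{ssid}"


def wpa_psk_entry(passphrase: str, ssid: str) -> str:
    """Equivalent wpa-psk entry: the derived key as 64 hex digits."""
    return "wpa-psk:" + wpa_psk(passphrase, ssid).hex()


if __name__ == "__main__":
    # Test vector from IEEE 802.11i Annex H: passphrase "password", SSID "IEEE"
    print(wpa_pwd_entry("password", "IEEE"))
    print(wpa_psk_entry("password", "IEEE"))
```

The two entries are interchangeable for decryption; the wpa-psk form is the one to use when the passphrase must not sit in a preferences file, and the derivation is slow by design (4096 HMAC rounds), which is also why offline dictionary attacks on a captured handshake are rate-limited by compute rather than by the network.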

Tip #24: Removing Duplicate Packets
Use editcap to remove duplicate packets in a trace file. There are three options for duplicate removal. For example, if your trace file is called dupes.pcap, run editcap -d dupes.pcap nodupes.pcap. The -d option uses a duplicate window of 5, which means editcap compares the length and MD5 hash of each packet against the 4 packets preceding it. You can change the window with -D #, where # is the window size (each packet is compared against the #-1 packets before it). You can also use -w # to define the window in time instead: each packet is compared against the earlier packets that arrived within # seconds of it.

Tip #23: Link Aggregation
Got a server with two NICs and need to tap in to capture traffic on both interfaces? In this case you might be interested in a link aggregator. A link aggregator allows you to connect multiple links into the tap; this is a different technology from "aggregating tap" technology. Aggregating tap technology combines full-duplex traffic into a single outbound stream so you can listen in with one device.

Tip #22: Finding RTP
If you are analyzing VoIP communications and you pick up only the RTP (Realtime Transport Protocol) traffic, but not the SIP traffic that set up the call, Wireshark may just dump you at UDP and not apply the RTP dissector to the traffic. No worries. Just right-click on one of those UDP packets and select Decode As. Under the Transport tab you will see the ports in use by the RTP communications. To the right, scroll down to select RTP and click OK. See www.chappellseminars.com this week for more information on VoIP analysis and the Summit 09 event. UPDATE BY BILL DEWEESE: Another option is to enable the RTP preference "Try to decode RTP outside of conversations"!

Tip #21: Use Wireshark Expressions
If you want to build a filter but you don't know the field name and have no packet to use as an example, click on the Expression button (to the right of the Display Filter area). In the Expression window you can expand protocols and applications to build filters using relations such as "is present", ==, !=, "contains" or "matches".

Tip #20: WLAN Retry Packets
When a WLAN ACK is not received, a retry will be triggered. Why would an ACK not be received? Low signal strength, interference, noise... those might be some of the reasons. To create a filter for all retried WLAN frames, expand the Flags field under the Frame Control section of the 802.11 header. Right-click on the Retry bit and select Apply as Filter > Selected. Ensure your filter is looking for a bit setting of 1 (indicating the frame is a retry). The filter should be wlan.fc.retry == 1.

Tip #19: Sorting Filters
At Open Source World I needled Gerald about this ability. You can't just click on the filters to sort them. Sigh. So here's the trick I use. I open the filter file in a text editor, copy the text to Word and then sort the list. You can locate your filter files by selecting Help > About > Folders; look for the Personal Configuration information. To make things line up nicely, add spaces in front of your display filter names, for example "       TCP RST Packets" (notice the leading spaces within the quotes; I don't add the leading spaces for titles when I group filters). If you ordered the Wireshark Jumpstart Plus Bonus course, you received my pre-formatted, sorted filters.

Tip #18: Exporting IO Data for External Graphing
Recently, someone posed a question on Twitter: "How can we export the Wireshark bits per second information so we can manipulate it in Excel or another spreadsheet program?" Easy! Select Statistics > IO Graphs. Change the Y Axis to Bits/Tick and click the Copy button. Wireshark copies the header ("interval start, graph 1") and the X, Y coordinates of the plot points to the clipboard in comma-separated value format. Paste the data into a CSV file to open in another program. If you want to compare one user's traffic to all the traffic seen, apply an ip.addr==x.x.x.x filter for Graph 2. Select the Graph 1 and Graph 2 columns from your CSV file to plot the data. Now you can build your own graphic images of the traffic, add trend lines and apply standard plotting functions to the data.

Tip #17: Subnet Filters
Wireshark understands CIDR (classless inter-domain routing) address definitions. If you want to create a display filter for all devices whose network address starts with 10.3, use the syntax ip.addr==10.3.0.0/16. The "16" indicates how many of the leading bits should be matched in the address. Use CIDR definitions when filtering on a subnet. Remember that ip.addr tests both the source and the destination address, so to exclude a subnet write !(ip.addr==10.3.0.0/16) rather than ip.addr!=10.3.0.0/16; the latter matches any packet in which either address is outside the subnet, which is nearly everything.
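The subnet filter and its negation trap, as an added example that is not Wireshark code: a small evaluator over constructed (source, destination) pairs, built on Python's ipaddress module, that reproduces the rule that ip.addr is tested against both addresses in a packet. The frame numbers and addresses are made up for the demonstration.

```python
"""What ip.addr == 10.3.0.0/16 actually selects, and the negation trap that
goes with it. Added example, not Wireshark code: a small evaluator over
constructed (source, destination) pairs, using the ipaddress module, that
reproduces the rule that ip.addr tests both addresses in a packet."""
from ipaddress import ip_address, ip_network

# Constructed sample traffic: (frame number, source, destination)
PACKETS = [
    (1, "10.3.1.10", "8.8.8.8"),      # inside -> outside
    (2, "8.8.8.8", "10.3.1.10"),      # outside -> inside
    (3, "10.3.1.10", "10.3.2.20"),    # both inside
    (4, "10.4.0.5", "192.0.2.1"),     # neither inside
]


def ip_addr_eq(net, src, dst):
    """ip.addr == net: true when EITHER address falls in the subnet."""
    n = ip_network(net, strict=False)      # strict=False accepts 10.3.1.5/16 too
    return ip_address(src) in n or ip_address(dst) in n


def ip_addr_ne(net, src, dst):
    """ip.addr != net as Wireshark evaluated it before 3.6: true when EITHER
    address is outside the subnet, which is not the complement of ip_addr_eq."""
    n = ip_network(net, strict=False)
    return ip_address(src) not in n or ip_address(dst) not in n


def not_ip_addr_eq(net, src, dst):
    """!(ip.addr == net): true only when NEITHER address is in the subnet."""
    return not ip_addr_eq(net, src, dst)


def select(predicate, net, packets=PACKETS):
    """Frame numbers the display filter would keep."""
    return [num for num, src, dst in packets if predicate(net, src, dst)]


if __name__ == "__main__":
    print("ip.addr == 10.3.0.0/16    ->", select(ip_addr_eq, "10.3.0.0/16"))
    print("ip.addr != 10.3.0.0/16    ->", select(ip_addr_ne, "10.3.0.0/16"))
    print("!(ip.addr == 10.3.0.0/16) ->", select(not_ip_addr_eq, "10.3.0.0/16"))
```

Frame 4 is the only one with no address in 10.3/16, yet ip.addr != 10.3.0.0/16 keeps frames 1, 2 and 4 because one side of each is outside the subnet. Wireshark 3.6 changed != to mean the same as !(a == b) and moved the old any-not-equal behaviour to the ~= operator; on the 1.x versions this page discusses the parenthesised form is the only safe way to exclude a subnet.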

Tip #16: DHCP Filters
At the time of writing, the display filter syntax dhcp does not work. To filter on DHCP traffic you need to use the syntax bootp: DHCP is derived from BOOTP, carries a BOOTP header, and Wireshark's dissector is named accordingly. This trips up many Wireshark users who are new to creating display filters, so watch out. (Wireshark 3.0 later renamed the dissector, so on current versions the display filter is dhcp and the old bootp.* fields survive only as aliases.) Likewise, you cannot use "dhcp" as a capture filter; create a capture filter for port 67 or port 68 instead. In the recorded version of the Wireshark Jumpstart class, I added a Bonus section that includes my favorite capture/display/color filters. One of my capture filters is a passive discovery filter that looks for arp or port 67 or port 68.

Tip #15: Filtering for Illegal Ping Packets
Many network discovery tools and OS fingerprinting tools (such as Nmap, NetScanTools and Xprobe) send out illegally formed pings (ICMP Echo Request packets) that can be used to identify the application in use. The display filter to find these strange packets is icmp.type==8 && !icmp.code==0. This is covered in the Bonus materials added at the end of the recorded Wireshark Jumpstart course that will be announced today at chappellseminars.com.

Tip #14: Merging Trace Files
So you've captured two (or more) trace files on different interfaces or from different hosts running Wireshark. To merge these trace files together you can use the command-line tool Mergecap (in the Wireshark program directory) or select File > Merge in Wireshark. By default the files are merged according to their packet timestamps. Use the -a parameter to concatenate them in the order you list the files instead.

Tip #13: Sign of a Bot-Infected Host
When a host is bot-infected and planning to connect via IRC to the C&C (Command and Control) server, you might see a DNS query for that C&C server's name. Check out sick-client.pcap: look at the DNS reply for bbjj.househot.com, notice the CNAME (canonical name, or alias) entry in the DNS response field, and look at how many IP addresses are associated with that name. Not the typical DNS response you'd expect, and a sign that the host being located may be a malicious one... watch for this. Video: "Analyzing a Bot-Infected Host"

Tip #12: Wireshark's Status Bar
The Wireshark status bar is located below the main Wireshark working area. In Wireshark v1.2 we now have an Expert Info Composite button on the far left side; its color changes to indicate the highest Expert level that has been detected (grey = no Expert Info; red = Errors; yellow = Warnings; light blue = Notes). While capturing, the left side of the status bar indicates which adapter Wireshark is capturing from, the file location and file name of the current capture, the size of the file and, after you stop the capture, the time elapsed. In the center of the status bar, Wireshark displays the number of packets captured, displayed (useful if you have applied a display filter), marked and dropped (dropped packets are a clear sign that Wireshark is not keeping up with traffic rates). The right side of the status bar indicates the profile in use. You can adjust the size of the three areas of the status bar for better viewing by clicking and dragging the column separator. Many people leave the profile information at minimum size so they can see the entire directory/file name of their capturing/captured trace.

Tip #11: "Fast Retransmissions"
What is the difference between a retransmission and a fast retransmission? If you've worked with the Expert Info Composite window, you have likely seen both at times. Right now, fast retransmissions are placed under the Warnings tab and retransmissions are placed under the Notes tab. Both are true retransmissions, but if the retransmission arrives within 20 ms of a duplicate ACK it is defined as a "fast retransmission". Not all retransmissions are triggered by duplicate ACKs, however. Sometimes you'll see retransmissions that are triggered by a timeout on the sender's side as it waits for an ACK for data sent. We treat both retransmissions and fast retransmissions as a sign of packet loss.

Tip #10: New Time Column
In Tip 9 you learned how to change the time column to see large gaps between packets. But what if you want to see both the default time setting and the delta time setting? Make sure the current time column is set to View > Time Display Format > Seconds Since Beginning of Capture. Next, in Wireshark v1.2, select Edit > Preferences > Columns > Add. Click on New Column and give your column the name "Delta". (Click on the word "number" to the right or the name will not stay; this is a bug.) In the Properties area, click the arrow at the right of the Format field. Select "Delta" and click OK. You might want to move this time column up next to the other time column (in v1.2, just click and drag the column up). Now you always have both the Relative and Delta time columns available.

Tip #9: Best Time Setting for Troubleshooting
When users complain about poor network performance, capture their traffic (from as close to their systems as possible so you get round trip time values from their perspective). Set the Time column to show you the time from one packet to the next by selecting View > Time Display Format > Seconds Since Previously Displayed Packet. Now you can sort this column to see where there are large gaps in time in the trace file. Watch a demo (MP4-4MB).

Tip #8: Tshark Interface Selection
Tshark is the command-line capture tool that comes with Wireshark (look in the Wireshark program directory and consider adding this directory to your path so you can run Tshark from your trace file directory). Type tshark -D (must be a capital "D") to view the interface list. If you want to capture traffic on the third interface listed, you would use tshark -i 3 (the -i parameter indicates the interface number you want to capture on). Watch a demo (MP4-5MB).

POWER USER Tip #7: Terabyte Tshark Captures
Special thanks to John Bullock for this hot tip!
"Run tshark as a service with something like this in the registry: c:\program files\wireshark\tshark.exe -i 3 -b filesize:100000 -b files:8800 -n -w d:\pktcap\wan.cap. With terabyte drives so cheap, I decided to put a machine on the uplink for each of our networks that keeps a rolling capture of the last 800G or so of traffic. So, now when a security system barks at me, I can go find the packets and investigate."

Tip #6: Packet Loss Location
Wondering if the original TCP packet and the retransmission are both sitting in that slop of a trace file? In the details pane of the TCP retransmission packet, expand the TCP header and right-click on the Sequence Number field. Select Apply as Filter > Selected. The filter syntax is tcp.seq == [number]. If you see both the original packet AND the retransmission, you are upstream (closer to the sender) of the point of packet loss: the original made it past your capture point and was dropped somewhere downstream, closer to the receiver. If you see only the retransmission, the original packet was lost before it ever reached you, so the point of packet loss is upstream of your capture point, between the sender and you.
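Both of the retransmission tips (this one and Tip #11) applied to a constructed capture, as an added example that is not Wireshark's TCP analysis code: a simplified detector over a one-direction TCP exchange that reports, for each retransmitted segment, whether the original is in the trace (and hence where the loss point is relative to the capture point) and whether the retransmission came within 20 ms of duplicate ACKs. The frame numbers, timings and sequence numbers are made up; the "at least two dup ACKs" rule is a simplification of Wireshark's.

```python
"""Locate the packet-loss point relative to your capture point (Tip #6) and
tell fast retransmissions from ordinary ones (Tip #11). Added example, not
Wireshark's TCP analysis code: a simplified detector over a constructed,
one-direction TCP exchange (data from the sender, ACKs from the receiver)."""

FAST_WINDOW = 0.020   # seconds: the 20 ms rule quoted in Tip #11

# Constructed capture. ("data", frame, time, seq, length) is a sender segment,
# ("ack", frame, time, ack) an acknowledgement from the receiver.
EVENTS = [
    ("data", 1, 0.000, 1, 100),
    ("data", 2, 0.001, 101, 100),    # we see this one; it is lost after our tap
    ("data", 3, 0.002, 201, 100),
    ("ack", 4, 0.010, 101),          # receiver has seq 1..100
    ("ack", 5, 0.011, 101),          # dup ACK 1: seq 201 arrived, 101 did not
    ("ack", 6, 0.012, 101),          # dup ACK 2
    ("ack", 7, 0.013, 101),          # dup ACK 3
    ("data", 8, 0.020, 101, 100),    # retransmission 7 ms after the last dup ACK
    ("ack", 9, 0.030, 301),
    # seq 301 was sent but never reached our tap: lost between sender and us
    ("data", 10, 0.100, 401, 100),
    ("ack", 11, 0.110, 301),         # dup ACK 1 for 301
    ("ack", 12, 0.111, 301),         # dup ACK 2
    ("data", 13, 0.400, 301, 100),   # timeout-driven retransmission, original absent
]


def analyze(events):
    """Return one finding per retransmitted segment.

    A data segment is a retransmission when its seq is below the next expected
    seq (later data has already been seen). Its original is in the trace if an
    earlier data segment carried the same seq (what tcp.seq == N shows), which
    puts the loss downstream of the capture point; otherwise the original was
    lost before it reached us. 'Fast' means at least two dup ACKs for that seq
    preceded it by no more than FAST_WINDOW seconds."""
    next_seq = None
    seen = {}                # seq -> frame of the first data segment with that seq
    last_ack, dup_count, last_dup_t = None, 0, None
    findings = []
    for ev in events:
        if ev[0] == "ack":
            _, frame, t, ack = ev
            if ack == last_ack:
                dup_count, last_dup_t = dup_count + 1, t
            else:
                last_ack, dup_count, last_dup_t = ack, 0, None
            continue
        _, frame, t, seq, length = ev
        if next_seq is not None and seq < next_seq:
            original = seen.get(seq)
            fast = (seq == last_ack and dup_count >= 2
                    and last_dup_t is not None and t - last_dup_t <= FAST_WINDOW)
            findings.append({
                "frame": frame,
                "seq": seq,
                "kind": "fast retransmission" if fast else "retransmission",
                "original_frame": original,
                "loss_point": ("downstream of capture point (closer to the receiver)"
                               if original else
                               "upstream of capture point (closer to the sender)"),
            })
            continue
        seen.setdefault(seq, frame)
        next_seq = seq + length
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

Frame 8 comes out as a fast retransmission whose original (frame 2) is present, so that loss happened downstream of the tap; frame 13 is a plain timeout retransmission with no original in the trace, so that segment was dropped before it reached the tap. Moving the capture point toward the sender or receiver and repeating the check is how you bracket a lossy hop.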

Tip #5: Signatures
Always look at the payload of ICMP Echo Request (ping) packets to see if there is a signature for the application sending the ICMP Echo Request. In pingsigs.pcap we see the alphabet-only-up-to-w signature used by MS Windows hosts and, in packet 9, we see the Sniffer ping tool signature, which is a nod to its creator, Cinco.
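The two ping checks from Tips #15 and #5 in code, as an added example that is not from the original post or from any of the tools it names: parse an ICMP Echo Request, flag a non-zero code (the icmp.type==8 && !icmp.code==0 filter), recognise the Windows payload signature the post describes, and verify the ICMP checksum as an extra sanity test that also catches malformed probes. The sample packets are constructed in the block; the only signature it knows is the Windows alphabet, since the Sniffer signature's bytes are not given on the page.

```python
"""Inspect ICMP Echo Requests for the two things Tips #15 and #5 look for:
a non-zero code (display filter icmp.type == 8 && !icmp.code == 0) and a
recognisable payload signature. Added example, not from the original post or
from any of the tools it names; the packets are constructed here. The Windows
signature is the one the post describes (the alphabet a..w, repeated); the
checksum test is an extra sanity check that also catches malformed packets."""
import struct

ALPHABET = b"abcdefghijklmnopqrstuvw"      # Windows ping cycles through a..w
WINDOWS_DEFAULT = (ALPHABET * 2)[:32]      # "abcdefghijklmnopqrstuvwabcdefghi"


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(code=0, ident=0x1234, seq=1, payload=WINDOWS_DEFAULT) -> bytes:
    """Build an ICMP Echo Request (type 8) with a correct checksum."""
    hdr = struct.pack("!BBHHH", 8, code, 0, ident, seq)
    return struct.pack("!BBHHH", 8, code, icmp_checksum(hdr + payload), ident, seq) + payload


def payload_signature(payload: bytes) -> str:
    """Name the sender when the payload matches a known pattern."""
    reps = len(payload) // len(ALPHABET) + 1
    if payload and payload == (ALPHABET * reps)[:len(payload)]:
        return "windows-ping"
    return "unknown"


def analyze_echo(pkt: bytes) -> dict:
    """Mirror the tips' checks for one ICMP message."""
    if len(pkt) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    payload = pkt[8:]
    return {
        "echo_request": icmp_type == 8,
        "illegal_code": icmp_type == 8 and code != 0,   # icmp.type==8 && !icmp.code==0
        "checksum_ok": icmp_checksum(pkt) == 0,         # a valid message sums to zero
        "signature": payload_signature(payload),
        "payload_len": len(payload),
    }


def suspicious(packets):
    """Indices of packets a scanner-hunting analyst would pull out."""
    flagged = []
    for i, p in enumerate(packets):
        r = analyze_echo(p)
        if r["illegal_code"] or not r["checksum_ok"]:
            flagged.append(i)
    return flagged


# Constructed samples: a normal Windows ping, a probe with a bogus code,
# and a Windows ping with one payload byte corrupted in transit.
SAMPLES = [
    build_echo(),
    build_echo(code=9, payload=bytes(56)),
    build_echo()[:20] + b"X" + build_echo()[21:],
]

if __name__ == "__main__":
    for i, p in enumerate(SAMPLES):
        print(i, analyze_echo(p))
    print("flagged:", suspicious(SAMPLES))
```

Keep the checksum test in your own triage: a fingerprinting tool that hand-builds ICMP may get the code wrong, but a packet that fails the checksum is either corrupted or deliberately crafted, and neither belongs in a "normal ping" bucket.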

Tip #4: Accelerator Key
Use Ctrl+down arrow when you have selected a packet in the detail pane and want to scroll 
through several packets while keeping the focus in the detail pane.

Tip #3: File Sets
In the Capture Options window, save to multiple files. Just open one of the files and now use 
File > File Set > List Files to quickly move between them.

Tip #2: Splitting Trace Files
To split a large trace file into multiple files, use editcap -c [number of packets per file] <infile> <outfile>. For example, editcap -c 10000 fattrace.pcap smaller.pcap will split fattrace.pcap into trace files containing 10,000 packets each (or fewer in the last file of the set) with names starting with smaller.pcap. The file number is appended as -00000, -00001, -00002, etc. after the .pcap extension.
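The three file-manipulation tips (editcap duplicate removal in Tip #24, mergecap merging in Tip #14, and the editcap split above) modelled in one added example. This is not the tools' own source: it reads and writes classic pcap files itself, then reproduces each operation over two constructed captures written to a temporary directory, so you can see exactly which packets a packet window, a time window, a timestamp merge and a count split keep. The window in dedup() slides over input packets, including ones already dropped.

```python
"""Pure-Python models of the editcap and mergecap operations in Tips #24, #14
and #2: duplicate removal by packet window (editcap -d / -D) or time window
(editcap -w), timestamp-ordered merging (mergecap's default) and splitting by
packet count (editcap -c). Added example, not the tools' own source: it reads
and writes classic pcap files, and the captures it works on are constructed."""
import hashlib
import struct
import tempfile
from pathlib import Path

PCAP_HDR = struct.Struct("<IHHiIII")   # magic, major, minor, tz, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")       # ts_sec, ts_usec, incl_len, orig_len


def read_pcap(path):
    """Return (linktype, [(timestamp, frame), ...]) from a classic pcap file."""
    data = Path(path).read_bytes()
    magic, _, _, _, _, _, linktype = PCAP_HDR.unpack_from(data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap files are handled here")
    pkts, off = [], PCAP_HDR.size
    while off < len(data):
        sec, usec, incl, _ = REC_HDR.unpack_from(data, off)
        off += REC_HDR.size
        pkts.append((sec + usec / 1e6, data[off:off + incl]))
        off += incl
    return linktype, pkts


def write_pcap(path, pkts, linktype=1):
    """Write (timestamp, frame) pairs as a classic pcap (linktype 1 = Ethernet)."""
    out = bytearray(PCAP_HDR.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
    for ts, frame in pkts:
        sec = int(ts)
        out += REC_HDR.pack(sec, int(round((ts - sec) * 1e6)), len(frame), len(frame))
        out += frame
    Path(path).write_bytes(out)


def dedup(pkts, window=5, time_window=None):
    """editcap -d/-D: drop a packet whose length and MD5 match one of the
    previous window-1 input packets (dropped packets still occupy a slot in
    the window). With time_window set (editcap -w) compare instead against
    every earlier packet that arrived within that many seconds."""
    kept, history = [], []                 # history: (ts, fingerprint) per input packet
    for ts, frame in pkts:
        fp = (len(frame), hashlib.md5(frame).digest())
        if time_window is None:
            candidates = history[-(window - 1):] if window > 1 else []
        else:
            candidates = [h for h in history if ts - h[0] <= time_window]
        history.append((ts, fp))
        if any(h[1] == fp for h in candidates):
            continue                       # duplicate: drop it
        kept.append((ts, frame))
    return kept


def merge_by_time(*captures):
    """mergecap's default: interleave inputs by timestamp (stable sort keeps
    each file's own order for identical timestamps)."""
    return sorted((p for cap in captures for p in cap), key=lambda p: p[0])


def split_by_count(pkts, per_file):
    """editcap -c: chunks of per_file packets; the last chunk may be shorter."""
    return [pkts[i:i + per_file] for i in range(0, len(pkts), per_file)]


def demo():
    """Write two constructed captures to a temp dir, read them back, run each tool."""
    frame = lambda tag: b"\xff" * 12 + b"\x08\x00" + tag      # minimal fake Ethernet frame
    cap_a = [(100.000, frame(b"A1")), (100.001, frame(b"A1")),  # exact duplicate 1 ms later
             (100.300, frame(b"A2")), (100.500, frame(b"A3")),
             (100.700, frame(b"A4")), (100.900, frame(b"A5")),
             (104.000, frame(b"A1"))]                           # same bytes again, 4 s later
    cap_b = [(100.250, frame(b"B1")), (100.750, frame(b"B2"))]
    tags = lambda pkts: [f[-2:] for _, f in pkts]
    with tempfile.TemporaryDirectory() as tmp:
        write_pcap(Path(tmp) / "a.pcap", cap_a)
        write_pcap(Path(tmp) / "b.pcap", cap_b)
        _, a = read_pcap(Path(tmp) / "a.pcap")
        _, b = read_pcap(Path(tmp) / "b.pcap")
    return {
        "dedup_window5": tags(dedup(a)),               # last A1 is 6 packets back: kept
        "dedup_1s": tags(dedup(a, time_window=1.0)),   # last A1 is 4 s later: kept
        "dedup_5s": tags(dedup(a, time_window=5.0)),   # now it is caught
        "merged": tags(merge_by_time(a, b)),
        "split_4": [len(c) for c in split_by_count(merge_by_time(a, b), 4)],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The point of the three dedup runs is the one that bites in practice: a repeated frame that is far enough back in the capture (or far enough back in time) slips through the default 5-packet window, so when you are removing SPAN-port duplicates or tap-plus-span overlap, size -D or -w to the real spacing between copies rather than trusting -d. Note that fingerprints include the whole frame, so two legitimate packets with identical bytes (a repeated ARP request, a keep-alive) are also "duplicates" to editcap.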

Tip #1: Capture Filter
Create a "Not Me" capture filter to ensure your own traffic isn't captured when analyzing other devices' traffic. Use the syntax not ether host 00:21:97:40:74:d2 (with your own MAC address, of course). Also consider making a "Just Me" capture filter to view only your traffic when analyzing an application on your own system.

Tip #0: Free Wireshark Live Online Seminars
You like tips? Check online at www.chappellseminars.com to register for the free Wireshark 
live online seminar.

Got any other sites with interesting tips for Wireshark to help out us n00bs? Hit us up in the comments!

[Via Wireshark University]
