First we need to get a specific idea of the problem. Before we capture any data.
Define the problem
One app, multiple apps, everything ?
Slow or totally not working ? Any errors ?
When did the issue start ? Patches installed / updates ?
Intermittent or constant happens at peak times ?
Affects one or multiple people ?
Who, what, where, when and hopefully get to the why and resolution.
Capture close to the source of the data
If you can capture at both ends (make sure times are in sync NTP)
Problem with capturing from wireshark on the computer is that we are not seeing the data on the wire. winpcap sits in between the kernel and the NIC driver. So wireshark gets it before the NIC card. Ideally we want to see the data as it is on the wire. We can use a SPAN port for that.
Analyze - > expert info
Broadcasts storms are usually something broken, like a malfunctioning NIC and keeps firing out lots of traffic. Can be caused by no STP running and a loop has been created. Bad configuration like PIM running instead of PIM sparse mode.
Extract specific packets from a larger capture
Can mark packets with ctrl + M
Easier to use a display filter to get all packets we want (ip.addr == 192.168.1.100)
Then to file -> export specified packets
We can select the captured / displayed / marked from the radio buttons
Excessive requests and responses.
filter for arp (destination broadcast ff:ff:ff:ff:ff:ff:ff)
find the offending MAC addresses
map it to location on the network
shutdown the port or unplug the device
DNS
place the capture on the host trying to resolve DNS
Follow UDP steam
capture for tcp/udp port 53
Measure response time
expand DNS
find transaction ID
right click apply as filter selected
expand DNS
Response in: 14 (just double click it)
We will see Time: 0.04
Right click apply as a column (right click edit DNS TIME)
Capture filters
host 192.168.1.100 and host 192.168.2.200
Display filters
Find the syn packets
tcp.flags.syn == 1
Find dns packets
dns
Find dns packets with a string
dns contains "servername"
Find DNS lookups for a specific URL
dns.qry.name == "www.malware-url.com".
Find DNS queries that didn't return an answer
(!(dns.flags.rcode==0))&&(dns.flags.response==1)
Find by string
Edit > Find Packet. Under "Find By:" select "string" and enter your search string
frame contains "string"
http contains "GET"
(http) and (frame contains "CONNECT")
(http contains CONNECT) or (http contains GET)
Filter by IP
ip.addr==192.168.0.10
(ip.addr==192.168.0.10) or (ip.addr==192.168.0.50)
Filter by MAC
eth.addr ==xx
Show arp
arp
arp.duplicate-address-detected
Search the payload for text
frame contains "string"
TCP len column is useful to see if the packet had data.
We need to send acks and get acks for packets we sent
TCP we don't ACK every packet we might ack every other packet.
Checking if a re-transmission is the same packet or not
IP header -> IP ID
Some retransmissions can be normal, lots usually indicate a problem like we sent request but never hear anything back so retransmit. Can indicate packet duplication (network loop) check the ip header -> ID
0.375 = 375 ms
TCP re transmission with double the number and eventually time out
1 3 6
expert info is wireshark trying to help
right click copy as a filter
coloring rules (add it)
You can add rules to your wireshark config to look out for things
Headers
Ethernet (L2)14 bytes
IP4 (L3) 20 bytes
In the hex view each line has 16 bytes
You can count a bye in the hex b4 a8 (that's 2 bytes)
Standard MTU is usually 1500
Jumbo frame is 9000 (usually used for VMware/SAN)
