How to track network problems with Wireshark
Find bad software, hardware and users before it's too late
By Michael Scalisi | PC World | Published: 11:35, 14 January 2010
Ethernet networks can run remarkably well for long periods of time, lulling IT admins into a false sense of security. Unfortunately, disaster can strike at any time, and to the under-equipped, network issues can be downright debilitating.
Some of the most serious network problems include broadcast storms, in which a defective or misconfigured network device floods the network with traffic. Broadcast storms tend to amplify themselves until they completely shut down your network, which is bad. Another common threat is a malware-infected computer, which can send a barrage of email or attempt to replicate to computers on your LAN or across the internet. An infected computer can slow down internet traffic and put you on bad terms with your ISP.
And sometimes a single user can use so much bandwidth that it affects other users on the network. Perhaps they’re using peer-to-peer file sharing software, consuming excessive streaming audio or video, or just downloading lots of large files.
Fully understanding everything that's happening on your Ethernet network is truly a herculean task, but with a couple of basic tools and some common sense, it’s possible for a jack-of-all-trades IT person to track down these basic problems.
One network tool that every IT person should know about is Wireshark (previously Ethereal). Wireshark is a free, open-source network packet analyser that captures network packets and displays detailed packet data. It’s a very cool tool, and it will give you a newfound respect for just how much and how varied the data traversing your Cat 5e cable is.
When first launching Wireshark, it’s easy to become intimidated. It’s extremely powerful and offers a myriad of options. However, there are only a few basics that you need to know before you begin.
First, you need to know what traffic you’re actually monitoring. Back in the day when hubs were common, all traffic was transmitted to all ports. As you can imagine, that didn’t scale very well. Switches are a refinement of hubs in that they learn the hardware (MAC) addresses associated with each port and only forward relevant traffic between ports. This means that if you just plug the computer running Wireshark into any available switch port, you’ll only be able to see traffic to and from your own computer, plus broadcast/multicast traffic. Interesting, but not always useful.
In order to examine traffic on an Ethernet port other than the one your computer is plugged into, you need to mirror your ports. Port mirroring is a feature on managed switches that allows traffic from one or more ports to be mirrored onto an alternate port for the purpose of monitoring. Depending on the situation, you may want to mirror all ports on a switch or just one relevant one (like the port your Internet connection is plugged into). You’ll need to consult the documentation for your particular switch, but on my 24-port Netgear switch, I was able to mirror the necessary ports using a simple browser interface.
After installing and launching Wireshark, you’ll want to capture some network traffic. Click on Capture, and then Options. Select the correct interface, and click on Start. Once you have an idea of what kind of traffic you’re looking for, you can use the filters feature to capture specific packet types or omit specific traffic types. On the Options menu, you can also specify the amount of time or amount of data you want Wireshark to capture before stopping. This is useful because if Wireshark runs for an extended period of time, the capture files can become unmanageably large. Click Start, and you’ll see traffic flowing in real time. If you haven’t configured an automatic stop, stop Wireshark when you’ve captured as much data as you want.
The challenge now is figuring out what to do with all this data. If you’re looking for something that’s bringing your network to a halt, the key task is to pinpoint the source of the traffic. One way to do this is to go to Statistics and then Conversations. Click the IPv4 tab, and from here you can sort by a number of columns, including Bytes. You can use this figure to pinpoint a computer that’s generating an inordinate amount of traffic. If you’re looking for a particular type of traffic, you can click on Analyse, then Enabled Protocols, and check only the specific protocols you’re trying to locate.
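The Conversations > IPv4 table sorted by Bytes is what pins down the top talker. As an added example (not code from the article), this Python script does the same thing offline over a classic pcap file such as one saved from Wireshark: it walks the frames, totals packets and bytes per unordered IPv4 address pair, and sorts the pairs by volume. The embedded capture is constructed here (the addresses are made up) so the script runs without a network.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

def build_frame(src_ip, dst_ip, payload_len):
    """Constructed Ethernet/IPv4 frame with a zero payload, used only for the sample capture."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 6, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return eth + ip + b"\x00" * payload_len

def build_pcap(frames):
    """Wrap frames in the classic little-endian pcap container (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1263470100 + i, 0, len(f), len(f)) + f  # ts_sec, ts_usec, incl, orig
    return out

def pcap_frames(data):
    """Yield (frame_bytes, original_length) from classic pcap bytes, either byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    e = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    off = 24                                        # skip the 24-byte global header
    while off + 16 <= len(data):
        _, _, incl, orig = struct.unpack(e + "IIII", data[off:off + 16])
        yield data[off + 16:off + 16 + incl], orig
        off += 16 + incl

def ipv4_conversations(data):
    """Packets and bytes per unordered IPv4 pair, like Statistics > Conversations > IPv4."""
    totals = defaultdict(lambda: [0, 0])            # (addr_a, addr_b) -> [packets, bytes]
    for frame, orig in pcap_frames(data):
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
            continue                                # skip ARP and anything else that is not IPv4
        pair = tuple(sorted((str(IPv4Address(frame[26:30])), str(IPv4Address(frame[30:34])))))
        totals[pair][0] += 1
        totals[pair][1] += orig                     # count the wire length, not the snapped length
    return sorted(((a, b, p, n) for (a, b), (p, n) in totals.items()), key=lambda r: -r[3])

# Constructed sample capture: one LAN host pushing full-size frames to an Internet address,
# some light background traffic, and a broadcast ARP frame that must be ignored.
ARP = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x06" + b"\x00" * 28
SAMPLE = build_pcap([build_frame("192.168.1.50", "203.0.113.10", 1460)] * 3
                    + [build_frame("192.168.1.20", "192.168.1.1", 40),
                       build_frame("192.168.1.1", "192.168.1.20", 80), ARP])

if __name__ == "__main__":
    for a, b, pkts, nbytes in ipv4_conversations(SAMPLE):
        print(f"{a:15} <-> {b:15} {pkts:4} packets {nbytes:7} bytes")
```

To run it on a real capture, replace SAMPLE with the bytes of a file saved from Wireshark in pcap (not pcapng) format; the first row is the pair to investigate.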
There’s really a ton you can do with Wireshark. It’s an incredibly flexible and useful tool that can help you locate problems in your network, and also educate you about the kinds of traffic you've got traversing your wires. It can be a handful at first, but it’s a tool that’s worth learning and having at your beck and call.