Wireshark User Guide

User Guide
Use of Wireshark for IP trace monitoring
Quoc-Thinh Nguyen-Vuong (TIS)

September 2009
Contents
1. General Overview
2. Wireshark setting user guide
3. Display filter & analysis trace Few tips
4. Backup
Alcatel-Lucent Internal
Proprietary Use pursuant to Company instruction. XXXXX
General Overview
Wireshark: Pros vs. Cons

Pros:
Wireshark software is free download & capable of being run in any laptop
Easy to send the traces to anyone without having to convert the file format
Provides a simple but powerful display filter language
Cons
Not able to handle a large amount of sniffing traffic, so its not appropriate to
use it in live network
Wireshark can drop the captured packets (check on the bottom if the dropped
=0)
Some protocol stacks cannot be decoded by Wireshark (like Frame Protocol
over Iub)
Installation overview : 2 options

Mirroring option
Iu-PS
SGSN
mirroring
Lp/14, Eth/x Iux over IP
RNC
Iux over IP
Ethernet
Fiber
Iub (IP link)
Router
Lp/15, Eth/x
PC
RJ45 (ETH cable)

Mirroring port
ETH card
Splitter option
Lp/14, Eth/x Iux over IP
RNC
Lp/15, Eth/x
Router
Ethernet
Iub (IP link)
Fiber
RJ45 (ETH cable)
PC
Optical Ethernet
Converter
ETH card
Check list
Wireshark software: Version 1.2.2 from http://www.wireshark.org
http://wireshark.osmirror.nl/download/win32/wireshark-win32-1.2.2.exe
Check list for mirroring option (more preferable)
The dedicated mirroring port configured on an access router (note however
that some routers do not support the mirroring)
If the mirroring port is Gigabit Optical, a Copper Ethernet SFP is required
An Ethernet RJ-45 cable
Laptop with Wireshark running
Check list for splitter option
Optical splitters
10/100/1000Base-T to 1000Base-SX/LX converter
Ethernet RJ-45 cable
Laptop with Wireshark running
Wireshark setting guide

(whatever the Iux interface)
Wireshark PC setting
No specific setting is required on the PC
Wireshark
Internet protocol property -> automatic IP@
configuration
Do not need to have an IP@ for the NIC
Limited connectivity is good
No tracing if there is a mismatch between the

speed on the PC & mirroring interface
(Fast/Gigabit Eth)
Device manager > Network adapter> Advanced >
Link Speed & Duplex
Auto Detect is recommended (default setting)
100Mbps/1Gbps & Full duplex is desirable (if the
auto detect does not work); the selected speed
depends on the speed on the mirroring interface
If the mirroring interface only supports Gigabit and the
PC only supports 100Mbps, the traces cannot be
captured. In this case, the mirroring port must be forced
at 100Mbps or find a new PC that has a powerful Gigabit
NIC
Wireshark: Quick overview

Launch the Wireshark application
Icon start a new live capture

Icon stop the running live capture
Identity the capture interface (in our case, it is a Gigabit network connection)
Capture > Interfaces
This is the
one we used
to connect
with the RJ45
Wireshark Settings
Capture > Options
Select the right capture
interface (NIC card)
Specify only in case you

know exactly what you
want to capture,
otherwise leave it blank
Check them if you want
to see the traces
displayed in real-time
Click start to capture the

traces
Trace capture
This is the DISPLAY filter, for example,
tcp.analysis.retransmission to display only the
TCP retransmission messages.
captured
messages
(time,
address,
protocol, info)
Protocol
stack of the
selected
message
Display filter & analysis trace

Few tips
Well-known issues while starting capturing (the first time of use)

Try Wireshark with your Internet connection before going on site
Capture the trace going through your NIC
If you cannot see any packets

Try to check/uncheck the box capture packets in promiscuous mode in capture
options window
If you capture packets in

one direction (uplink or
downlink)
Check the duplex mode of your
PC as well as of the mirroring
session
Common display filters

udp / tcp / sctp / icmp / ranap / sccp / gtp => to display only the desired protocol
sctp && ip.src==10.2.4.9=> display sctp sent from the source having IP@= 10.2.4.9
sctp || tcp => display sctp or tcp message (both tcp & sctp will be displayed)
tcp.analysis.retransmission =>
display the TCP retransmission
message
tcp.analysis.lost_segment =>
display the message in which the
Wireshark suspects that the
previous message in this TCP flow is
lost
vlan.id == 123 => display the
message having VLAN ID= 123
More about the filter expression,
go to Expression
Quick Analysis
Statistics > Flow graphs
Analyze > Expert Infos
Statistics > TCP stream graph

Backup
Mirroring configuration
On Alcatel Omniswitch OS6850
-> port mirroring 1 destination 1/20 unblocked 5
enable
-> port mirroring 1 source 1/21 bidirectional enable
Mirror bidirectional traffic on port

1/21 & 1/22 to a mirroring port 1/20
-> port mirroring 1 source 1/22 bidirectional enable
On Cisco Router/Switch
-> monitor session 1 source interface Fa0/2
-> monitor session 1 destination interface Fa0/20

Fa0/2 to a mirroring port Fa0/20
Telco systems switch

>monitor session tx source interface 1/1/2,1/1/23
>monitor session tx destination interface 1/1/1
>monitor session rx source interface 1/1/2,1/1/23

1/1/2 & 1/1/23 to a mirroring port
1/1/1
>monitor session rx destination interface 1/1/1

Wireshark User Guide

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Wireshark User Guide

Uploaded by

Copyright:

Available Formats

User Guide

Use of Wireshark for IP trace monitoring

Quoc-Thinh Nguyen-Vuong (TIS)

Wireshark: Pros vs. Cons

Installation overview : 2 options

Iub (IP link)

RJ45 (ETH cable)

Iub (IP link)

RJ45 (ETH cable)

Wireshark setting guide

No tracing if there is a mismatch between the

Wireshark: Quick overview

Icon start a new live capture

Specify only in case you

Click start to capture the

Display filter & analysis trace

Well-known issues while starting capturing (the first time of use)

If you cannot see any packets

If you capture packets in

Common display filters

Analyze > Expert Infos

Statistics > TCP stream graph

Mirror bidirectional traffic on port

-> port mirroring 1 source 1/22 bidirectional enable

Mirror bidirectional traffic on port

Telco systems switch

Mirror bidirectional traffic on port

>monitor session rx destination interface 1/1/1

You might also like