Free Wireshark Training Course Online

Take a free Wireshark Jumpstart training class online at

Friday, July 24, 2009

One Key Sign of QoS Problems

There are some trace files that SCREAM at you! If you stand too close you can feel spit hitting your face!

In the "Top 10 Reasons Your Network is Slow" online course (course abstract), we examine one of the causes of slow network performance. We look at a trace file of traffic that has passed through a router set up with QoS. You may not be aware how obvious QoS issues can be when analyzing traffic - feed a nice steady stream through that puppy and catch the traffic on the other side to see how it performed its duties.

Look for an EKG Pattern
In a datastream that is 'steady' - as in the video streaming example shown in the picture, we look for an "EKG pattern" in data coming through the router. This pattern is seen when data is held in the queue temporarily and then released (causing the sudden jump in the IO). As you can see in the image above, we can also spot packets that are dropped by the queue. (Make sure you take a trace on the other side of the router to compare the IO graphs - you want to be certain a steady stream of data is traveling towards the QoS device and any alteration in the IO pattern has not already occurred.)

Get the Trace File
Go ahead - try checking it out yourself. Open up mcaststream-queued2.pcap in Wireshark. Select Statistics > IO Graph.

What? It's not screaming at you? Aha! That is because the X axis is too large - you are looking at ants from space! Change the X axis value to 0.01 seconds.

Do you see it? Right around 1.10 seconds into the trace - the EKG pattern! If users are not complaining about performance then don't sweat it. Keep an eye on times when the line drops and doesn't jump up above the average point - those are dropped packets.
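The same reading of the IO Graph can be done in code. The sketch below is an added example, not part of the original post: it bins packet timestamps into 0.01-second ticks and labels each dip as queued (a burst above the median follows) or dropped (no burst follows). The sample timestamps, the 3-tick look-ahead window and the 0.8 recovery threshold are assumptions chosen for illustration.

```python
from statistics import median

TICK_US = 10_000  # 0.01 s, the IO Graph X-axis interval used in the post

def per_tick(ts_us, tick_us=TICK_US):
    """Packets per tick, empty ticks included (what the IO Graph plots).
    Expects sorted integer timestamps in microseconds."""
    start = ts_us[0]
    counts = [0] * ((ts_us[-1] - start) // tick_us + 1)
    for t in ts_us:
        counts[(t - start) // tick_us] += 1
    return counts

def classify_dips(counts, window=3):
    """Label each dip 'queued' (burst follows) or 'dropped' (no burst)."""
    base = median(counts)          # the steady rate of the stream
    events, i = [], 0
    while i < len(counts):
        if counts[i] >= base / 2:  # not a dip
            i += 1
            continue
        j = i
        while j < len(counts) and counts[j] < base / 2:
            j += 1                 # extend over the whole dip
        deficit = sum(base - c for c in counts[i:j])
        surplus = sum(max(0, c - base) for c in counts[j:j + window])
        # Held packets come back as a spike above the average; lost ones do not.
        events.append((i, "queued" if surplus >= 0.8 * deficit else "dropped"))
        i = j
    return events

def constructed_stream():
    """Constructed sample: 5 packets per tick for 40 ticks, a queue hold in
    ticks 10-11 released in tick 12, and a loss in tick 25."""
    per = [5] * 40
    per[10] = per[11] = 0
    per[12] = 15
    per[25] = 0
    ts = []
    for tick, n in enumerate(per):
        ts += [tick * TICK_US + k * (TICK_US // max(n, 1)) for k in range(n)]
    return ts

if __name__ == "__main__":
    for tick, kind in classify_dips(per_tick(constructed_stream())):
        print(f"{tick * TICK_US / 1e6:.2f}s {kind}")
```

To run it on a real capture, feed `per_tick` the packet timestamps exported from the trace, converted to integer microseconds.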

I'll be teaching the "Top 10 Reasons Your Network is Slow" on July 30th - it's a fun class to teach (although last time I was demonstrating the process of jamming a wireless network and nearly killed my own seminar hosting connection - duh). Register here.

Enjoy the trace! See you online!


Saturday, July 18, 2009

Brad and the Top-Secret Bl-Ear Project

Brad Pitt on the cover of Wired poo-pooing the bluetooth look? No way! They aren't going to pre-announce an invention that I already pre-announced at TechEd?! I quickly blew through the pages of Wired Magazine's August issue to find a picture of Brad texting at the urinals with a bourbon close by (page 89).

Whew! No mention of the Bl-Ear - the exciting beta-phase invention in bluetooth beauty and buffness. It's tough to stay ahead of the game (and game mags) in technology. Sometimes you have to be... well... inventive.

Let's face it - there are tons of products we'd love to see out there - the Bl-Ear fills a need to reduce the high Nerdlook-Factor (NF) of walking around with that bluetooth device hanging off your head - don't even start spewing the "jawbone is sexy" defense with me. No one (not even Brad) looks good with electronics hanging off their aural lobes.

Bluetooth devices are the new pocket-protectors, folks. And you need to admit it.

As you may have missed the TechEd presentation in May, I've put up a short video showing the Bl-ear over at the Chappell Seminars Projects page.

Before you go out the door today, look in the mirror. Laptop - check. iPhone - check. Starbucks card - check. Bluetooth adapter - check. Now remember - accessorize, then minimize - take off the ear-tech that screams "I hope someone wants to talk to me today".

Sign up for the Bl-Ear and watch your NF drop to near-normal levels. Oh... and just wait 'til you see their upcoming Ear-Bluds! I can hardly wait.


The Bl-ear and Blear Corporation are bunk. All rights reserved.

Sunday, July 12, 2009

Parents, 'Puters and Painkillers

"Hi hon! How are you? How are the kids? I can't print"...

Being a technologist these days is like being the family doctor in the olden days (ok, well, family doctors are still of value but mostly for prescription drugs for fun I think.)

You know what it's like - your second cousin once removed calls - you haven't seen her since that embarrassing Thanksgiving when they pulled you into singing "Muskrat Love" with them while your inebriated Aunt tried to play the piano ("I haven't played since I was a child" - no kidding?!). [That's another story.] "Hey... are you still into computers?"
Uh... no. I'm now working at a humane beef ranch as an ozone protection analyst. Sorry.

In this case, my father was calling for help with printing.
Guiding him to view the print queue won't work - the print queue icon seems invisible to him and the Start button is out of the question ("The start button... you mean the power button? Ok. I clicked it, but my computer screen is blank now."). First things first. Do you see a light on in the front of the printer ("Yes, honey. My desk lamp is always on.")? It would be a long, slow and painful process (looking for the real family doctor for those fun meds now) to guide my father to eventually unplug and replug in the printer USB cable on his laptop ("no, Dad... the printer cable doesn't plug into the wall socket...get out from under the table before you hurt yourself.").

The printer sprang to life and began printing the 32 copies of the 70-page document he'd sent to it before calling me. Rather than try to guide him through the process of clearing the print queue I just told him that there wasn't anything he could do about it. "Just get out the recycling bin, Dad." (Making notes to give Dad reams of paper next birthday and go out to plant something green while acknowledging the guilt of prioritizing my sanity over the environment).

You must have a certain level of compassion and empathy to work in the field of technical support. I really don't know how people take calls from someone like my father every day and still maintain a life of sobriety and love towards mankind. I think the key must be...
Hang on... gotta cut this blog short... my Dad's calling... ("Honey... I've just downloaded Wireshark and I have a couple questions...") Gulp.

Family... can't live with 'em... can't DoS 'em (legally)

Sunday, July 5, 2009

Did That Tech Just Tell Me to Go Ping Myself?

"Ping and let's look for packet loss."
"Let's reinstall the operating system."
"Oh my gawd - didn't you know ping is illegal?"
"Ping takes away the addresses of others on the network."
"Not all laptops support networking, so that might be the problem."
"Did you plug in the wireless cable yet?"

Oh yes... I keep track of the amazing comments I've heard from hotel network technicians and most recently Comcast. Many of you know the story of "Bob, the Comcast technician from hell" who ended up being a trainer for the other network technicians. I can only hope Bob is now flipping burgers somewhere.

When one of my network connections began feeling last week I pulled out my tools and began to work on identifying where the problem was. I grabbed my traffic with Wireshark and noted the high rate of packet loss. Since I know that packet loss most often occurs at an inter-network device, I began running the graphical ping in NetScanTools. I could see the rate of packet loss was around 40%. Next I began a series of traceroute operations to see where I was losing packets - and BOOM! There it was. One of the routers consistently dropped packets along the path. I even went through that target to other hosts.

All I needed to do was let the Comcast technician know which router was the problem... right?

When the Comcast technician asked me to "ping", I tried not to gag. How could this 'technician' not know the basics of TCP/IP? She pronounced traceroute as "trace-ert" with absolutely no awareness that her ignorance was spilling out over the phone.

What I experienced here is the result of skipping basic training - it's really not her fault. I blame Comcast. And guess what...? Right now we are seeing companies restrict training budgets for the folks running their networks. We're going to pay a big price in the future with unskilled and out-of-date IT professionals.

Is your company restricting training? What are you doing to keep up? Does your management know the end result of de-valuing training? Where will we be in a few months... years?

I hope the free Wireshark training courses are helping out. We are focusing on getting sponsors to open up more free online training. Let your favorite vendors know they can do something great for the industry by sponsoring a free training course.

Now off to finish the Wireshark 101 handouts for class on Tuesday! Gerald (the creator of Wireshark) will be online again to answer your questions. I hope to see you there! Register at today.


Saturday, July 4, 2009

July 7th - Wireshark Jumpstart Free (Sponsored by NetOptics)

The July 7th Wireshark 101 Jumpstart is sponsored by NetOptics. I approached NetOptics because my lab is filled with NetOptics taps... the Teeny Tap, my 10/100 aggregating tap, my 10/100/1000 regenerating tap and more.

In this Wireshark 101 Jumpstart, I'll be demonstrating the following features of Wireshark:
  • Tapping into traffic
  • Choosing the interface
  • Capture filtering
  • Display filtering
  • Capturing to file sets
  • Capturing with a ring buffer
  • Altering the time column
  • Display filtering
  • Using the Expert Info Composite
  • Defining profiles
  • Reassembling streams
We already have over 1,000 registrations and only 1,000 people will be allowed to access the live online seminar. We'll open up the 'waiting room' online approximately 20 minutes before the session to allow you to get a place in the course.

See you on Tuesday, July 7th.