Wednesday, March 3, 2010

Wireshark Network Analysis has Left the Building

What shall I do with myself this morning? Hmmm... I already cleaned off my desk of all remnants of the book writing/editing process. I drafted up the book website (that will be home to the trace files and book supplements). Instinctively I launch Wireshark - heading out to get the latest development release at Ooooh... we're now on version 1.3.4 SVN (subversion) 32095.

Wireshark was a moving target while I wrote the book and we're releasing the book with features you won't even see if you don't load the development version or wait until v1.4 comes out.

I've been examining each feature and working on descriptions and scenarios to depict:

  • the out-of-order packets (which are sometimes retransmissions), retransmissions vs. fast retransmissions, duplicate ACKs (and what triggers them)
  • HTTPS decryption methods including the long and error prone key entry in the preferences section and the best TCP preference settings to view and filter on the SSL/TLS handshake
  • step-by-step procedures for application analysis methods to determine if an application affected network browsing performance (I analyzed Aptimize Website Accelerator running on Microsoft's SharePoint website) - graphing methods to illustrate the effect of this tuning product
  • building a table to show WLAN capture options - when do you want promiscuous mode enabled/disabled and what can you "see" without monitor mode capability
  • diagramming networks with NAT/PAT devices, firewalls, layer 2 switches, MPLS configurations and more - all in an effort to explain how these devices affect the traffic
  • maintaining my new feature checklist to ensure I covered the new Packet List pane, fabulous load times, ignore packets feature, Apply as Column feature, etc.
  • keeping a master list of all the hot capture, display and color filters I've built to catch and vividly show the traffic that really explains what's going on
  • inventorying all the book trace files that are referenced in the Practice What You've Learned section of each chapter - that was an undertaking!

It's been a lot of work - puff, puff - but strangely enticing. Each morning I had a list of features I would focus on that day. Each day I was able to marvel at Wireshark's capabilities. Each day I created charts and graphs of amazing network problems.

Oh... gotta go... that new development version of Wireshark is calling!