Free Wireshark Training Course Online

Take a free Wireshark Jumpstart training class online at

Wednesday, September 29, 2010

Blogging through Muscle "Sapams"

After 5 days of working up every excuse possible to avoid the dreaded doctor, I finally caved in when I dropped an AirPcap adapter and couldn't pick it up - yup - I'd ripped up my back somehow. The pain was incredible - just imagine - no monitor mode capability, no 802.11 headers, no multi-channel aggregation... it was a nightmare.

My doc prescribed numerous meds including one to take "as needed for muscle sapam." After receiving the obligatory lecture on "don't drive or operate heavy equipment with these medicines" (does a Cisco Nexus box count?), I whimpered home and told my family I would be "a little loopy" this weekend. If I hadn't already taken some of these medications, I would have immediately raced my two teens to the doctor for treatment for eye-rolling - it's a strange and erratic affliction that plagues so many teens.

I figured the perfect time to start working on this week's blog would be while cozying up on the couch waiting for the pain to subside with these new meds. This morning, however, I reviewed the numerous medically-induced blogs I whipped out while semi-comotose this past weekend.

I realize one thing now - DON'T MEDICATE AND BLOG.

Here are the titles of a few of the blogs I'd spewed out while numb.

* Should Pot be Legalized in Farmville? Since I'm from California and the issue of legalizing pot is almost recommended Kindergarten fare, I wondered about adding pot farms in Farmville. What would the reaction be? If met with heavy opposition perhaps Hempville would be more open
to the issue.

* Put Audio Triggers into Wireshark - I did skulk around a bit on, but had such a tough time typing Wiershark and TPCIP... almost hit "Submit" on an idea to add audio to the Expert Infos Composite function. Imagine importing the "Star Trek Audio Set" and hearing "Damn it, Jim... I'm just a doctor" each time a packet was lost or "Live long and prosper" for each retransmission. There's a loose reference to my old "Amazon Rain Forest" exercise I used with a NetScanTools Pro class...

* Intel - Do the Right Thing - Add an "A" to McAfee. This blog was rather short - simply suggesting that Intel's first move after acquiring McAfee should be to add that friggin' "a" to make it MacAfee - we all pronounce it that way already - c'mon - think of your customers here. There was a bit of a side-ramble regarding their Vegas conference in October featuring Bill
Clinton and some crazy off-beat reference to strip clubs too.

Well... perhaps you can tell I'm not off the meds yet - my mind is wandering ... and I hope it comes back sometime.

So I apologize now if you've asked me a technical question, reached out for advice or pinged me with a thought... I've been busy controlling my "muscle sapams".

Remember to check out the Wireshark Certified Network Analyst program at!



Wednesday, September 22, 2010 is Here!

It's not a forum... it's a Q&A site!

Last week Gerald announced on his blog. The site is based on OSQA (an open source Q&A solution).

I've been playing around on and it's pretty interesting to read the variety of questions that have been posted. Just what I need - something else to keep me awake at night! Sigh.

Go Ahead - Ask a Question
You can read the Q&A FAQ ("sweet baby corn cob?"), but here's the basic flow for using

1. Sign up for a free account at
2. Click "ask a question." Be as clear and complete with your question. If someone doesn't understand or wants more facts, they can comment on your question.
3. You can add details by commenting on your own question as well.
4. When your question gets answered you will receive an email notification (this is a setting you can change in Users > User Tools > Autosubscribe me to).
5. Now here's the important part -
a. If the answer solved the issue, mark it "answered."
b. If someone asks for more information, please comment to provide it.

Marking questions answered ensures that only truly unanswered questions show up when you click the Unanswered tab.

Do We Need Those Stinkin' Badges?
Click on the Badges tab to see the various badges you can earn (and how many times they have been awarded since the launch of by being an active, contributing member.

Pick Up Some Great Tips
By reading through some of the questions/answers at, you can learn:

* How to create an offset filter for Ethernet packets
* How to display all TCP connections with SYN packets
* The cause of SMB STATUS_ACCESS_DENIED packets
* How checksum errors can become a red herring in troubleshooting

I remember the old CompuServe NetWire days - it's fun to get active online again.

See you there!

Remember to check out the Wireshark Certified Network Analyst program at!



Wednesday, September 15, 2010

Troubleshooting with Coloring Rules

Wireshark contains an Expert system (click that colored button in the lower left corner on the status bar) which highlights packets of concern. There are so many network issues that are not detected with the Expert system, however. Consider creating a custom profile that contains a set of "butt ugly" coloring rules to call your attention to highlight potential performance issues.

Some of my favorite troubleshooting coloring rules look for protocol anomalies, error responses and high delta times. Other coloring rules focus on packets that may hint at (or scream about) security issues.

Here's a list of some of the coloring rules I will cover in the October 19th webinar:

* High delta times in displayed packets: When you filter on a conversation, look for sudden increases in delta times, but watch out for moments when user intervention is required to send the next packets - users are slow.

* 4 NOPs in the TCP Options Area: I've covered this over at the Wireshark Tips page - you just never want to see this one.

* HTTP Error Codes: Any HTTP response code higher than 299 indicates either a client error or server error.

* Small TCP Window Size Values: Even if the Window Size field isn't at 0, a low value can totally stop a data transfer process. Wireshark's Expert won't catch packets with a Window size of 50 - it will just catch a Window Size of 0.

In the webinar we will also talk about using "butt uglies" - colors that you detest - to call attention to the performance problems indicated in a trace file.

It will be a full webinar (with a maximum of 1,000 seats), so register early and arrive early to the session. The recorded version will only be available to the All Access Pass members.

Remember to check out the Wireshark Certified Network Analyst program at!



Tuesday, September 7, 2010

Analyzing HUGE Packets - TSO/LRO

Recently I received a trace file from a customer having performance problems. One of the issues in the trace file was a series of packets with large length values such as 32,885 or 35,094 or 61,557.

I've been seeing this characteristic more and more often when analyzing trace files.

This is not a situation of jumbo frames.

This is a situation called TCP Segmentation Offload (or TSO)/Large Receive Offload (LRO).

TSO/LRO are hardware functions. A host with TSO-enabled hardware sends TCP data to the NIC without segmenting the data in software. The NIC will perform TCP segmentation. NICs supporting LRO receive packets and reassemble them before passing the data on to the local software.

When Wireshark is loaded and capturing on a system that performs TSO/LRO, Wireshark may show you these really large frames - it's not lying - that is the size of the frame before segmentation has occurred (in the case of outbound packets handled with TSO) or after reassembly has occurred (in the case of inbound packets handled with LRO).

If you want to see the packets as they actually look when traversing the network - capture them at a location along the path using a FDX tap or port spanning/monitoring. The frames should then be the standard size.

Remember to check out the Wireshark Certified Network Analyst program at!



Thursday, September 2, 2010

Hiding Columns in the New Wireshark 1.4.0!

Wireshark version 1.4.0 download -
Wireshark Certified Network Analyst -
Wireshark Network Analysis Study Guide -
Wireshark Certification Exam Prep Guide -

Register for the free Wireshark 201 Filtering Webinar on September 8, 10am-11am PDT -

This week we had over 800 people register for the free Wireshark 101 Jumpstart
online course. You can download the handouts and review the topics covered.

During the webinar I focused on some of the cool new features of Wireshark
version 1.4.0. One of my favorite new features - Apply As Column - has even
gotten better than it was in the release candidate versions!

At Sharfest 2010, I was showing the new Apply As feature to the audience. Gerald
Combs, creator of Wireshark, was in that audience.

Simply right click on a field in a packet and choose Apply As to add that field as a
column in the Packet List pane. My favorite fields to add are:

* TCP Window Size field
* TCP Sequence Number field
* TCP Acknowledgment Number field
* IP Time to Live field
* 802.11 Channel/Frequency field (from a RadioTap or PPI header)

During that presentation I mentioned how fabulous it would be if I could
temporarily hide one of the new columns then quickly enable it again later.

Try it Yourself

Step 1
Download and extract all the book supplements (available online at

Step 2
In Wireshark version 1.4.0, open the trace file called http-download-bad.pcap. This trace file contains the traffic of someone connecting to a web server and downloading a file. The performance stinks.

Step 3
Expand the TCP header in packet #1 and right-click on the Window Size field (near the
end of the TCP header). Select Apply As Column. Your new Window Size column
appears in the Packet List pane.

Step 4
Right click on the new Window Size column and select Rename Column Title... - change
the name to WinSize.

Step 5
Now click the new WinSize column twice to see the Window Size field values lowest to highest - do you see the "Window Zero" condition in the trace file? What is the IP address of the host that states it has no receive buffer space (indicated by a Window Size of 0)? Yup - that would be the problem with the file download process!

Step 6
Let's say you don't always want to see that column though. Simply right click on the WinSize column heading and select Hide Column. When you want to see it again, just right click on any column heading and select Displayed Columns. Sweet!

Thanks Gerald and the Wireshark development team! This is a great addition!