Free Wireshark Training Course Online

Take a free Wireshark Jumpstart training class online at http://www.chappellseminars.com/.

Wednesday, September 22, 2010

ask.wireshark.org is Here!

It's not a forum... it's a Q&A site!

Last week Gerald announced ask.wireshark.org on his blog. The site is based on OSQA (an open source Q&A solution).

I've been playing around on ask.wireshark.org and it's pretty interesting to read the variety of questions that have been posted. Just what I need - something else to keep me awake at night! Sigh.

Go Ahead - Ask a Question
You can read the Q&A FAQ ("sweet baby corn cob?"), but here's the basic flow for using ask.wireshark.org:

1. Sign up for a free account at ask.wireshark.org.
2. Click "ask a question." Be as clear and complete as possible with your question. If someone doesn't understand or wants more facts, they can comment on your question.
3. You can add details by commenting on your own question as well.
4. When your question gets answered you will receive an email notification (this is a setting you can change in Users > User Tools > Autosubscribe me to).
5. Now here's the important part -
a. If the answer solved the issue, mark it "answered."
b. If someone asks for more information, please comment to provide it.

Marking questions answered ensures that only truly unanswered questions show up when you click the Unanswered tab.

Do We Need Those Stinkin' Badges?
Click on the Badges tab to see the various badges you can earn (and how many times they have been awarded since the launch of ask.wireshark.org) by being an active, contributing member.

Pick Up Some Great Tips
By reading through some of the questions/answers at ask.wireshark.org, you can learn:

* How to create an offset filter for Ethernet packets
* How to display all TCP connections with SYN packets
* The cause of SMB STATUS_ACCESS_DENIED packets
* How checksum errors can become a red herring in troubleshooting

I remember the old CompuServe NetWire days - it's fun to get active online again.

See you there!

Remember to check out the Wireshark Certified Network Analyst program at www.wiresharktraining.com/certification!

Enjoy!

Laura

Wednesday, September 15, 2010

Troubleshooting with Coloring Rules

Wireshark contains an Expert system (click that colored button in the lower left corner of the status bar) which highlights packets of concern. There are many network issues that the Expert system does not detect, however. Consider creating a custom profile that contains a set of "butt ugly" coloring rules to call your attention to potential performance issues.

Some of my favorite troubleshooting coloring rules look for protocol anomalies, error responses and high delta times. Other coloring rules focus on packets that may hint at (or scream about) security issues.

Here's a list of some of the coloring rules I will cover in the October 19th webinar:

* High delta times in displayed packets: When you filter on a conversation, look for sudden increases in delta times, but watch out for moments when user intervention is required to send the next packets - users are slow.

* 4 NOPs in the TCP Options Area: I've covered this over at the Wireshark Tips page - you just never want to see this one. Four NOPs in a row almost always mean that a device along the path (a firewall or load balancer, for example) stripped a TCP option out of the header and padded over it with NOPs, so a capability one host tried to negotiate never reached the other side.

* HTTP Error Codes: Any HTTP response code of 400 or higher indicates either a client error (4xx) or a server error (5xx). The 3xx codes are redirections, not errors - give them a separate, less alarming color if you want to see them at all.

* Small TCP Window Size Values: Even if the Window Size field isn't at 0, a low value can totally stop a data transfer process. Wireshark's Expert won't catch packets with a Window Size of 50 - it will just catch a Window Size of 0. Keep window scaling in mind, though: if the handshake isn't in the trace, Wireshark can't apply the scale factor, and a small value in the field may actually be a large window.

In the webinar we will also talk about using "butt uglies" - colors that you detest - to call attention to the performance problems indicated in a trace file.
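The four rules above, written out as display filters and packaged into a Wireshark colorfilters file, as an added example (this is not code from the post or from the Wireshark project). The rule names, the colors and the 1000-byte threshold for a "small" window are my own assumptions; the filter syntax and the file format are Wireshark's. The parser reads the file back so you can check that a hand-edited profile still has the shape Wireshark expects before you load it.

```python
"""Write and validate a Wireshark 'colorfilters' file holding the "butt ugly"
troubleshooting rules from the post above.

Added example, not the author's code.  The rule names, the colors and the
1000-byte threshold for a "small" window are my own assumptions; the filter
syntax and the file format are Wireshark's.
"""
import re
from collections import namedtuple

# One rule per line in the file:  @name@display filter@[bg_r,bg_g,bg_b][fg_r,fg_g,fg_b]
# Colors are 16-bit per channel (65535 = full).  A leading "!" disables a rule.
ColorRule = namedtuple("ColorRule", "name filter bg fg enabled")

WHITE, BLACK = (65535, 65535, 65535), (0, 0, 0)

# Rules are matched top to bottom and the first match wins, so keep the
# "scream" rules above anything that matches more broadly.
BUTT_UGLY_RULES = [
    # Gap in the conversation: only meaningful once you have filtered to one conversation
    ColorRule("High delta (displayed)", "frame.time_delta_displayed > 1",
              (65535, 0, 65535), WHITE, True),
    # Four NOPs in a row: a device on the path overwrote a TCP option
    ColorRule("4 NOPs in TCP options", "tcp.options contains 01:01:01:01",
              (65535, 32768, 0), BLACK, True),
    # 4xx client errors and 5xx server errors, but not 3xx redirects
    ColorRule("HTTP error response", "http.response.code >= 400",
              (65535, 0, 0), WHITE, True),
    # Non-zero but tiny receive window (threshold is an assumption; tune it).
    # tcp.window_size is the scaled value in current Wireshark releases.
    ColorRule("Small non-zero TCP window",
              "tcp.window_size > 0 && tcp.window_size < 1000",
              (0, 65535, 0), BLACK, True),
]

_COLORS_RE = re.compile(r"^\[(\d+),(\d+),(\d+)\]\[(\d+),(\d+),(\d+)\]$")


def _check_color(rgb):
    if len(rgb) != 3 or any(not 0 <= c <= 65535 for c in rgb):
        raise ValueError("color must be three 16-bit components: %r" % (rgb,))


def render_colorfilters(rules):
    """Return the text of a colorfilters file for the given rules."""
    lines = ["# Generated 'butt ugly' troubleshooting rules"]
    for r in rules:
        _check_color(r.bg)
        _check_color(r.fg)
        if "@" in r.name:
            raise ValueError("'@' is the field separator and cannot appear in a rule name")
        prefix = "" if r.enabled else "!"
        lines.append("%s@%s@%s@[%d,%d,%d][%d,%d,%d]" % (prefix, r.name, r.filter, *r.bg, *r.fg))
    return "\n".join(lines) + "\n"


def parse_colorfilters(text):
    """Parse colorfilters text back into ColorRule objects (round-trip check)."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        enabled = not line.startswith("!")
        if not enabled:
            line = line[1:]
        if not line.startswith("@"):
            raise ValueError("line %d: rules start with '@'" % lineno)
        _, name, rest = line.split("@", 2)        # the name cannot contain '@'
        flt, colors = rest.rsplit("@", 1)         # ...but a filter string could
        m = _COLORS_RE.match(colors)
        if m is None:
            raise ValueError("line %d: bad color block %r" % (lineno, colors))
        c = tuple(int(x) for x in m.groups())
        _check_color(c[:3])
        _check_color(c[3:])
        rules.append(ColorRule(name, flt, c[:3], c[3:], enabled))
    return rules


if __name__ == "__main__":
    text = render_colorfilters(BUTT_UGLY_RULES)
    print(text)
    assert parse_colorfilters(text) == BUTT_UGLY_RULES
```

Save the output as a file named colorfilters inside a profile directory (Help > About Wireshark > Folders shows where your personal configuration lives) and select that profile, or import it through View > Coloring Rules. The same filter strings work unchanged on the tshark command line, which is a quick way to count how often each condition fires in a trace before you commit to a color.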

It will be a full webinar (with a maximum of 1,000 seats), so register early and arrive early to the session. The recorded version will only be available to the All Access Pass members.

Remember to check out the Wireshark Certified Network Analyst program at www.wiresharktraining.com/certification!

Enjoy!

Laura

Tuesday, September 7, 2010

Analyzing HUGE Packets - TSO/LRO

Recently I received a trace file from a customer having performance problems. One of the issues in the trace file was a series of packets with large length values such as 32,885 or 35,094 or 61,557.

I've been seeing this characteristic more and more often when analyzing trace files.

This is not a situation of jumbo frames.

This is a situation called TCP Segmentation Offload (or TSO)/Large Receive Offload (LRO).

TSO/LRO are NIC hardware functions (operating systems also do the same thing in software - Linux calls them GSO and GRO - with the same effect on your trace files). A host with TSO-enabled hardware hands TCP data to the NIC without segmenting the data in software. The NIC performs the TCP segmentation. NICs supporting LRO receive packets and reassemble them before passing the data up to the local software.

When Wireshark is loaded and capturing on a system that performs TSO/LRO, Wireshark may show you these really large frames - it's not lying - that is the size of the frame before segmentation has occurred (in the case of outbound packets handled with TSO) or after reassembly has occurred (in the case of inbound packets handled with LRO). Expect checksum errors flagged on those same outbound packets as well: TSO goes hand in hand with checksum offload, and the NIC fills in the checksum after Wireshark has already seen the frame.

If you want to see the packets as they actually look when traversing the network, capture them at a location along the path using a FDX tap or port spanning/monitoring. The frames should then be the standard size. Alternatively, turn the offload features off on the capturing host for the duration of the capture (on Linux, ethtool -k eth0 lists them and ethtool -K eth0 tso off gso off gro off lro off disables them) - just remember that doing so changes the host's own behavior while you capture.
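A quick triage check for this situation, as an added example that is not part of the post: read a classic pcap file record by record and list every frame whose on-the-wire length exceeds what an Ethernet link could carry. The sample capture is constructed in memory with the frame sizes quoted above; the 1518-byte limit assumes standard (non-jumbo) Ethernet, and the pcapng format is deliberately out of scope.

```python
"""Scan a classic pcap file for frames larger than an Ethernet frame can be,
the tell-tale of a trace captured on a host doing TSO/LRO (or GSO/GRO).

Added example, not the author's code.  The sample capture is constructed
in memory; the frame sizes mirror the ones quoted in the post.
"""
import struct

MAGIC_USEC = 0xA1B2C3D4            # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERNET_MAX_FRAME = 1518          # 1500-byte MTU + 14-byte header + 4-byte FCS (assumption: no jumbo frames)


def read_pcap(data):
    """Return (snaplen, linktype, records); each record is (ts, incl_len, orig_len, frame)."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == MAGIC_USEC:
        e = "<"
    elif magic == 0xD4C3B2A1:
        e = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng needs a different parser)")
    _major, _minor, _zone, _sigfigs, snaplen, linktype = struct.unpack_from(e + "HHiIII", data, 4)
    records, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(e + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated frame at offset %d" % off)
        off += incl_len
        records.append((ts_sec + ts_usec / 1e6, incl_len, orig_len, frame))
    return snaplen, linktype, records


def find_oversized_frames(data, max_frame=ETHERNET_MAX_FRAME):
    """Return [(frame_number, orig_len)] for frames the wire could not have carried.

    orig_len (the on-the-wire length recorded by libpcap) is used rather than
    incl_len, so the check still works on captures taken with a short snaplen.
    """
    snaplen, linktype, records = read_pcap(data)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("example only knows the Ethernet link type, got %d" % linktype)
    return [(n, orig) for n, (_ts, _incl, orig, _f) in enumerate(records, 1) if orig > max_frame]


def build_sample_pcap(frame_lengths, snaplen=65535):
    """Constructed capture: one mostly-zero IPv4-over-Ethernet frame per requested length."""
    out = [struct.pack("<IHHiIII", MAGIC_USEC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for n, length in enumerate(frame_lengths):
        frame = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
        frame += bytes(length - len(frame))
        incl = min(length, snaplen)       # libpcap truncates to snaplen but keeps orig_len
        out.append(struct.pack("<IIII", 1285000000 + n, 0, incl, length) + frame[:incl])
    return b"".join(out)


if __name__ == "__main__":
    capture = build_sample_pcap([66, 1514, 32885, 35094, 61557])
    for number, size in find_oversized_frames(capture):
        print("frame %d: %d bytes on the wire is impossible on Ethernet - TSO/LRO capture artifact" % (number, size))
```

If the scan reports hits on a trace taken on an end host, check that host's offload settings before blaming the network; if the trace came from a tap or SPAN port, the lengths are real and you have a jumbo-frame question instead, which is what the max_frame parameter is for.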

Remember to check out the Wireshark Certified Network Analyst program at www.wiresharktraining.com/certification!

Enjoy!

Laura

Thursday, September 2, 2010

Hiding Columns in the New Wireshark 1.4.0!

Resources:
Wireshark version 1.4.0 download - www.wireshark.org/download.html
Wireshark Certified Network Analyst - www.wiresharktraining.com/certification
Wireshark Network Analysis Study Guide - www.wiresharkbook.com
Wireshark Certification Exam Prep Guide - www.wiresharkbook.com/epg

Register for the free Wireshark 201 Filtering Webinar on September 8, 10am-11am PDT - www.chappellseminars.com/s-wireshark201.html
-----

This week we had over 800 people register for the free Wireshark 101 Jumpstart online course. You can download the handouts and review the topics covered.

During the webinar I focused on some of the cool new features of Wireshark version 1.4.0. One of my favorite new features - Apply As Column - has even gotten better than it was in the release candidate versions!

At Sharkfest 2010, I was showing the new Apply As Column feature to the audience. Gerald Combs, creator of Wireshark, was in that audience.

Simply right click on a field in a packet and choose Apply As Column to add that field as a column in the Packet List pane. My favorite fields to add are:

* TCP Window Size field
* TCP Sequence Number field
* TCP Acknowledgment Number field
* IP Time to Live field
* 802.11 Channel/Frequency field (from a RadioTap or PPI header)

During that presentation I mentioned how fabulous it would be if I could temporarily hide one of the new columns then quickly enable it again later.

Try it Yourself

Step 1
Download and extract all the book supplements (available online at www.wiresharkbook.com/downloads.html).

Step 2
In Wireshark version 1.4.0, open the trace file called http-download-bad.pcap. This trace file contains the traffic of someone connecting to a web server and downloading a file. The performance stinks.

Step 3
Expand the TCP header in packet #1 and right-click on the Window Size field (near the end of the TCP header). Select Apply As Column. Your new Window Size column appears in the Packet List pane.

Step 4
Right click on the new Window Size column and select Rename Column Title... - change the name to WinSize.

Step 5
Now click the new WinSize column twice to see the Window Size field values lowest to highest - do you see the "Window Zero" condition in the trace file? What is the IP address of the host that states it has no receive buffer space (indicated by a Window Size of 0)? Yup - that would be the problem with the file download process!

Step 6
Let's say you don't always want to see that column though. Simply right click on the WinSize column heading and select Hide Column. When you want to see it again, just right click on any column heading and select Displayed Columns. Sweet!

Thanks Gerald and the Wireshark development team! This is a great addition!

Enjoy!
Laura

Thursday, August 19, 2010

Official Exam Prep Guide Hits Amazon!

Visit www.wiresharkbook.com/epg to see sample pages.
Visit the Amazon Marketplace page to purchase.
---------------------------------------------------------------------------------------------------------------

It's been a busy time teaching webinars covering the Wireshark Certified Network Analyst Exam and then the Exam Prep Guide being released (earlier than expected) on Amazon.

Watch the recorded Wireshark Certified Network Analyst video at www.wiresharktraining.com/certification.

The new Exam Prep Guide is designed to help you evaluate your readiness to take the Wireshark Certified Network Analyst (WCNA) Exam.

Thanks to all of our reviewers and good luck to all of you who have registered to take the Exam at www.webassessor.com/pai!

Laura Chappell
---------------------------------------------------------------------------------------------------------------
More information and to download the Exam Information Pack, visit
www.wiresharktraining.com/certification.

Wednesday, August 11, 2010

Wireshark Certification Exam is Released!

Download the Exam Information Pack
Download the Step-by-Step Registration Information Pack.

Register - Free webinar: Become a Wireshark Certified Network Analyst
---------------------------------------------------------------------------------------------------------------

I am thrilled to announce that the Wireshark Certified Network Analyst Exam is NOW AVAILABLE! The Exam is available globally in a proctored format through Kryterion. Currently the Exam is only available in English.

The Wireshark Certification Exam was designed to confirm individual competencies in using Wireshark to locate the cause of network problems (poor performance or security-related) and confirm your knowledge of TCP/IP network communications in general.

The Exam is based on the thirty-three areas of study defined in the Exam Focus and Content section of the Exam Information Pack. The four primary areas covered in this Exam are:

  • Wireshark Functionality
  • TCP/IP Network Communications
  • Network Troubleshooting
  • Network Security

To earn the Wireshark Certified Network Analyst status, you must pass a single exam—the WCNA-100x Exam (version 100.1 is the current version).

Register for the Exam
The Wireshark Certified Network Analyst Exam is available at hundreds of testing centers around the world. You can take your Exam at a KRYTERION High-stake Online Secure Testing (HOST) location near you. To locate a local testing center, visit www.kryteriononline.com/host_locations.

The Wireshark Certified Network Analyst Exam is a closed-book Exam consisting of 100 questions. The Exam time limit is 2 hours (120 minutes). Exam questions are in true/false or multiple choice format (there is only one correct answer for each multiple choice question). Many of the questions include a Wireshark screen image.

Exam Pricing
The Wireshark Certified Network Analyst Exam cost is USD 299. The Wireshark Certified Network Analyst Exam Practice Exam (online) cost is USD 29.

Pass/Fail Grading
The Wireshark Certified Network Analyst Exam is graded on a pass/fail basis. Passing scores are set by using statistical analysis. At the completion of the Exam, Candidates receive a score report along with a score breakout by Exam section.

How to Register for Your Exam
Register for the proctored Wireshark Certified Network Analyst Exam online at www.webassessor.com/pai.

Step-by-step Exam Registration instructions and complete Exam Preparation recommendations are available at www.wiresharktraining.com/certification.

The Official Exam Prep Guide will be on Amazon around August 23rd - learn more at www.wiresharkbook.com/epg.

Thanks to all of you who have been so patient as we rewrote, redesigned and redeveloped the Exam. We are excited to see Wireshark become more popular each month and hope the Wireshark Certified Network Analyst designation becomes a de facto certification for all IT professionals.

Laura Chappell
---------------------------------------------------------------------------------------------------------------
More information and to download the Exam Information Pack, visit
www.wiresharktraining.com/certification.

Wednesday, July 21, 2010

Wireshark Exam Prep Guide in Final Editing!

Update: The book has gone to the printers. We expect it to be available on Amazon around August 23rd. For more information, visit www.wiresharkbook.com.

Yes - this blog has been quiet for a bit - I've been putting in an unreal amount of time prepping the Wireshark Certified Network Analyst Exam and the new Wireshark Certified Network Analyst Official Exam Prep Guide.

After writing the Wireshark Network Analysis: Official Wireshark Certified Network Analyst Study Guide, we had talked about building a prep guide to provide a feel for the questions on the Exam.

The result is a 202-page Exam Prep Guide that covers over 300 questions in the book and over 300 questions in both timed and untimed exam format on the accompanying CD.

The Exam is about ready to release - both the Exam and Exam Prep Guide should be announced on the same day (get ready). Measure and validate your analysis skills using the Exam Prep Guide and taking the Wireshark Certified Network Analyst Exam!

More information on the Exam release and requirements will be coming up over at www.wiresharktraining.com/certification.

For more information on the Wireshark Certified Network Analyst Official Exam Prep Guide, visit www.wiresharkbook.com/epg.

Are you ready? Check out the Exam Prep questions below:

Note: If Amazon.com doesn't have the Wireshark Network Analysis book in stock, check out our Amazon Marketplace page.

The MAC name resolution process resolves the first 3 bytes of the MAC address to the OUI value contained in Wireshark's manuf file.

__ True
__ False

The first two packets of a single TCP handshake process can be used to determine the long term average round trip latency time between hosts.

__ True
__ False


The display filter tcp.analysis.flags shows all packets that have the TCP Reset bit set to 1.

__ True
__ False


ICMP Destination Unreachable messages sent in response to an FTP connection attempt indicate the FTP port is likely firewalled.

__ True
__ False


Which TCP setting must be enabled in order to use the tcp.analysis.flags display filter?

__ A. Try Heuristic Subdissectors First
__ B. Analyze TCP Sequence Numbers
__ C. Allow Subdissector to Reassemble TCP Streams
__ D. Window Scaling and Relative Sequence Numbers


Which Calc value is best suited to graphing the IO rate using tcp.len?
__ A. SUM(*)
__ B. MIN(*)
__ C. LOAD(*)
__ D. MAX(*)


Enjoy life... one bit at a time.

Laura

Answers: True (that's the purpose of the manuf file), False (you need more than just a single SYN, SYN/ACK to figure out the long-term average RTT), False (this filter shows packets marked as retransmissions, window zero, checksum errors, etc. - not TCP reset packets), True (if the port were open, we'd see a SYN/ACK, if it were closed we'd see a RST - an ICMP Destination Unreachable response, often type 3 code 13 "communication administratively prohibited", indicates a likely firewall), B (the Analyze TCP Sequence Numbers preference must be enabled to use this fantastic Wireshark display filter), A (you want to count up all the TCP data - not just know the minimum or maximum values for the time period - the LOAD(*) is used for time values).