As with all applications, troubleshooting tools evolve, improve and basically change from version to version. It doesn’t matter whether your troubleshooting software changes to keep up with new technology or to improve general overall performance, you should be aware of these changes before you use the tool in the field. I talk a lot about tool calibration in my presentations and classes, and this is yet another example of understanding your troubleshooting tool of choice.
I’ve been using Wireshark since 2000 and am the first to admit, I don’t like too much change all at once, but then again this is the nature of our field.
One of the big reasons to move to version 2.0 is because this version has switched its user interface library from GTK+ to Qt. GTK+ has a huge impact on the look and feel of Wireshark but doesn’t cover all supported platforms.
So I took the plunge and downloaded version 2.0 and thought I would put together a series of short videos introducing analysts to this new interface. If you’ve used Wireshark, you might be thrown off when certain buttons are not where they used to be. And if you are new to Wireshark, the videos should make your learning curve shorter. In this video I’m starting with the new Welcome screen and explain where some of the old features went and show some of the new features.
WIRESHARK IO Graphs And Filters
It’s been over 20 years of installing, troubleshooting, training and writing, and I still think the biggest issue in IT is the technician’s working knowledge of their everyday tools. It doesn’t matter if it’s a physical tool like a cable tester or software: you should not only be familiar with it, but with any changes that come with upgrades.
In this case I chose Wireshark and wanted to show you how display filters affect IO graphs. As I mentioned in the video, this can be ‘bad’ or ‘good’. Which one depends on whether you know about this new ‘feature’ or not.
I always suggest you use your favorite tools on a regular basis so you can spot some of these changes when they appear, so you aren’t caught off guard when you are in the middle of troubleshooting.
...
https://www.youtube.com/watch?v=M_8m-U-9YwQ
When troubleshooting it is quite common to need the MAC address of a host, server or piece of network equipment for a variety of reasons.
For example, many syslog messages or logs may refer to MAC addresses, depending on what the error is. If you are working from the switch, you more than likely need to know the MAC address to figure out which port the target is on for your monitor or span command. And of course if you are using a protocol analyzer, you should always capture with a MAC address when possible.
In this video I review how most people figure out their MAC address and how to determine the MAC address of another device on the same VLAN as you. The issue with this methodology is that in some scenarios you may want to figure out the MAC address of a Microsoft device that is on another VLAN.
Using Microsoft’s getmac command allows you to get your MAC address as well as a remote system’s MAC address. As I mention in the video, this command seems to be using the DCE/RPC protocol, so if you block this protocol on your hosts, servers, or network you might have an issue with the command.
Lastly, you need to know the user name/password on the remote system for this to work remotely.
Hope this helps you with your troubleshooting.
Here are the commands mentioned in the video:
getmac
getmac /V
getmac /V /FO CSV
getmac /S 192.168.1.2 /U "tony fortunato" /P churchill /V
...
https://www.youtube.com/watch?v=E-N68jfI5_c
tons of info at www.thetechfirm.com
TCP Trace Route Tools
Every time I mention traceroute, I get a lot of people commenting that they are not able to perform one because ICMP, the protocol traceroute uses, is blocked or routed differently in their environment.
I then inform people that there are trace route utilities that use UDP or TCP. After going through this process, I figured it was time to do a quick overview of the 3 basic types of TCP trace route tools that I use:
Tracetcp is a free, portable, command line type tool that you can get at https://github.com/simulatedsimian/tracetcp
IPSwitch Whatsup Visual Traceroute is a free graphical tool that you can get at https://www.ipswitch.com/resources/free-tools/visual-traceroute
NetBeez is a cloud based tool that you can get as a virtual appliance or in Raspberry Pi format. You can get the virtual appliance and sign up for your free account at https://netbeez.net/product/plans/netbeez-free/
read the rest at thetechfirm.com
...
https://www.youtube.com/watch?v=7qPm76UPm0s
I thought this would be helpful to show since it’s so portable and about $25. I use this with my tablet, but have also used it for my laptop, etc.
Very helpful
Blog: http://www.lovemytool.com/blog/tony-fortunato/
...
https://www.youtube.com/watch?v=F4JDp7sQrII
Gathering Information
Many times, I have to decide how to capture information. It could be as literal as packets or less obvious such as SNMP, Netflow, etc..
A very common question that I get asked is, “How did you capture that?”, or “How did you decide how you were going to capture that, and with what tool?”
I always start my answer with, “Unfortunately, there are options”. What I mean is that it depends on what you have available and the granularity of the data.
In this video I quickly run through some of the pros and cons of Taps, Port Mirroring and Network Management Protocols.
...
https://www.youtube.com/watch?v=4lTocJYvABM
big note:
YOU NEED TO CAPTURE THE PACKETS FROM WHEN THE COMPUTER JOINS THE ACCESS POINT AND WITH A PROPER CARD OR PACKET CAPTURE TOOL !!!
Packet analysis is tricky enough without layering on WiFi.
First you need to know if you have a WiFi card that can capture the WiFi radio header, then you have to figure out if you can capture in promiscuous mode, then you need to understand if the wireless network has client isolation or similar configurations. Whew…
That’s where having a specifically designed WiFi tool helps. In this example I used a Fluke Networks One Touch to capture some packets. Capturing them was the easy part. Now I have to decrypt them.
I chose to use Wireshark and want to share with you how to decrypt a trace file when the client is using WPA2 encryption.
As I said in the video, the key (no pun) here is to start your capture before the client authenticates with the access point.
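To show why the capture has to include the client joining, here is an added example (my own code, not from the video) that walks through the WPA2-PSK key derivation Wireshark performs: the PMK comes from the passphrase and SSID, but the temporal key that actually decrypts data frames also needs the ANonce and SNonce exchanged in EAPOL messages 1 and 2 of the 4-way handshake. The MAC addresses and nonces below are constructed placeholders; the PMK test vector is the one from IEEE 802.11i Annex H.

```python
import hashlib
import hmac


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PSK -> PMK: PBKDF2-HMAC-SHA1, 4096 iterations, 256-bit output (IEEE 802.11i)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    """802.11i PRF-n: concatenated HMAC-SHA1 blocks over label || 0x00 || data || counter."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:length]


def wpa2_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK for CCMP (384 bits). aa = AP MAC, spa = client MAC; nonces from the handshake.
    Returns the key confirmation key, key encryption key and the temporal key (TK)
    that decrypts the client's data frames."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE"
    pmk = wpa2_pmk("password", "IEEE")
    print("PMK:", pmk.hex())
    # Constructed placeholders; in a real trace these are read from the captured
    # 4-way handshake (EAPOL message 1 carries ANonce, message 2 carries SNonce).
    aa = bytes.fromhex("020000000001")
    spa = bytes.fromhex("020000000002")
    anonce = bytes(range(32))
    snonce = bytes(range(32, 64))
    print("TK:", wpa2_ptk(pmk, aa, spa, anonce, snonce)["TK"].hex())
```

If the handshake is missing from the trace, there is no ANonce/SNonce to feed into the PTK step, which is why Wireshark shows the data frames as still encrypted even with the correct passphrase.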
Getting things to work better - bit by bit-
Linkedin Profile https://ca.linkedin.com/in/fortunat
Youtube Channel: https://www.youtube.com/user/thetechfirm
NetworkDataPedia Blog: https://www.networkdatapedia.com/blog/author/Tony-Fortunato
Network Computing Blog: https://www.networkcomputing.com/author/tony-fortunato
Linkedin Company URL: https://www.linkedin.com/company/the-tech-firm/
...
https://www.youtube.com/watch?v=RnfXiAYqsuc
TCP SYN Analysis - The What and Why’s
I have been in the networking field since 1989 and I am never surprised how many times basic protocol knowledge and analysis skills come into play. Basic knowledge of protocols is becoming essential regardless of whether you are in the security, server, desktop or networking field.
My clients tell me there is no shortage of information on protocols, but find it difficult to find out what it all practically means.
I thought this would be the perfect opportunity to share some knowledge on some of the TCP options, starting with the SYN.
You may recognize that the TCP SYN is part of the 3 way handshake that is used to open, or start, a TCP connection. The SYN itself is very useful in calculating TCP round trip time, which is far more accurate than any ping.
To review, ping uses ICMP which has many inherent possible issues. For example ICMP may be blocked, spoofed, rerouted or treated as a low priority protocol. Any of these scenarios would result in skewed response times.
Some Application Performance Monitoring Tools measure and track the delta time between the TCP SYN and its corresponding ACK. A common term for this measurement is “TCP Connect” time which is used to create a baseline for performance metrics.
The long hand of performing the same measurement is to use a TCP conversation filter (same IP addresses and TCP port numbers) in combination with the TCP SYN FLAG.
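As an added example (not from the article), here is the long-hand measurement coded up: the same conversation filter (both IP addresses plus the server port) combined with the SYN flag, matching each client SYN to the SYN/ACK that answers it. The packet records are constructed sample data; the display filter in the comment is the Wireshark equivalent.

```python
from dataclasses import dataclass


@dataclass
class Pkt:
    t: float      # capture timestamp in seconds
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool


def tcp_connect_times(pkts, client_ip, server_ip, server_port):
    """Return ([(client_port, connect_time_s), ...], [unanswered client ports]).
    Wireshark equivalent of the filter applied here:
      ip.addr==<client> && ip.addr==<server> && tcp.port==<port> && tcp.flags.syn==1
    """
    pending = {}   # client source port -> timestamp of its first SYN
    results = []
    for p in pkts:
        in_conv = {p.src, p.dst} == {client_ip, server_ip} and server_port in (p.sport, p.dport)
        if not in_conv or not p.syn:
            continue            # the conversation filter + SYN flag
        if not p.ack and p.src == client_ip:
            pending.setdefault(p.sport, p.t)   # retransmitted SYNs keep the first time
        elif p.ack and p.dst == client_ip and p.dport in pending:
            results.append((p.dport, round(p.t - pending.pop(p.dport), 6)))
    return results, sorted(pending)


# Constructed trace: client 10.0.0.5 opening connections to 10.0.0.80:443
SAMPLE = [
    Pkt(0.000000, "10.0.0.5", 50000, "10.0.0.80", 443, True, False),
    Pkt(0.012300, "10.0.0.80", 443, "10.0.0.5", 50000, True, True),
    Pkt(0.012500, "10.0.0.5", 50000, "10.0.0.80", 443, False, True),  # handshake ACK, ignored
    Pkt(0.500000, "10.0.0.5", 50100, "10.0.0.9", 80, True, False),     # other server, filtered out
    Pkt(1.500000, "10.0.0.5", 50001, "10.0.0.80", 443, True, False),
    Pkt(1.600000, "10.0.0.80", 443, "10.0.0.5", 50001, True, True),
    Pkt(2.000000, "10.0.0.5", 50002, "10.0.0.80", 443, True, False),   # never answered
    Pkt(3.000000, "10.0.0.5", 50002, "10.0.0.80", 443, True, False),   # SYN retransmission
]

if __name__ == "__main__":
    times, unanswered = tcp_connect_times(SAMPLE, "10.0.0.5", "10.0.0.80", 443)
    print("TCP connect times:", times)
    print("SYNs with no SYN/ACK:", unanswered)
```

Unanswered SYNs are worth reporting alongside the connect times, since a SYN that is retransmitted or never answered is a handshake problem the average of the successful ones hides.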
There are many options that can only be seen in the SYN packet that may help when troubleshooting and are worth documenting as part of your application baseline.
In my next articles I will be covering some of the following options: WIN, MSS, SACK_PERM and WS. In each article I want to cover what the option does and how it impacts performance.
Create video showing how to filter on a TCP conversation, etc…
...
https://www.youtube.com/watch?v=tCanCjEQpGg
As I always say in my presentations, it doesn’t take much to use a protocol analyzer and capture some packets. Usually you can perform a high level analysis to better understand your applications.
In this video I use Wireshark to better understand how this discovery utility finds IP addresses and names.
Enjoy
...
https://www.youtube.com/watch?v=OqQscc9gXDs