
WIRESHARK - LOOKING INTO THE PACKET
Wireshark - Technology

Wireshark - Looking into the Packet

Protocol analysis is one of the best methods for troubleshooting network problems in and out of the cloud. Having designed, created and implemented technology for analyzing the cloud network, I think it is time to look at ways of defining the cloud from the inside out.

One of the most interesting things about networks is that they usually tell you if there is a problem. Three basic issues occur with networks: slow throughput, no throughput, and corrupted data. Many things cause these issues to occur, and many events may occur because of these three issues, but these are the core. Incorrect configuration of switches/routers may cause these issues to occur. Incorrectly configured servers may also cause these issues to occur. The important thing is to be able to tell what is happening and why. This is where protocol analysis comes in. Protocol analyzers allow the network or systems administrator to see what is occurring on the network, or what their systems are responding to and how. For instance, the protocol analyzer divides the transaction of packets up into usually 5-6 divisions of function based on the TCP/IP protocol stack.

The Background

First, you have Frame data (bytes on the wire), which constitutes the information linked to the frame (Interface ID, Encapsulation Type, Time data, Frame Number, Frame Length, Protocols in Frame, etc.). This data can be used to help troubleshoot Layer 1 issues and situations if the network (Physical Layer) baseline is known.

Second, you have the Data Link Layer data (based on Encapsulation Type), which constitutes the information linked to the data link mode of your system, usually Ethernet, but can include Frame Relay, ATM, or other Layer 2 technologies. The sections covered in Ethernet are the Source Media Access Control Address and the Destination Media Access Control Address; the information gathered from Address Resolution Protocol (Source MAC Address, and Destination Internet Protocol Address linked to MAC Address); the Source and Destination LG and IG bits, used to show the globally unique address and individual address positions (extracted from the MAC Address); and then the EtherType, which for IP carried over Ethernet is 0x0800.

Third, you have the Internetworking Layer data. This section includes the IP version (4 or 6), header length, Differentiated Services, Explicit Congestion Notification (ECN), total length of packet, packet identification, flags (Reserved bit, Don't Fragment, More Fragments), Fragment Offset, Time To Live, Protocol (TCP/UDP), header checksum, checksum data, and the source and destination domain-to-IP link.

Fourth, you have the Transmission Control Protocol layer data, which gives you the source and destination port data, sequence number, acknowledgement number, header length, flags (reserved, nonce, congestion window reduced, ECN-echo, urgent, acknowledgement, push, reset, synchronization, and finish), window size, checksum, and analysis of sequence and acknowledgement.

Fifth, you have the data which is sent, or, as it is called, the payload. The data also includes its length.

Now, you might ask, "What is this review of the protocol stack for?" Well, it is to show you, the reader, that the protocol analyzer can contain data that you need to complete your work, or at least tell you where a problem may exist. For instance, I was working on a project and one of the programmers was having a problem getting her program to run. The young woman was a pure programmer with no knowledge of network or other data resources. She knew how to program and that was it. Therefore, it was no surprise that when she made a call to a process to execute a command on another system her program would fail. She traced the fault to a command that made a system call using a socket (IP Address:Port). She was told by her project manager to talk to one of the network people (me) about the issue, so what did I do? On her system, I installed a protocol analyzer and looked at her interface; just as expected, the program could not locate the asset online. Therefore, I told her that the program was working fine and that before the system call she should write some code to do a resource check that would either put the program into a wait condition with periodic checks or throw an exception that states that the resource is busy and to try again later. She wrote the code to do both, and when the remote system was back up and running the program ran without a problem. This is one example of how protocol analysis can be used to aid in network troubleshooting that extends into the realm of programming. The program was making use of cloud assets, which permitted the use of a protocol analyzer.

Why is this important? As more programming ventures into remote or virtual connections, as in connecting to virtualized and cloud-based systems, the use of protocol analysis will become more commonplace. A once-ignored facet of network troubleshooting is going to become a widely used method of verifying network connectivity of virtualized and cloud-based systems.

There are many protocol analyzers out there and they all function in about the same way. However, there is a complexity involved with using a protocol analyzer to troubleshoot network-wide issues and events. I experienced this while working at Verizon. I was helping a colleague troubleshoot a network problem, which required the use of multiple protocol analyzers installed to provide data so as to correlate network events with network problems. Using the multiple analysis systems was easy, but correlating the data was not, because the units were not synced up and the data was captured at different times. It was during this "comedy of errors" that an idea emerged that led to a method being developed to provide correlation to the protocol analysis/capture process. After some time and effort, we (Jimmie Peterman, Rosa Underwood, Emory Young, and I) developed a way to capture and correlate data that could be used on enterprise networks to troubleshoot events in such a way that a person could tell what was happening without having to have an extensive knowledge of the network. The method and device were the subject of patent application 20110317562 and the subsequent granting of United States Patent US8064350.

Understanding the layout of the protocol analyzer is one thing, but looking at it for the data that can be harvested from a capture is the power of the analyzer. I have attached a file to this document to help you understand how to read a protocol analyzer during a simple troubleshooting exercise that will be discussed in the latter part of this paper. For now, let us discuss the technology of protocol analysis.

The Technology

To some of you this may appear to be a mundane exercise, but one thing I have seen consistently is the writing of programs for use on the Internet/cloud and people having problems with the application of remote sockets. This is a problem made for the use of a protocol analyzer. There was a time when the protocol analyzer was used only for network troubleshooting. To use a protocol analyzer you had to invest in a system that may have cost thousands of dollars, but because of the open source movement you now have a choice of free, very well coded software-based protocol analyzers such as Wireshark (I use this one, so this will be about Wireshark).

As I mentioned, in the past your choices were limited to some very costly equipment such as the hardware-based Radcom Protocol Analyzer, Teledyne LeCroy Analyzer, and the HP/Agilent LAN Analyzer; on the software side you had EtherPeek and Agilent's analyzer software. The fact was that to do protocol analysis you had to spend a lot of money, which put the proper troubleshooting of network problems out of the range of most small companies. Then the Security Administrator Tool for Analyzing Networks (SATAN) was invented. "SATAN is a tool to help systems administrators. It recognizes several common networking-related security problems, and reports the problems without actually exploiting them" (porcupine.org, 1995).

SATAN permitted for the first time (open source tool-wise) the viewing of network activity in response to network stimuli. This opened the door for other advancements such as Ethereal, which was the first full-featured open source protocol analyzer. Now, take into mind that it was not the first open source protocol analyzer; it was the first full-featured protocol analyzer (there is a difference). Ethereal remained the number 1 free open source protocol analyzer for years, before finally being surpassed by Wireshark. Now, this is another gotcha: Wireshark is Ethereal all grown up. Wireshark expanded on the feature sets of Ethereal and added a lot of support for other network technologies that were left out of the Ethereal feature set.

Now, since we all like free stuff, I am going to guess that Wireshark is looking good to you now as a possible alternative to the standard protocol analyzers. If so, go online and download it. It will load two major pieces of code. The first is the Wireshark package, which includes the analyzer and the protocol modules. The next piece of code is the subsystem that permits the capture of packets over the network interface; this code is called pcap (for UNIX/Linux) or, to be more inclusive, WinPcap (for Windows). I would be remiss if I did not discuss pcap and its role in the use of protocol analysis.

Packet capture (pcap) is a command line tool that contains the APIs which permit the capturing of packets over the network interface of a system. The program itself, from what I know, is written in C. This permits higher-level languages (Java, Tcl, .NET, and other scripting-type languages) to pass and receive variables/data sets and to interact with the pcap program in an almost seamless fashion. In fact, on Linux and UNIX systems tcpdump uses the pcap library (libpcap) to provide packet capture output. *Note: The tcpdump group wrote pcap. Packet capture (pcap) can be used as a standalone program, or a wrapper (Ethereal, Wireshark) that permits GUI use of the library can access it. Many programs use the pcap library, which makes it one of the most used programs in the network arena.
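The five divisions described under The Background, and the pcap library just discussed, as an added example that is not code from the paper or from the Wireshark, tcpdump or libpcap projects: a Python script that builds a small pcap file in memory (one constructed TCP SYN frame between RFC 5737 test addresses, with a constructed timestamp) and decodes it into the frame, Ethernet, IPv4, TCP and payload fields the way an analyzer's detail pane lays them out. It handles only the classic little-endian microsecond pcap format with the Ethernet link type; the function names, field names and sample values are the example's own.

```python
"""Decode one frame from an in-memory pcap file into the five divisions the
paper describes (frame, data link, internetworking, TCP, payload).
Added example, not the paper's code. Standard library only."""
import struct
from typing import Any, Dict, List

PCAP_MAGIC = 0xA1B2C3D4        # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over an IPv4 header whose checksum field is zero."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_sample_pcap() -> bytes:
    """Constructed sample: a TCP SYN 192.0.2.10:40000 -> 192.0.2.80:80 with a
    4-byte payload, wrapped in a pcap global header and one record header."""
    payload = b"ping"
    src_mac = bytes.fromhex("02aabbccddee")   # LG bit set: locally administered, unicast
    dst_mac = bytes.fromhex("001122334455")   # globally unique, unicast
    # sport, dport, seq, ack, (data offset 5 << 12) | SYN, window, checksum, urgent
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1000, 0, (5 << 12) | 0x002, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip_no_csum = struct.pack("!BBHHHBBH4s4s", 0x45, 0x00, total_len, 0x1234, 0x4000,  # DF set
                             64, 6, 0, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 80]))
    ip = ip_no_csum[:10] + struct.pack("!H", ipv4_checksum(ip_no_csum)) + ip_no_csum[12:]
    frame = dst_mac + src_mac + struct.pack("!H", 0x0800) + ip + tcp + payload
    global_hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    record_hdr = struct.pack("<IIII", 1700000000, 123456, len(frame), len(frame))  # constructed time
    return global_hdr + record_hdr + frame


def mac_str(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)


def decode_frame(raw: bytes, number: int, ts: float, orig_len: int) -> Dict[str, Any]:
    """Peel one Ethernet frame into the layers the paper enumerates."""
    layers: Dict[str, Any] = {"frame": {"number": number, "time": ts,
                                        "length": orig_len, "captured": len(raw)}}
    dst, src, ethertype = raw[:6], raw[6:12], struct.unpack("!H", raw[12:14])[0]
    layers["ethernet"] = {"dst": mac_str(dst), "src": mac_str(src), "ethertype": ethertype,
                          "src_lg_local": bool(src[0] & 0x02), "src_ig_group": bool(src[0] & 0x01),
                          "dst_lg_local": bool(dst[0] & 0x02), "dst_ig_group": bool(dst[0] & 0x01)}
    if ethertype != 0x0800:            # only IPv4 is decoded here
        return layers
    ip = raw[14:]
    vihl, tos, tlen, ident, ff, ttl, proto, csum, s, d = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (vihl & 0x0F) * 4
    layers["ip"] = {"version": vihl >> 4, "header_len": ihl, "dscp": tos >> 2, "ecn": tos & 3,
                    "total_len": tlen, "id": ident, "df": bool(ff & 0x4000), "mf": bool(ff & 0x2000),
                    "frag_offset": ff & 0x1FFF, "ttl": ttl, "protocol": proto, "checksum": csum,
                    "checksum_ok": ipv4_checksum(ip[:10] + b"\x00\x00" + ip[12:ihl]) == csum,
                    "src": ".".join(map(str, s)), "dst": ".".join(map(str, d))}
    if proto != 6:                     # only TCP is decoded here
        return layers
    tcp = ip[ihl:tlen]
    sport, dport, seq, ack, off_flags, win, tcsum, urg = struct.unpack("!HHIIHHHH", tcp[:20])
    doff = (off_flags >> 12) * 4
    names = ["fin", "syn", "rst", "psh", "ack", "urg", "ece", "cwr", "ns"]  # bit 0 upward
    layers["tcp"] = {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "header_len": doff,
                     "flags": [n for i, n in enumerate(names) if off_flags & (1 << i)],
                     "window": win, "checksum": tcsum, "urgent": urg}
    payload = tcp[doff:]
    layers["payload"] = {"length": len(payload), "bytes": payload}
    return layers


def decode_pcap(data: bytes) -> List[Dict[str, Any]]:
    """Walk the pcap records and decode each frame; frame numbers start at 1 as in Wireshark."""
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap file")
    if struct.unpack("<I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is handled")
    frames, off, number = [], 24, 1
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack("<IIII", data[off:off + 16])
        raw = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        frames.append(decode_frame(raw, number, ts_sec + ts_usec / 1e6, orig_len))
        number += 1
    return frames


if __name__ == "__main__":
    for layer, fields in decode_pcap(build_sample_pcap())[0].items():
        print(layer, fields)
```

The IP checksum is recomputed rather than trusted, which is the same check an analyzer makes when it flags a corrupted header; on a real capture taken with checksum offload enabled, outgoing frames will fail that check on the sending host even though the wire sees correct packets, so a baseline from the same host is needed before treating it as corruption.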

Now, since we have discussed the histories of Wireshark and pcap, let's get into the actual technology embodied by these two programs. When used in unison the two programs are able to provide information as to the condition of the packets in a network. The next part of this three-part blog will be how Wireshark works. I will be examining a way of troubleshooting a web site problem using two protocol analyzers. This method will be based on a system that I helped design and was the topic of US patent #7,899,323, MULTI-INTERFACE PROTOCOL ANALYSIS SYSTEM. Now take into mind that I will not be doing the full implementation of patent #7,899,323, just a subset that will permit me to show how to use Wireshark and tcpdump to troubleshoot problems in the cloud.

The Application

This is the fun part; first we need to know what a good web site session looks like using Wireshark. This paper has attached to it a file containing a Wireshark capture of a good web site session to www.google.com and other sites. The start of all troubleshooting begins with the development of a baseline capture to level-set readings. This is done to provide a comparison between a good reading and a possible bad reading. I will use a real-life problem I experienced troubleshooting a problem on an executive's computer at a company where I used to work. Starting off, here is an analog of a baseline capture file:

[Figure 2]

For decoding to take place, follow these instructions:
1) On the menu bar, open the View item
2) Select Name Resolution
3) Click on Enable for Network Layer
4) ... like this:

[Figure 4]

[Figure 5]

Figure 6: nslookup of Google on the infected machine

Links:
...sharktraining.com/
http://www.amazon.com/s/?ie=UTF8&keywords=wireshark&tag=googhydr-20&index=aps&hvadid=21387143575&hvpos=1t1&hvexid=&hvnetw=g&hvrand=10410599351559150147&hvpone=&hvptwo=&hvqmt=b&hvdev=c&ref=pd_sl_2789p0sl8p_b

Read and enjoy using Wireshark.
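The resource check recommended in the anecdote under The Background (before the socket call, either wait with periodic checks or throw an exception saying the resource is busy and to try again later), as an added example that is not code from the paper: a Python module whose guarded call probes the remote socket (IP Address:Port) first, polls it for a bounded number of attempts, and raises a named exception when it stays unreachable. The two demo functions stand up a loopback listener (or deliberately pick a loopback port with no listener) so the module runs offline; the class, function and parameter names are the example's own.

```python
"""Resource check before a remote socket call: wait mode with periodic
re-checks, or exception mode that reports the resource as busy.
Added example, not the paper's code. Standard library only."""
import socket
import threading
import time
from typing import Callable, Optional

Check = Callable[[str, int], bool]


class ResourceBusy(Exception):
    """Raised when the remote socket (host:port) stays unreachable."""


def probe(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP connection to host:port can be opened right now."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, timed out, name lookup failure
        return False


def wait_for_resource(host: str, port: int, attempts: int = 5,
                      interval: float = 2.0, check: Optional[Check] = None) -> int:
    """Wait mode: poll until the resource answers and return the probe count.
    After `attempts` failed probes switch to exception mode and raise ResourceBusy."""
    check = check or probe
    for n in range(1, attempts + 1):
        if check(host, port):
            return n
        if n < attempts:
            time.sleep(interval)
    raise ResourceBusy(f"{host}:{port} is busy or offline after {attempts} checks; "
                       "try again later")


def call_remote(host: str, port: int, request: bytes, attempts: int = 5,
                interval: float = 2.0, check: Optional[Check] = None) -> bytes:
    """The guarded call: check the resource first, then connect and exchange data."""
    wait_for_resource(host, port, attempts, interval, check)
    with socket.create_connection((host, port), timeout=5.0) as s:
        s.sendall(request)
        return s.recv(4096)


def demo_busy_resource() -> str:
    """Offline demo of the exception path: a loopback port with no listener."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()  # nothing listens here now, so every probe is refused
    try:
        wait_for_resource("127.0.0.1", port, attempts=3, interval=0.0)
    except ResourceBusy as exc:
        return str(exc)
    return "unexpectedly reachable"


def demo_available_resource() -> bytes:
    """Offline demo of the happy path: a loopback echo listener in a thread."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(2)
    port = srv.getsockname()[1]

    def serve() -> None:
        for _ in range(2):  # first accept is the probe, second is the real request
            conn, _ = srv.accept()
            with conn:
                data = conn.recv(4096)
                if data:
                    conn.sendall(b"OK " + data)

    threading.Thread(target=serve, daemon=True).start()
    try:
        return call_remote("127.0.0.1", port, b"run job", attempts=3, interval=0.0)
    finally:
        srv.close()


if __name__ == "__main__":
    print(demo_busy_resource())
    print(demo_available_resource())
```

Run with Wireshark or tcpdump listening on the loopback interface, the busy demo shows the pattern the anecdote describes: repeated SYNs answered by RST, with no data ever exchanged, which is the capture-level symptom that tells you the program is fine and the resource is what is missing.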
