Analyzing TCP/IP Networks with Wireshark

Please contact us to set up your private Analyzing TCP/IP Networks with Wireshark training course!

Retail Price: $2,695.00

Next Date: Request Date

Course Days: 3


You Will Learn

  • Wireshark Certified Network Analyst Exam 
  • About the Course Author Wireshark University/Chappell University Founder
  • Course Logistics
  • Course Supplements
  • Simple Course Set Up
  • The Creation of Ethereal… then Move to Wireshark
  • The Wireshark License
  • Get the Latest Version of Wireshark
  • Stable Release Version/Subversion Numbering
  • Developer Release Version/Subversion Numbering

Course Outline

Section 1: Troubleshooting Methodology

  • Overview of a Four-Part Analysis Methodology 
  • Task 1: Define the Problem
  • Task 2: Collect System, Application and Path Information
  • Task 3: Capture and Analyze Packet Flows
  • Task 4: Consider Other Tools
  • Use a Troubleshooting Checklist
  • Verify Trace File Integrity and Basic Communications
  • Focus on Complaining User’s Traffic
  • Detect and Prioritize Delays
  • Look for Throughput Issues
  • Check Miscellaneous Traffic Characteristics
  • TCP-Based Application: Determine TCP Connection Issues/Capabilities
  • TCP-Based Application: Identify TCP Issues
  • UDP-Based Application: Identify Communication Issues
  • Spot Application Errors

Section 2: Master Key Wireshark® Troubleshooting Tasks

  • Top Causes of Performance Problems
  • Capturing Traffic: Link-Layer Interfaces 
  • Opening Trace Files
  • Processing Packets
  • Core Engine
  • Dissectors, Plugins and Display Filters
  • The Qt Framework Provides the User Interface
  • The Qt Interface Overview
  • First Step: Create a Troubleshooting Profile
  • The Icon Toolbar
  • Sample 3-Day Course Outline: Analyzing TCP/IP Networks with Wireshark
  • Master the Intelligent Scrollbar
  • The Changing Status Bar
  • Right-Click Functionality
  • Keyboard Shortcuts (Accelerators)
  • General Analyst Resources
  • How to Use ask.wireshark.org
  • Your First Task When You Leave Class - Baseline
  • Use Annotations
  • Use Logical Naming Conventions for Trace Files
  • Customize the User Interface
  • Add Custom Columns for the Packet List Pane
  • Define Name Resolution Preferences
  • Mapping IP Addresses on the Earth (GeoIP Mapping)
  • Build Permanent Coloring Rules
  • Identify a Coloring Source
  • Apply Temporary Coloring
  • Mark Packets of Interest
  • Capture File Properties
  • View Active Protocols
  • Filter On or Colorize Protocol Traffic
  • Locate the Most Active Conversations and Endpoints
  • Follow TCP Streams to Reassemble Data
  • Graph the Traffic Flows for a More Complete View
  • Quick Overview of VoIP Traffic Analysis
  • Watch for Error Codes and Packet Loss


Section 3: Learn Capture Methods and Use Capture Filters

  • Capture Issues
  • Task Offload (Including Checksum Offload)
  • Dropped Packets During Capture
  • Analyzer Placement: Switches
  • Walk-Through a Sample SPAN Configuration 
  • Analyze Full-Duplex Links with a Network TAP
  • Analyzing Wireless Networks
  • Initial Analyzing Placement
  • Identify Active Capture Interfaces Using Sparklines
  • Save Directly to Disk
  • Save to File Sets for Manageable File Sizes
  • Use a Ring Buffer to Avoid Filling a Drive
  • Capture Output and Options
  • Define the Criteria to Create a New File
  • Define Auto-Stop Criteria
  • Limit Your Capture with Capture Filters
  • Examine Key Capture Filters

Section 4: Troubleshoot with Time

  • Examine the Delta Time
  • Set a Time Reference
  • Compare Timestamp Values
  • Seconds Since Beginning of Capture
  • Seconds Since Previous Captured Packet 
  • Compare Timestamps of Filtered Traffic
  • Seconds Since Previous Displayed Packet
  • Enable and Use TCP Conversation Timestamps
  • Compare TCP Conversation Timestamp Values
  • Determine the Initial Round Trip Time (iRTT)
  • Troubleshooting Example Using Time
  • Wire Latency
  • Processor Latency
  • Analyzing Delay Types
  • Detect DNS Delays
  • Detect HTTP Delays 

Section 5: Master Basic and Advanced IO Graph Functions

  • Graph Throughput to Spot Performance Problems Quickly
  • Graph Specific Traffic with Filters
  • Distinguish Traffic with Various Styles
  • Advanced I/O Graphing
  • SUM(Y Field) Graphing
  • MAX(Y Field), MIN(Y Field), and AVG(Y Field) Graphing
  • COUNT FRAMES(*) or COUNT FIELDS(*) Calc
  • LOAD(Y Field) Graphing
  • Graph Round Trip Times
  • Graph TCP Throughput
  • Find Problems Using TCP Time Sequence Graphs
  • Identify TCP Window Size Problems
  • Identify Retransmissions

Section 6: Focus on Traffic Using Display Filters

  • Overview of Display Filters
  • Filter on Conversations/Endpoints
  • Build Filters Based on Packets
  • Apply as Filter (Apply Now)
  • Prepare a Filter (Manually Apply)
  • Understand Display Filter Syntax
  • Use Comparison and Membership Operators
  • Filter on Text Strings
  • Regular Expressions 101
  • Build Filters Expression Buttons
  • Watch for Common Display Filter Mistakes
  • Filter Error Checking

Section 7: TCP/IP Communications and Resolutions Overview

  • TCP/IP Functionality Overview
  • When Everything Goes Right
  • The Multi-Step Resolution Process
  • Port Number Resolution
  • Name Resolution
  • Location Resolution
  • Local – MAC Address Resolution
  • Remote – Route Resolution
  • Remote – MAC Address Resolution for a Gateway
  • Resolution Helped Build the Packet
  • Where Can Faults Occur?
  • Typical Causes of Slow Performance

Section 8: Analyze Transmission Control Protocol (TCP)

  • TCP Overview
  • The TCP Connection Process
  • Watch Service Refusals
  • TCP Packet Structure
  • Source Port Field
  • Destination Port Field
  • Sequence Number Field
  • Acknowledgment Number Field
  • Data Offset Field (Header Length field)
  • Flags Field
  • Window Field
  • Checksum Field
  • Urgent Pointer Field
  • TCP Options Field(s)
  • The TCP Sequencing/Acknowledgment Process
  • TCP Segmentation Offload (TSO)
  • Packet Loss Detection
  • Retransmission Detection
  • Fast Recovery/Fast Retransmission Detection
  • Spurious Retransmission Detection
  • Out-of-Order Segment Detection
  • Selective Acknowledgement (SACK) Overview
  • TCP Sliding Window Overview
  • Window Scaling Overview
  • Window Size Issue: Receive Buffer Problem
  • Window Size Issue: Unequal Window Size Beliefs

Section 9: Identify Problems Using Wireshark’s Expert

  • Troubleshoot TCP Quickly with Expert Information
  • TCP Expert Information Details Sample
  • Expert Information Classifications
  • What Triggers TCP Retransmissions?
  • What Triggers Fast Retransmission?
  • What Triggers Spurious Retransmissions?
  • What Triggers Previous Segment Not Captured?
  • What Triggers ACKed Unseen Segment?
  • What Triggers Keep Alive?
  • What Triggers Duplicate ACK?
  • What Triggers Zero Window?
  • What Triggers Zero Window Probe?
  • What Triggers Zero Window Probe ACK?
  • What Triggers Keep Alive ACK?
  • What Triggers Out-of-Order?
  • What Triggers Window Update?
  • What Triggers Window Full?
  • What Triggers TCP Ports Reused?
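To make the Section 4 iRTT measurement and the Section 9 "What Triggers ..." rules concrete, here is a small Python model of those heuristics. It is an added example, not course material and not Wireshark's own code. The two addresses (10.0.0.1 and 10.0.0.2), the sequence numbers and the whole segment list are constructed, and the rules are reduced forms of the conditions Wireshark documents for its tcp.analysis flags: no SACK, window scaling or RTO-based timing, so Wireshark's verdict can differ in corner cases.

```python
"""Simplified model of Wireshark's TCP expert heuristics: an added example, not
course material or Wireshark code. One connection, absolute seq numbers, plain
dict segments built below; SACK, window scaling and RTO timing are ignored."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class SenderState:
    nextseq: Optional[int] = None   # next sequence number expected from this sender
    last_ack: Optional[int] = None  # ack number in the last segment it sent
    last_win: Optional[int] = None  # window it advertised in that segment
    dupacks: int = 0                # consecutive duplicate ACKs it has sent
    acked_upto: int = 0             # highest ack the peer has sent for its data


def analyze(segments):
    """Return (labels, irtt): labels maps 1-based frame number to expert labels,
    irtt is the SYN-to-handshake-ACK time in seconds (None if no handshake)."""
    state, labels = {}, {}
    syn_src, syn_time, irtt = None, None, None
    for frame, s in enumerate(segments, start=1):
        me = state.setdefault(s["src"], SenderState())
        peer = state.setdefault(s["dst"], SenderState())
        f, notes = s["flags"], []
        ctl = f & {"S", "F", "R"}
        seg_end = s["seq"] + s["len"] + ("S" in f) + ("F" in f)  # SYN/FIN use a seq number

        if f == {"S"}:                                  # client SYN starts the iRTT clock
            syn_src, syn_time = s["src"], s["t"]
        elif irtt is None and s["src"] == syn_src and "A" in f and "S" not in f:
            irtt = s["t"] - syn_time                    # third handshake packet

        if s["win"] == 0 and not ctl:
            notes.append("Zero Window")
        elif s["len"] <= 1 and not ctl and me.nextseq is not None and s["seq"] == me.nextseq - 1:
            notes.append("Keep-Alive")
        elif s["len"] > 0 and me.nextseq is not None and s["seq"] > me.nextseq:
            notes.append("Previous segment not captured")   # gap: analyzer missed data
        elif s["len"] > 0 and me.nextseq is not None and s["seq"] < me.nextseq:
            if peer.dupacks >= 2 and s["seq"] == peer.last_ack:
                notes.append("Fast Retransmission")         # resend triggered by dup ACKs
            elif seg_end <= me.acked_upto:
                notes.append("Spurious Retransmission")     # peer already acked this data
            else:
                notes.append("Retransmission")
        elif s["len"] == 0 and "A" in f and not ctl:
            if s["ack"] == me.last_ack and s["seq"] == me.nextseq:
                if s["win"] == me.last_win:
                    me.dupacks += 1
                    notes.append(f"Duplicate ACK #{me.dupacks}")
                else:
                    notes.append("Window Update")           # same ack, new window

        if "A" in f:
            if s["ack"] != me.last_ack:
                me.dupacks = 0                          # a new ack number ends the dup run
            me.last_ack, me.last_win = s["ack"], s["win"]
            peer.acked_upto = max(peer.acked_upto, s["ack"])
        if me.nextseq is None or seg_end > me.nextseq:
            me.nextseq = seg_end
        if notes:
            labels[frame] = notes
    return labels, irtt


C, S = "10.0.0.1", "10.0.0.2"   # constructed client and server addresses

def seg(t, src, dst, seq, ack, length, flags, win=65535):
    return dict(t=t, src=src, dst=dst, seq=seq, ack=ack, len=length, flags=set(flags), win=win)

def sample_trace():
    """Constructed conversation exercising each rule above."""
    return [
        seg(0.000, C, S, 1000, 0, 0, "S"),
        seg(0.020, S, C, 5000, 1001, 0, "SA"),
        seg(0.021, C, S, 1001, 5001, 0, "A"),          # iRTT = 21 ms
        seg(0.030, C, S, 1001, 5001, 100, "AP"),
        seg(0.050, S, C, 5001, 1101, 0, "A"),
        seg(0.060, C, S, 1101, 5001, 100, "AP"),
        seg(0.061, C, S, 1301, 5001, 100, "AP"),       # 1201..1300 never captured
        seg(0.080, S, C, 5001, 1201, 0, "A"),
        seg(0.081, S, C, 5001, 1201, 0, "A"),          # dup ACK #1
        seg(0.082, S, C, 5001, 1201, 0, "A"),          # dup ACK #2
        seg(0.083, S, C, 5001, 1201, 0, "A"),          # dup ACK #3
        seg(0.085, C, S, 1201, 5001, 100, "AP"),       # fast retransmission
        seg(0.100, S, C, 5001, 1401, 0, "A"),
        seg(0.400, C, S, 1301, 5001, 100, "AP"),       # spurious: already acked
        seg(0.500, C, S, 1401, 5001, 50, "AP"),
        seg(0.900, C, S, 1401, 5001, 50, "AP"),        # plain retransmission after RTO
        seg(0.950, S, C, 5001, 1451, 0, "A", win=0),   # zero window
        seg(1.200, S, C, 5001, 1451, 0, "A", win=8192),  # window update
        seg(2.000, C, S, 1450, 5001, 0, "A"),          # keep-alive (nextseq - 1)
    ]

if __name__ == "__main__":
    labels, irtt = analyze(sample_trace())
    print(f"iRTT {irtt * 1000:.1f} ms", labels)
```

Running the file prints the iRTT and the per-frame labels for the constructed conversation. Comparing the same checks against the Expert Information pane on a real capture shows where Wireshark's extra state (RTO-based out-of-order detection, SACK blocks, scaled windows) changes a verdict, which is exactly the judgement the Section 9 topics train.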

Section 10: Command-Line and 3rd Party Tools

  • Tshark and Dumpcap Command-Line Tools
  • Capinfos Command-Line Tool
  • Editcap Command-Line Tool
  • Mergecap Command-Line Tool
  • Sanitize Trace Files
  • Other Tools
