Hands-On Lab: Lab 1: Capture Traffic To/from Your Hardware Address

Wireshark University (www.wiresharktraining.com)

Hands-On Lab
IMPORTANT:
The method for applying capture filters changed in Wireshark 1.8. Many people
on ask.wireshark.org complain because they must expand the capture option
window to see the Capture Filter column. Hopefully the developers will consider
this issue and make some changes to the interface to reduce this confusion.

Lab 1: Capture Traffic to/from Your Hardware Address

Step 1 First you must obtain the hardware address of your machine. Open the
command prompt on your system and type ipconfig /all (Windows) or
ifconfig -a (Linux/Mac OS X).

Write your Ethernet hardware address (physical address) below.

________:________:________:________:________:________

Do not close the command prompt window. You will return to this window to
connect to the target.

Step 2 In Wireshark, click the Capture Options icon and select the interface.
IMPORTANT: Expand the Capture Options window to see the Capture Filter
column.

Step 3 Double-click on the Capture Filter column.

Troubleshooting TCP/IP Networks with Wireshark® Student Manual [9879C-003] Page 35



Step 4 Click the Capture Filter button in the Edit Interface Settings window.

Step 5 In the Capture Filter window, click on the first sample capture filter named
Ethernet address 00:08:15:00:08:15.

Notice the syntax of the filter string. You will use this same format when
creating a capture filter for traffic to or from your hardware address.

Step 6 Click New. Since you selected a capture filter in Step 4, Wireshark creates a
new copy of that filter.

Scroll down to see a new copy of the Ethernet address 00:08:15:00:08:15 filter
in the Capture Filter window.


Step 7 Change the name of the new filter to MyMac. Change the Ethernet address to
your Ethernet address (written in Step 1).

Replace the Ethernet address shown with your address. An example is shown
below.

Click OK.

Step 8 Your new capture filter is listed in the Capture Options window. Click OK to
close this window.

Click OK to close the Edit Interface Settings window. You should now be
viewing the Capture Options window.

Next you will set up Wireshark to automatically save your captured packets to a
file.


Step 9 Click the Browse button on the Capture Options window. Navigate to your
desktop. Click the Create Folder button on the Specify a Capture File window
to make a new folder called traces-class on your system. Double-click on your
new folder.

In the Name area, enter the trace file name lab1ftp.pcapng.

Click OK.

Step 10 If required, toggle to place the Capture Options window in the foreground.

The file name defined in Step 9 is listed in Capture File(s) area of the Capture
Options window. You will manually stop the capture process. No additional
configuration is necessary.

Click Start.

Step 11 Return to the command prompt and enter ftp target (use the target IP address
or target name defined by your instructor at the beginning of this lab exercise).

Perform any other steps defined by the instructor. Note them below.

_______________________________________________________________

_______________________________________________________________

_______________________________________________________________


Step 12 Return to Wireshark and click the Stop Capture button.


Review the traffic generated during the FTP process. The trace file only
contains traffic to and from your Ethernet address.

HOT TIP
You may also consider creating a Not My Mac filter to exclude your own traffic from
a trace file. This enables you to listen in on background network traffic while
removing your own traffic from the trace file.

Video Tutorial: wiresharku_lab1.mp4


The video_tutorial directory of your student DVD contains a video showing the
steps related to this lab exercise.


Hands-On Lab
Lab 2: Create Your Troubleshooting Profile
Overview You will create a profile and use this profile through the remainder of this
course. The profile will eventually contain numerous filters, coloring rules and
columns to speed up the troubleshooting process.
Lab Steps

Step 1 Open Wireshark.

Step 2 Right-click on the Status Bar Profile column and select New. Select to create
your new profile from the Default. Name your new profile Troubleshooting.

If your version of Wireshark does not support this right-click functionality, select
Edit | Configuration Profiles. Select the Default profile and click Copy.
Step 3 Click OK. Your new profile name is shown in the right column of the Status Bar.

Step 4 Select Help | About Wireshark and select the Folders tab.

Step 5 Profiles are contained in the Personal Configuration directory. This directory
location is dependent on the operating system upon which Wireshark was
installed.

Double-click the hyperlink to open your Personal Configuration directory.

Step 6 Wireshark creates a Profiles directory when you create your first custom profile.
Open the Profiles directory.


You will see a directory called Troubleshooting. This directory will have one or
more files that were copied over from the default profile. You may also see a
recent file and preferences file (depending on whether or not you have altered
columns and any other settings).

As you customize Wireshark (while working in the Troubleshooting profile) you
will see more configuration files appear in this directory. The following lists
some of the files that may be seen in this directory:

cfilters       capture filters used with this profile
dfilters       display filters used with this profile
colorfilters   coloring rules used with this profile
preferences    protocol and interface settings used with this profile
recent         toolbar and last directory settings used with this profile

Step 7 Close the directory window and the About Wireshark window. You will now
create a new capture filter in your Troubleshooting profile.

Step 8 Click the Capture Filters button on the icon toolbar.

Step 9 Create and save a capture filter for all traffic except traffic to and from your
hardware address. Use the steps you learned in Lab 1, but make sure you
place “!” or “not” in front of your MAC address. Name your filter NotMyMac.


Step 10 Examine your Troubleshooting profile directory again. The cfilters file
contained in this directory should have a timestamp indicating that it was just
revised.

Step 11 Open your Troubleshooting cfilters file using a text editor (such as WordPad
on a Windows host). You should see your MyMac and NotMyMac filters at the
end of the capture filter list. No changes were made to this file so you can
simply close it without saving.

To share the entire profile with another person running Wireshark, you can copy
the entire Troubleshooting directory into another Profiles directory on their
machine.

To share this cfilters file with another person running Wireshark, you can copy
the cfilters file into the appropriate profile directory on their machine.

If you want to share a single filter, you can copy and paste it into another cfilters
file. Close the cfilters file.

Video Tutorial: wiresharku_lab2.mp4


The video_tutorial directory of your student DVD contains a video showing the
steps related to this lab exercise.


Hands-On Lab
Lab 3: Set Basic Preferences for Your Troubleshooting Profile
Overview There are several basic configuration parameters that can be changed to
troubleshoot more effectively with Wireshark. In this lab you will alter several
Wireshark settings in your Troubleshooting profile.
Lab Steps

Step 1 Open http-google2012.pcapng. Ensure you are working with your
Troubleshooting profile.

Click the Preferences button and set the following elements.

User Interface
- Filter display max. list entries: 30
- "Open recent" max. list entries: 30
- Welcome screen and title bar shows version: enabled
- Display LEDs in the Expert Infos dialog tab labels: enabled

Protocols | TCP
- Allow subdissector to reassemble TCP streams: disable
- Track number of bytes in flight: enable
- Calculate conversation timestamps: enable

Click OK to close the Profile Preferences window.


Step 2 In the Packet List pane, right click on the Length column heading and select
Hide Column. You can always display this column again by right clicking on
any column heading and then selecting Displayed Columns | Length.


Step 3 Use the steps you learned in Lab 2 to open and examine your
Troubleshooting profile directory. The displayed and hidden column
information is saved in a preferences file immediately upon changing the
setting. You can open and examine this file using a text editor. Do not make
any changes when viewing the file, however.

Step 4 Toggle back to Wireshark. In the Packet List pane, the Number column often
crowds the Time column. Right click on the Number column heading and
select Align Left.

Column alignment is saved in a file called recent.

These recent settings will be saved in your Troubleshooting profile when you
change to another profile or close Wireshark.

Step 5 Right click on the Profile column in the Status Bar and change to the Default
profile. Return to the Troubleshooting profile. Now you will find a recent file in
your Profiles/Troubleshooting directory. Open this file with a text editor, but
don’t save any changes you make to the file.

Your column alignment setting is listed under # Packet list column pixel widths.

The designation for left alignment is :L.


Spend some time examining the various settings contained in the recent and
preferences files.


HOT TIP
In the future, when you want to change a protocol or application preference, you
can right-click on that protocol or application in the packet details pane and select
Protocol Preferences. Any preferences set using this right-click method are saved
in the current profile.

Video Tutorial: wiresharku_lab3.mp4


The video_tutorial directory of your student DVD contains a video showing the
steps related to this lab exercise.


Hands-On Lab
Lab 4: Find, Mark, Save and Colorize Packets
Overview You have been sent a trace file from another member of the IT staff who is
concerned about the behavior of one user on the network. They have asked
you to analyze the traffic captured and let them know if the suspect user is
downloading any executables that might be malicious.
You will use Find to locate the string “.exe” to identify any such executables.
You will mark and save any suspicious download requests and save the
packets in a separate file to show to the concerned IT staff member.
Finally, you will create a coloring rule to identify HTTP GET requests that
contain the value .exe.
Note: Ensure the TCP Preference “Allow subdissector to reassemble TCP
stream” is disabled before working through this lab.
Trace File lab-userfred.pcapng

Lab Steps

Step 1 Open lab-userfred.pcapng. Ensure you are working in your Troubleshooting
profile.
Step 2 Select Edit | Find Packet (or use the assigned keyboard accelerator, Ctrl+F).
Click the radio button indicating a String search and enter .exe in the text
window as shown below. Ensure Case sensitive is not selected.

Step 3 Click Find.


Examine the Packet List Info column to look for any indications the user is
requesting a file with the .exe extension.


Step 4 Select Edit | Find Next (or the assigned keyboard shortcut, Ctrl+N) and
continue to search through the trace file until you locate a request to download
an executable file.
There are numerous HTTP GET requests in this trace file, but only two
requests to download files with an .exe extension. For example, packet 21288
is found, but the user is requesting a JavaScript file (c.js).
GET /c/c.js?aid=10552&nm=true…

Step 5 When you locate a packet with a request for an executable file, right click on
the packet in the Packet List pane and select Mark Packet (toggle). The
packet will be marked with a black background and white foreground.
Upon completion you should have two marked packets.
What are the names of the executable files?

File #1: ___________________________________

File #2: ___________________________________

Step 6 Select File | Export Specified Packets. In the Packet Range section,
select Marked Packets as shown below. Save your file to your traces-class
directory under the name lab-userfred_export.pcapng.

Step 7 Now you will set up a coloring rule to highlight the string .exe in HTTP GET
requests.

Since coloring rules use display filter syntax and we have not covered that topic
yet, you will be provided with the syntax. After Section 7 of this course you will
create additional coloring rules on your own.

Click the Coloring Rules button.


Step 8 Click New and create your coloring rule using the following attributes:

Name: S-HTTP Download .exe
String: http.request.uri contains ".exe"
Foreground Color: Black (#000000)
Background Color: Orange3 (#CD8500)

Step 9 Click OK.

Your new coloring rule will be highlighted with blue.

This coloring rule will be at the top of the list. Click OK to close and apply the
coloring rule to the trace file.

Marked packets remain with a black background and white foreground.

Step 10 Select Edit | Unmark All Displayed Packets. As you scroll through the trace
file you will easily see the colorized packets.

Step 11 Click the Coloring Rules button, highlight the S-HTTP Download .exe
coloring rule you just created and click the Disable button. The coloring rule
appears crossed out. We will save this coloring rule, but not use it on all the
trace files in this course. Click OK.

This new coloring rule will be saved in a file called colorfilters in your
Troubleshooting profile directory.

Video Tutorial: wiresharku_lab4.mp4


The video_tutorial directory of your student DVD contains a video showing the
steps related to this lab exercise.


Hands-On Lab
Lab 5: Detect and Colorize High Latency Indications
Overview The user that maintains the company’s Facebook page complains that “the
network is slow” when trying to update the company profile. You’ve spanned
the user’s switch port to capture traffic when the user loads the company page
to determine if there are latency issues.
You will change the default time column, add a TCP conversation timestamp
column and build a coloring rule to locate latency issues.
Trace File lab-timeanalysis.pcapng

Lab Steps

Step 1 Open lab-timeanalysis.pcapng. Ensure you are using your Troubleshooting
profile.
Step 2 Select View | Time Display Format and verify the current setting is Seconds
Since Beginning of Capture (the default Time column setting).

Step 3 Right click on the Frame section of Packet #1 and select Expand Subtrees.
The Frame section contains information about the packet, but does not include
any fields that are actually contained in the packet. You can consider this as
metadata or interpretation based on the packet contents.

Wireshark often identifies this metadata by enclosing that information in
brackets.


Step 4 Right click on the Time delta from previous displayed frame field and select
Apply as Column as shown below.

Step 5 In the Packet List pane, click and drag your new column’s heading to the left
to place this time column next to the existing Time column.

Step 6 Right click on this new Time delta from previous displayed frame and select
Edit Column Details. Change the column name to Delta. Click OK.

You now have two Time columns.

1. The first column (Time) displays the arrival time of each packet compared to
the first packet in the trace (or a Time Reference setting).

2. The second time column (Delta) displays the amount of time from the end of
one packet to the end of the next.


Step 7 Write down the following time values.

Time delta from previous displayed frame

Packet 2: DNS response Time: ___________________ in ms.

Packet 4: DNS response Time: ___________________ in ms.

Packet 11: DNS response Time: ___________________ in ms.

Packet 13: DNS response Time: ___________________ in ms.

Looking at the above time values, what is the approximate average round trip
DNS response time?

_______________________________________________________________

Step 8 Scroll down to Packet 29.

Packets 29 and 32 are the first two packets of a new TCP connection.
Examining the time delta between these two packets can give us an idea of the
round trip path latency between hosts.

Unfortunately, there are DNS packets between these two TCP packets. The
Time delta from previous displayed frame column will include the time deltas of
the DNS packets. We will need to add another time column.


Step 9 In the Packet Details pane of packet 29, right click on the TCP header and
select enable Protocol Preferences | Calculate Conversation Timestamps
as shown on the image below.

Step 10 Ensure Allow subdissector to reassemble TCP streams is disabled. We will
examine this TCP setting further in the TCP and HTTP analysis sections of this
course.


Step 11 Expand the TCP header of Packet 29 in the Packet Details pane. Look for a
[Timestamps] section at the end of the TCP header. Expand this section as
shown below.

Right click on the Time since previous frame in this TCP stream line and
select Apply As Column.

Follow the procedure defined in Step 6 to rename this column to TCP Delta.

Step 12 Now look at the TCP Delta timestamp in Packet 32. Packets 29 and 32 are in
the same TCP stream. The time value displayed in this column applies only to this
connection. This provides a quick snapshot of the round trip path latency
between the two hosts.

What is the round trip path latency seen during this TCP connection between
24.6.173.220 and 66.220.147.22?

Time: ______________ (in ms)

Step 13 Now you will make a coloring rule to help locate large delays in a TCP stream.
Right click on the Time since previous frame in this TCP stream line in
Packet 32 (at the end of the TCP header) and select Colorize with Filter | New
Coloring Rule. You will need to name your new coloring rule and alter the
string and coloring as follows:

Name: T-TCP Delays
String: tcp.time_delta > 1
Foreground Color: Black (#000000)
Background Color: Orange (#FFA500)


FYI
In this course we will use the following coloring scheme and naming convention:

Troubleshooting Coloring Rules (starting with “T-”)
    Foreground: Black (#000000)    Background: Orange (#FFA500)

Notes Coloring Rules (starting with “N-”)
    Foreground: White (#FFFFFF)    Background: Dark Green (#006400)

Security Coloring Rules (starting with “S-”)
    Foreground: Black (#000000)    Background: Orange3 (#CD8500)

Your new coloring rule should look like the example shown below.

Step 14 Click OK. Your new coloring rule will be highlighted with blue and be shown at
the top of the coloring rules list.

We will order our coloring rules as security coloring rules, troubleshooting
coloring rules and then notes coloring rules. All of our custom coloring rules will
be placed above the default coloring rules.

Click OK in the Coloring Rules window to close and apply the coloring rule to
the trace file.

This coloring rule helps spot delays in trace files. Examine this trace file with
the new coloring rule in place.

Step 15 We need to enhance our coloring rule so it does not highlight TCP FIN or RST
packets since delays preceding these packets are typically not noticed by a
user and are part of the eventual shutdown of applications. Edit your T-TCP
Delays coloring rule string as follows:

String: tcp.time_delta > 1 && tcp.flags.fin==0 && tcp.flags.reset==0
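As an added example (this code is not from the manual), the following Python computes both time columns described above over a constructed packet list and applies the T-TCP Delays rule with and without the FIN/RST exclusion of Step 15; the frame numbers and times are made up and are not those of lab-timeanalysis.pcapng.

```python
"""Added example, not from the Wireshark University manual: how the Delta and
TCP Delta columns differ, and which frames the T-TCP Delays rule colours.
The packet list is constructed; its numbers are not from lab-timeanalysis.pcapng."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Pkt:
    frame: int
    time: float                    # seconds since the start of the capture
    proto: str                     # "DNS" or "TCP" here
    stream: Optional[int] = None   # tcp.stream index, None for non-TCP packets
    fin: bool = False              # tcp.flags.fin
    rst: bool = False              # tcp.flags.reset


# Constructed trace: DNS packets interleaved with the first packets of two TCP
# connections (as in Step 8), then a long data gap and a late FIN.
PACKETS = [
    Pkt(1, 0.000, "DNS"),
    Pkt(2, 0.045, "DNS"),
    Pkt(3, 0.100, "TCP", stream=0),            # SYN
    Pkt(4, 0.110, "DNS"),
    Pkt(5, 0.130, "DNS"),
    Pkt(6, 0.180, "TCP", stream=0),            # SYN/ACK: round trip = t6 - t3
    Pkt(7, 0.200, "TCP", stream=1),
    Pkt(8, 1.600, "TCP", stream=0),            # data after a 1.42 s silence
    Pkt(9, 3.000, "TCP", stream=1, fin=True),  # FIN after a 2.8 s silence
]


def delta_displayed(packets):
    """'Time delta from previous displayed frame' (the Delta column): the gap to
    whichever packet is displayed just before, regardless of protocol."""
    out, prev = {}, None
    for p in packets:
        out[p.frame] = 0.0 if prev is None else round(p.time - prev.time, 6)
        prev = p
    return out


def tcp_time_delta(packets):
    """'Time since previous frame in this TCP stream' (tcp.time_delta, the TCP
    Delta column): the gap to the previous packet of the SAME stream only."""
    out, last_in_stream = {}, {}
    for p in packets:
        if p.stream is None:
            continue
        prev_t = last_in_stream.get(p.stream)
        out[p.frame] = 0.0 if prev_t is None else round(p.time - prev_t, 6)
        last_in_stream[p.stream] = p.time
    return out


def tcp_delays(packets, threshold=1.0, ignore_fin_rst=True):
    """Frames the T-TCP Delays rule would colour:
    tcp.time_delta > 1 && tcp.flags.fin==0 && tcp.flags.reset==0
    (ignore_fin_rst=False gives the Step 13 version without the flag checks)."""
    deltas = tcp_time_delta(packets)
    hits = []
    for p in packets:
        if p.stream is None or deltas[p.frame] <= threshold:
            continue
        if ignore_fin_rst and (p.fin or p.rst):
            continue
        hits.append(p.frame)
    return hits


if __name__ == "__main__":
    d, t = delta_displayed(PACKETS), tcp_time_delta(PACKETS)
    print(f"frame 6: Delta={d[6]:.3f}s (to the DNS packet before it), "
          f"TCP Delta={t[6]:.3f}s (the SYN / SYN-ACK round trip)")
    print("T-TCP Delays without FIN/RST check:", tcp_delays(PACKETS, ignore_fin_rst=False))
    print("T-TCP Delays with FIN/RST check   :", tcp_delays(PACKETS))
```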


Step 16 You can also quickly locate TCP delays using your TCP Delta column.

Click on your TCP Delta column heading twice to sort the column from high to
low.

Click the First Packet button on the icon toolbar.

Based on the TCP Delta column, where are the largest delays in this trace
file?

Packet Info TCP Delta Column Information

____________________________ TCP Delta Time: ______________

____________________________ TCP Delta Time: ______________

____________________________ TCP Delta Time: ______________

____________________________ TCP Delta Time: ______________

____________________________ TCP Delta Time: ______________

____________________________ TCP Delta Time: ______________

What might be the causes of these different delays?

_______________________________________________________________

_______________________________________________________________

_______________________________________________________________

_______________________________________________________________

Video Tutorial: wiresharku_lab5.mp4


The video_tutorial directory of your student DVD contains a video showing the
steps related to this lab exercise.


Hands-On Lab
Lab 6: Find the Top Talkers and Protocols/Applications on a Network
Overview In this lab you will practice locating the top talkers and protocols/applications on
a network. You have been given a large trace file that contains several
conversations.
Trace File lab-gentraffic.pcapng

Lab Steps

Step 1 Open lab-gentraffic.pcapng. Ensure you are using your Troubleshooting


profile.
Step 2 You are interested in the top talkers and conversations. To locate the top
talkers, select Statistics | Endpoints and click on the IPv4 tab.

Step 3 Click on the Tx Bytes heading to sort this column and locate the host that has
sent the most bytes onto the network.

Most active IPv4 host: ___________________________


Step 4 Click Close – you are done with the Endpoints window.
Select Statistics | Conversations and select the TCP tab. In this instance you
are interested in the most active TCP conversation.
Click the TCP tab and sort the Bytes column.

Most active TCP conversation (bytes):

Target A and Port A                    Target B and Port B

______________________________ ______________________________

Step 5 Click Close – you are done with the Conversations window.
Now you must find the most active protocols or applications in the trace file.
Select Statistics | Protocol Hierarchy. You cannot sort this table by the
columns as the order of information is based on the hierarchical structure of
packets.
Examine the services listed after the User Datagram Protocol and Transmission
Control Protocol rows. You may need to consider traffic running over IPv4 as
well as IPv6.

Most Active UDP-Based Application        Most Active TCP-Based Application

Application: _________________           Application: _________________

# of bytes: _________________            # of bytes: _________________
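As an added example (not code from the manual), this Python computes the three statistics used in this lab from a constructed packet list, so you can see what Endpoints Tx Bytes, the TCP Conversations table and the Protocol Hierarchy each count; the addresses, ports and sizes are made up.

```python
"""Added example, not from the Wireshark University manual: Endpoints (Tx Bytes),
TCP Conversations (Bytes) and Protocol Hierarchy computed from constructed packets."""
from collections import defaultdict

# Constructed packets: (src_ip, src_port, dst_ip, dst_port, protocol stack, frame bytes)
PACKETS = [
    ("10.0.0.5", 51000, "10.0.0.53", 53, ("eth", "ip", "udp", "dns"), 74),
    ("10.0.0.53", 53, "10.0.0.5", 51000, ("eth", "ip", "udp", "dns"), 158),
    ("10.0.0.5", 51001, "203.0.113.10", 80, ("eth", "ip", "tcp", "http"), 520),
    ("203.0.113.10", 80, "10.0.0.5", 51001, ("eth", "ip", "tcp", "http"), 1514),
    ("203.0.113.10", 80, "10.0.0.5", 51001, ("eth", "ip", "tcp", "http"), 1514),
    ("10.0.0.7", 44000, "10.0.0.5", 445, ("eth", "ip", "tcp", "smb"), 1300),
    ("10.0.0.7", 44001, "10.0.0.9", 5060, ("eth", "ip", "udp", "sip"), 620),
    ("10.0.0.7", 44001, "10.0.0.9", 5060, ("eth", "ip", "udp", "sip"), 610),
]


def endpoints_tx_bytes(packets):
    """Statistics | Endpoints, IPv4 tab, Tx Bytes column: bytes sent per source."""
    tx = defaultdict(int)
    for src, _, _, _, _, size in packets:
        tx[src] += size
    return dict(tx)


def tcp_conversations(packets):
    """Statistics | Conversations, TCP tab: bytes per (A:port, B:port) pair.
    The key is direction-independent so both halves of a flow land in one row."""
    conv = defaultdict(int)
    for src, sport, dst, dport, stack, size in packets:
        if "tcp" not in stack:
            continue
        key = tuple(sorted([(src, sport), (dst, dport)]))
        conv[key] += size
    return dict(conv)


def protocol_hierarchy(packets):
    """Statistics | Protocol Hierarchy: bytes per protocol *path*. Each packet is
    counted at every level of its stack, which is why the view is a tree and
    cannot simply be sorted by a column."""
    tree = defaultdict(int)
    for *_, stack, size in packets:
        for depth in range(1, len(stack) + 1):
            tree[stack[:depth]] += size
    return dict(tree)


def top(table):
    """(key, value) with the largest value, like sorting a column high to low."""
    return max(table.items(), key=lambda kv: kv[1])


def most_active_app(hierarchy, transport):
    """Busiest leaf under eth/ip/<transport>: the most active UDP- or TCP-based application."""
    leaves = {path[-1]: b for path, b in hierarchy.items()
              if len(path) == 4 and path[2] == transport}
    return top(leaves)


if __name__ == "__main__":
    print("Most active IPv4 host (Tx Bytes):", top(endpoints_tx_bytes(PACKETS)))
    print("Most active TCP conversation    :", top(tcp_conversations(PACKETS)))
    h = protocol_hierarchy(PACKETS)
    print("Most active UDP-based app       :", most_active_app(h, "udp"))
    print("Most active TCP-based app       :", most_active_app(h, "tcp"))
```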

HOT TIP
You can quickly apply a display filter from many of the Statistics windows by right
clicking on an entry and defining the filter options.

Video Tutorial: wiresharku_lab6.mp4


The video_tutorial directory of your student DVD contains a video showing the
steps related to this lab exercise.


Hands-On Lab
Lab 7: Create and Use an IO Graph to Spot Performance Issues
Overview Mike is trying to download a copy of Wireshark, but he complains that things
seem to download pretty slowly. Since Mike doesn’t do packet analysis, he
wonders if you can take a look at the trace file he got using an older version of
Wireshark.
Building an IO graph is one of the first steps in troubleshooting
communications. Look for sudden drops in throughput and focus on those
areas first. In this lab we will just practice locating the problem—in later sections
we will delve further in the cause of those problems and the next steps taken by
the network analyst.
Trace File lab-iograph.pcapng

Lab Steps

Step 1 Open lab-iograph.pcapng. Ensure you are working in your Troubleshooting
profile.
Step 2 Select Statistics | Conversations to validate that Mike sent you a single
download conversation. Close the Conversations window when you are sure
there is only one conversation in the trace file.
If there were other conversations in the trace file you might consider filtering out
the most active download to Mike’s machine and work with just that one
conversation.
Step 3 Select Statistics | IO Graphs.
Note that there are two locations where the IO rate drops suddenly as shown in
the image on the next page. Ideally we would like to see the graphed line climb
at the start, remain high throughout and drop at the end. This graph does not
look good.


Step 4 The IO graph plot points are linked to the individual packets in the trace file.
Click on a point on the graph where the throughput is low and Wireshark
will highlight a packet at that point in the trace file.
What types of conditions does Wireshark indicate when the throughput drops in
this trace file?

_______________________________________________________________

_______________________________________________________________

_______________________________________________________________

_______________________________________________________________

We will examine these conditions later in this course.

Video Tutorial: wiresharku_lab7.mp4


The video_tutorial directory of your student DVD contains a video showing the
steps related to this lab exercise.


Hands-On Lab
Lab 8: Locate a Text String in a Trace File
Overview You’ve been given a trace file containing a web browsing session. You are
interested in determining how many .jpg images were downloaded during the
browsing session.
You will use a RegEx (Regular Expression) term in a display filter.
Trace File lab-http-espn2012.pcapng

Lab Steps

Step 1 Open lab-http-espn2012.pcapng. Ensure you are using your Troubleshooting


profile.
Step 2 Try each of the following display filters and note the number of packets that
matched each filter.

Display Filter # of Matching Packets

http contains "jpg"

http matches "\.(?i)jpg"

[Note there are no spaces between brackets.]

Why did a different number of packets match each filter?

_______________________________________________________________

_______________________________________________________________


Step 3 To improve your speed in applying these filters, you will now save them as
Filter Expression Buttons.

Type http matches "\.(?i)jpg" in the display filter area and click Save.
Name your Filter Expression Button httpjpg.

How could you improve your HTTP Download .exe coloring rule (created
during Lab 4: Find, Mark, Save and Colorize Packets on Page 69) using this
filtering string technique?

Current Filter String: http.request.uri contains ".exe"

Suggested New Filter String:

_______________________________________________________________

Video Tutorial: wiresharku_lab8.mp4


The video_tutorial directory of your student DVD contains a video showing the
steps related to this lab exercise.


Hands-On Lab
Lab 9: Use Tshark to Capture Traffic To/From Other Hosts on the Network
Overview You have some concern about the behavior of the network switch. You know
what traffic should be forwarded down your port and what traffic should not be
forwarded. You decide to quickly check on the switch by capturing all the traffic
coming down your network cable while filtering out your own traffic.
In Lab 1, you wrote down your local MAC address. You will use that information
in this lab as well.
We recommend that you add the Wireshark program directory to your path to
run command-line tools from within any directory. For example, on a Windows 7
host, follow these steps to add Wireshark to your path:
1. Click Start | right-click on Computer | Properties | Advanced System
Settings | Environment Variables...
2. In the System variables section scroll down and select Path and click Edit...
3. At the end of the Variable value section, add the full path to your Wireshark
program file directory as shown below.


Lab Steps

Step 1 Open the command prompt.

Step 2 If you have placed the Wireshark program directory in your path, navigate into
your traces-class directory created in Lab 1.

Step 3 Type tshark -D to locate the interface number for your Ethernet adapter as
shown below. In this lab, we will refer to this adapter number as simply “#”. You
will use the Tshark -i parameter to define which adapter you will use for
capture.

Step 4 During your capture you will save the traffic to a file and only capture a quick
view of the traffic (3 minutes). You will also define that you want to see the
packets as they are captured using the –P parameter. You will use a capture
filter to indicate you don’t want to capture your own traffic.
Type tshark -i# -f "not ether host xx:xx:xx:xx:xx:xx" -a duration:180 -w othertraffic.pcapng -P
and press Enter.

Step 5 Generate some traffic by pinging some hosts or browsing some web sites.

Step 6 Now launch Wireshark and open the trace file you just created.
Select Statistics | Endpoints. Ensure that Name resolution is disabled in this
window.


Step 7 You should not see your Ethernet interface listed in the Endpoints window if
your capture filter is performing properly. In addition, you should not be able to
see other hosts communicating directly with each other if the switch is
performing properly.
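Two details trip people up in Steps 3 and 4: reading the adapter number out of the tshark -D listing, and getting the hardware address into the form the capture filter expects (Windows ipconfig prints it with hyphens, while the pcap ether host primitive wants colon-separated hex). The following is an added example, not code from the course manual, that parses a constructed tshark -D listing (assumed format "N. name (description)"), normalizes the MAC address, and builds the Lab 9 command as an argv list so the capture filter stays one argument without any shell quoting. The MAC address and interface names in it are constructed sample values.

```python
import re
import shutil
import subprocess

# Constructed tshark -D output in the "N. name (description)" shape seen on a
# Windows host; this is a sample, not output captured from a real machine.
SAMPLE_TSHARK_D = r"""1. \Device\NPF_{AAAAAAAA-0000-0000-0000-000000000001} (Local Area Connection)
2. \Device\NPF_{AAAAAAAA-0000-0000-0000-000000000002} (Wireless Network Connection)
3. \Device\NPF_Loopback (Adapter for loopback traffic capture)
"""

_IFACE_RE = re.compile(r"^\s*(\d+)\.\s+(\S+)(?:\s+\((.*)\))?\s*$")


def parse_tshark_interfaces(listing: str):
    """Turn 'tshark -D' output into (number, name, description) tuples."""
    found = []
    for line in listing.splitlines():
        m = _IFACE_RE.match(line)
        if m:
            found.append((int(m.group(1)), m.group(2), m.group(3) or ""))
    return found


def find_interface_number(listing: str, needle: str) -> int:
    """Return the number of the first interface whose name or description
    contains needle (case-insensitive); this is the '#' used with -i."""
    for num, name, desc in parse_tshark_interfaces(listing):
        if needle.lower() in name.lower() or needle.lower() in desc.lower():
            return num
    raise LookupError(f"no interface matching {needle!r}")


def normalize_mac(mac: str) -> str:
    """Accept 00-1A-2B-3C-4D-5E (ipconfig) or 00:1a:2b:3c:4d:5e (ifconfig) and
    return the colon-separated form used by the 'ether host' capture primitive."""
    parts = re.split(r"[:-]", mac.strip())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", p) for p in parts):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(p.lower() for p in parts)


def build_tshark_argv(iface: int, local_mac: str, seconds: int, outfile: str):
    """Build the Step 4 command as an argv list. Passing the capture filter as a
    single list element avoids the shell-quoting mistakes that happen when the
    quotes around 'not ether host ...' are dropped or typed as curly quotes."""
    if seconds <= 0:
        raise ValueError("capture duration must be positive")
    return [
        "tshark", "-i", str(iface),
        "-f", f"not ether host {normalize_mac(local_mac)}",
        "-a", f"duration:{seconds}",
        "-w", outfile,
        "-P",                      # also print packet summaries while writing
    ]


def run_capture(argv):
    """Run the capture only when tshark is on the PATH; otherwise return None."""
    if shutil.which("tshark") is None:
        return None
    return subprocess.run(argv, check=False).returncode


if __name__ == "__main__":
    iface = find_interface_number(SAMPLE_TSHARK_D, "Local Area Connection")
    # Constructed placeholder MAC; substitute the address you wrote down in Lab 1.
    argv = build_tshark_argv(iface, "00-1A-2B-3C-4D-5E", 180, "othertraffic.pcapng")
    print(" ".join(argv))
    print("tshark exit code:", run_capture(argv))
```

When you check the result in Step 7, the absence of your own MAC address from the Endpoints window confirms the filter was applied; if your address still appears, the most common cause is a malformed or unquoted -f argument that tshark rejected or split.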

Video Tutorial: wiresharku_lab9.mp4


The video_tutorial directory of your student DVD contains a video showing the
steps related to this lab exercise.


Hands-On Lab
Lab 10: Split a Large Trace File Based on Time-Per-File and Merge Trace
Files
Overview You have been given a large trace file that takes too long to load into
Wireshark. You’ve decided to split the trace file into separate trace files. As
practice, you will also merge the trace files afterwards.
Trace Files lab-research.pcapng

Lab Steps

Step 1 Return to the command prompt and navigate to your course
trace_files-pcapng folder.
Step 2 Type capinfos lab-research.pcapng and press Enter.

What is the capture duration of this trace file? ______________ seconds

Step 3 You want to split this trace file into four trace files covering a similar duration in
seconds in each file. Each of the new files should begin with the name
researchset.
You will use Editcap to split the one file into four files.
[Type editcap -h if you need a hint on the syntax and parameters available.]

What command did you use to split the file?


_______________________________________________________________

Step 4 Type capinfos researchset*.pcapng and press Enter.

What is the capture duration of each of the trace files? ______________ seconds


Step 5 Now let’s work with this file set. Launch Wireshark and open any one of your
researchset*.pcapng files. Next, select File | File Set | List Files. A new file
set window appears. Simply click on the file that you want to load from the File
List.

Step 6 Toggle back to the command prompt. Let’s practice merging the files of the file
set into a single new file called researchmerged.pcapng.
You will use Mergecap to perform this operation.
[Type mergecap -h if you need a hint on the syntax and parameters
available.]

Type mergecap -w researchmerged.pcapng researchset*.* and press Enter.

What is the size of your researchmerged.pcapng file? ______________ bytes

Video Tutorial: wiresharku_lab10.mp4


The video_tutorial directory of your student DVD contains a video showing the
steps related to this lab exercise.

Hands-On Lab
Lab 11: Create a Coloring Rule to Detect DNS Error Responses and
Suspicious DNS Responses
Overview You want your Troubleshooting profile to speed up the troubleshooting process.
DNS errors do not have an Expert notification or any special coloring—you will
change that in this lab by building two coloring rules.
Trace Files lab-dns-errors-partial.pcapng;
lab-sec-sickclient.pcapng

Lab Steps

Step 1 Open Wireshark. Ensure you are working in your Troubleshooting profile.
Step 2 First we are interested in catching DNS errors quickly. We want to build a new
coloring rule for any packets that contain a DNS error response.
Open lab-dns-errors-partial.pcapng.
Step 3 You can see a number of DNS server failures in this trace file. Select Packet 5
and right click the Domain Name System (response) line in the Packet
Details pane. Select Expand Subtrees.
Notice the Reply Code field value of 0010 (or decimal 2) which indicates a DNS
server failure. We will look for any response packets that contain a value
greater than zero.
Step 4 Right click the Reply Code field and select Colorize with Filter | New
Coloring Rule. You will need to edit the String value when building this coloring
rule. Use the following setting for this coloring rule.
Name: T-DNS Error Responses
String: dns.flags.rcode > 0
Foreground Color: Black (#000000)
Background Color: Orange (#FFA500)

Place this coloring rule just above the UDP coloring rule and click OK.
Did your coloring rule work as expected? If not, review your rule again to
ensure there are no mistakes in the string and that the coloring rule is placed
above the UDP coloring rule.


Step 5 Now we are ready to create a coloring rule to detect unusual DNS responses.
There can be numerous interesting indications that a host may be infected by a
bot. You might see an infected host communicating using IRC or
communicating with an unusual number of other hosts if the bot attempts to
infect other hosts on the network.
Another indication is seen in DNS. The bot may send a DNS query when it
needs to discover a current Command and Control (C&C) server. The DNS
response can be quite unique offering numerous IP addresses that do not seem
related. These disparate IP addresses may contain a list of C&C servers on the
Internet.
Your coloring rule will detect these DNS responses with a high number of IP
addresses.
In lab-dns-errors-partial.pcapng, right-click on the Answer RRs line in Packet 5
as shown below. Select Colorize with Filter | New Coloring Rule. We want our
coloring rule to identify DNS responses that have a value larger than 10 in this
field.


Step 6 Configure your new coloring rule with the following characteristics:
Name: S-DNS Suspicious (High DNS Response Count)
String: dns.count.answers > 10
Foreground Color: Black (#000000)
Background Color: Orange3 (#CD8500)

Move this coloring rule above your T-DNS Error Responses coloring rule and
click OK.
Step 7 Open lab-sec-sickclient.pcapng. Did any packets meet your new coloring
rule?
If so, examine the packets and note the IP addresses contained therein. Do
they have any relationship (e.g., within one network address range)?

You’ve now created new coloring rules to help you locate DNS errors and potential indications
of a bot-infected host and C&C servers.
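Both coloring rules in this lab read fields straight out of the DNS header: the RCODE is the low four bits of the flags word, and the answer count is the ANCOUNT field. The following is an added example, not code from the course manual, that builds three constructed DNS responses (a SERVFAIL, a normal single-answer reply, and a reply carrying 12 A records in 12 different /16 ranges), parses the header and answer section, and applies the two rule strings dns.flags.rcode > 0 and dns.count.answers > 10. The helper that counts distinct /16 ranges is an assumption added to support the Step 7 question about whether the addresses are related. All addresses and names are constructed sample values.

```python
import ipaddress
import struct


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels followed by the root label."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"


def build_dns_response(txid: int, qname: str, rcode: int, a_records) -> bytes:
    """Constructed DNS response (QR=1, RD=1, RA=1) with the given RCODE and one
    A record (TTL 60) per address. Sample input for this example only."""
    flags = 0x8180 | (rcode & 0xF)
    header = struct.pack("!HHHHHH", txid, flags, 1, len(a_records), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)      # QTYPE A, QCLASS IN
    answers = b""
    for ip in a_records:
        # 0xC00C is a compression pointer back to the question name at offset 12
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + answers


def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                                   # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode())
        off += ln
    return ".".join(labels), (end if jumped else off)


def parse_dns(msg: bytes) -> dict:
    """Extract the fields the coloring rules use (dns.flags.response,
    dns.flags.rcode, dns.count.answers) plus the A-record addresses."""
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        _, off = read_name(msg, off)
        off += 4                                                 # QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        _, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(str(ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen
    return {"response": bool(flags >> 15), "rcode": flags & 0xF,
            "answers": ancount, "addrs": addrs}


def dns_error_response(p: dict) -> bool:
    """T-DNS Error Responses: dns.flags.rcode > 0"""
    return p["rcode"] > 0


def dns_suspicious_answer_count(p: dict) -> bool:
    """S-DNS Suspicious (High DNS Response Count): dns.count.answers > 10"""
    return p["answers"] > 10


def distinct_slash16s(p: dict) -> int:
    """Assumed helper for the Step 7 question: how many /16 ranges the answers span."""
    return len({str(ipaddress.ip_network(a + "/16", strict=False)) for a in p["addrs"]})


# Constructed sample responses (names and addresses are placeholders).
SERVFAIL = build_dns_response(0x1234, "www.example.com", 2, [])
NORMAL = build_dns_response(0x1235, "www.example.com", 0, ["93.184.216.34"])
SCATTERED = build_dns_response(0x1236, "update.example.net", 0,
                               [f"10.{n}.0.1" for n in range(1, 13)])

if __name__ == "__main__":
    for label, raw in (("SERVFAIL", SERVFAIL), ("NORMAL", NORMAL), ("SCATTERED", SCATTERED)):
        p = parse_dns(raw)
        print(label, p["rcode"], p["answers"], dns_error_response(p),
              dns_suspicious_answer_count(p), distinct_slash16s(p))
```

The SERVFAIL reply carries rcode 2 (the same 0010 value you saw in Packet 5) and zero answers, so only the error rule fires; the twelve-answer reply has rcode 0, so only the suspicious-count rule fires. Because the two conditions are independent, the rule order you chose in Step 6 only matters for a packet that is both an error and a large answer set.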

Video Tutorial: wiresharku_lab11.mp4


The video_tutorial directory of your student DVD contains a video showing the
steps related to this lab exercise.


Hands-On Lab
Lab 12: Analyze a Network Problem Indicated by ARP
Overview One of the network users is complaining about email problems. The user, Fred
(at IP address 10.1.0.1), is trying to connect to the SMTP server at 10.2.23.11.
As part of the troubleshooting process, another IT staff member loaded
Wireshark on Fred’s machine and took a trace of Fred pinging another host on
the network and then making an FTP connection to another host. The IT
professional wanted to show you that Fred’s machine can’t possibly be the
cause of the problem as these two tasks were completed successfully.
The IT staff member told Fred to try connecting to the SMTP server and it just
didn’t work. The email program appears to lock up whenever Fred tries to send
email.
Trace Files lab-smtp-prob.pcapng

Lab Steps

Step 1 Open lab-smtp-prob.pcapng in Wireshark. Ensure you are working in your
Troubleshooting profile.
Step 2 Take a moment and look through the trace file.
Packets 3-10 Sample ping process – successful
Packets 11-33 Sample FTP process – successful
Step 3 What happened when Fred’s machine tried to reach the SMTP server at
10.2.23.11? What might have caused the problem in communicating with the
SMTP server?

_______________________________________________________________

_______________________________________________________________

_______________________________________________________________

Video Tutorial: wiresharku-lab12.mp4


The video_tutorial directory of your student DVD contains a video showing the
steps related to this lab exercise.


Hands-On Lab
Lab 13: Filter on a Range of IPv4 Addresses
Overview At some point you will likely deal with trace files that contain hundreds or
thousands of IP conversations. In this hands-on lab you practice extracting
separate IP conversations.
Reminder: To filter on any source/destination IPv4 address beginning with
10.2, use the display filter ip.addr==10.2.0.0/16.
Trace File lab-throughput.pcapng

Lab Steps

Step 1 Open lab-throughput.pcapng in Wireshark. Ensure you are working with your
Troubleshooting profile.
Step 2 Use your knowledge of the TCP/IP communications process to identify the IP
addresses associated with newsrss.bbc.co.uk.

newsrss.bbc.co.uk IP Address #1: __________________________________

newsrss.bbc.co.uk IP Address #2: __________________________________

Step 3 You will first create an inclusion display filter to show traffic to and from this host
based on the IPv4 addresses resolved for that host name.

In the display filter area, enter ip.addr==x.x.x.x/24 substituting x.x.x.x for
the IP address you discovered for newsrss.bbc.co.uk. Using /24, you are
looking for any traffic to or from an IPv4 address beginning with a specific 3-
byte value.

How many packets matched your filter? ______________________________

Note that another host name, feeds.bbci.co.uk, is associated with that same IP
address.

Step 4 Now apply a filter excluding traffic to and from the IPv4 address range you
defined in Step 3.

How many packets matched your filter? ______________________________


Step 5 Can you define a display filter that would display all traffic to and from the IPv4
address range you used in Step 3 and include the DNS queries/responses
relating to newsrss.bbc.co.uk?

You will need to add to your IPv4 inclusion filter created in Step 3. Look inside
the DNS packets for the dns.qry.name field. You can use the right-click
filtering technique to add “||” with the DNS field value of interest.

Write your display filter below.

_______________________________________________________________
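The ip.addr field appears twice in every IPv4 packet (once for the source, once for the destination), which is what makes the /24 inclusion filter match traffic in both directions, and it is also why the exclusion filter in Step 4 has to be written carefully. The following is an added example, not code from the course manual, that models the three filter forms over a constructed set of packet records: ip.addr==range, ip.addr!=range, and !(ip.addr==range). In Wireshark releases of the era this manual covers, ip.addr!=x is true when either occurrence of the field differs from x, so it matches almost every packet; later releases (3.6 and newer) changed != to mean "all occurrences differ", while the !(ip.addr==x) form behaves the same way in every version. The feed-host address 192.0.2.10 is a placeholder, not the address you resolve in Step 2.

```python
import ipaddress
from typing import NamedTuple, Optional


class Packet(NamedTuple):
    """Constructed packet summary: only the fields the filters reference."""
    src: str
    dst: str
    dns_qry_name: Optional[str] = None     # dns.qry.name, present only on DNS packets


FEED_HOST = "192.0.2.10"                   # placeholder for the newsrss.bbc.co.uk address
FEED_RANGE = FEED_HOST + "/24"             # the Step 3 filter: ip.addr==x.x.x.x/24

# Constructed packets; not from lab-throughput.pcapng.
PACKETS = [
    Packet("10.1.1.5", "10.1.1.1", "newsrss.bbc.co.uk"),    # DNS query to the local resolver
    Packet("10.1.1.1", "10.1.1.5", "newsrss.bbc.co.uk"),    # DNS response
    Packet("10.1.1.5", FEED_HOST),                          # HTTP request to the feed host
    Packet(FEED_HOST, "10.1.1.5"),                          # HTTP response
    Packet("10.1.1.5", "192.0.2.77"),                       # another host in the same /24
    Packet("10.1.1.5", "198.51.100.20"),                    # unrelated traffic
    Packet("198.51.100.20", "10.1.1.5"),
]


def in_range(addr: str, cidr: str) -> bool:
    """True when addr falls inside cidr (host bits in cidr are ignored, as in Wireshark)."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def ip_addr_eq(pkt: Packet, cidr: str) -> bool:
    """ip.addr==cidr : true when the source OR the destination is in the range."""
    return in_range(pkt.src, cidr) or in_range(pkt.dst, cidr)


def ip_addr_ne(pkt: Packet, cidr: str) -> bool:
    """ip.addr!=cidr (classic semantics): true when the source OR the destination
    is outside the range. Since one end of nearly every conversation is outside
    the range, this keeps almost everything instead of excluding the range."""
    return (not in_range(pkt.src, cidr)) or (not in_range(pkt.dst, cidr))


def not_ip_addr_eq(pkt: Packet, cidr: str) -> bool:
    """!(ip.addr==cidr): the exclusion filter that really removes the range."""
    return not ip_addr_eq(pkt, cidr)


def range_or_dns(pkt: Packet, cidr: str, hostname: str) -> bool:
    """The Step 5 idea: the range filter OR'd with dns.qry.name, because the DNS
    packets travel to the resolver, not to the feed host's range."""
    return ip_addr_eq(pkt, cidr) or (pkt.dns_qry_name == hostname)


def count(pkts, predicate, *args) -> int:
    """Number of packets the filter would display."""
    return sum(1 for p in pkts if predicate(p, *args))


if __name__ == "__main__":
    print("ip.addr==range      :", count(PACKETS, ip_addr_eq, FEED_RANGE))
    print("ip.addr!=range      :", count(PACKETS, ip_addr_ne, FEED_RANGE))
    print("!(ip.addr==range)   :", count(PACKETS, not_ip_addr_eq, FEED_RANGE))
    print("range || dns name   :", count(PACKETS, range_or_dns, FEED_RANGE, "newsrss.bbc.co.uk"))
```

The first and third counts add up to the total packet count, which is the sanity check to apply to your own Step 3 and Step 4 answers: if the inclusion and exclusion counts do not sum to the number of packets in the trace file, the exclusion filter was written in the != form.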

Video Tutorial: wiresharku-lab13.mp4


The video_tutorial directory of your student DVD contains a video showing the
steps related to this lab exercise.


Hands-On Lab
Lab 14: Detect Suspicious Traffic with a New ICMP Coloring Rule
Overview ICMP can be used for numerous purposes—from connectivity tests through
ICMP Echo Requests/Replies to UDP-based service refusals with ICMP
Destination Unreachable/Port Unreachables.
ICMP can also be used to discover the operating system on a target. This
process is called ICMP-based OS fingerprinting. This is not the type of traffic
you want to see on your network.
ICMP-based OS fingerprinting uses ICMP types 13, 15 and 17.
In this lab you will make a special coloring rule to detect ICMP-based OS
fingerprinting.
Trace Files lab-sec-nst-osfingerprint.pcapng;
lab-sec-nessus.pcapng

Lab Steps

Step 1 Open lab-sec-nst-osfingerprint.pcapng in Wireshark. Ensure you are working
with your Troubleshooting profile.
Step 2 In order to build this coloring rule you must know the syntax of the ICMP type
field and you must use the ‘or’ operator in your string.

You can simply click on the Type field in a packet and view the Status Bar to
learn the syntax or use Wireshark’s autocomplete feature to guess at the
syntax.

You should be very familiar with creating coloring rules by this point so we’ll just
let you have some time to create a new coloring rule that will detect ICMP types
13, 15 or 17 in your trace files.

Step 3 Configure your new coloring rule with the following name and coloring scheme:

Name: S-ICMP OS Fingerprinting
String: [enter your string]
Foreground Color: Black (#000000)
Background Color: Orange3 (#CD8500)

Where should you place this rule in the coloring rule list?

_______________________________________________________________


Step 4 Test your coloring rule on lab-sec-nst-osfingerprint.pcapng and
lab-sec-nessus.pcapng.

HOT TIP
Host firewalls might block inbound packets, but respond with ICMP Destination
Unreachable/Port Unreachable packets with a TCP header embedded in them.
This is a good coloring rule to create to detect host firewalls talking on the network.

Name: S-Possible Firewall Detected
String: icmp && tcp
Foreground Color: Black (#000000)
Background Color: Orange3 (#CD8500)

Where should this coloring rule be placed?

Video Tutorial: wiresharku-lab14.mp4


The video_tutorial directory of your student DVD contains a video showing the
steps related to this lab exercise.


Hands-On Lab
Lab 15: Analyze UDP-based Multicast Streams and Queuing Delays
Overview In this lab you will analyze a video multicast stream and note the indications of
queuing along a path. In addition, you will compare indications of queuing to
indications of packet loss.
Trace File lab-udp-mcaststream-queued2.pcapng;
lab-udp-mcaststream-queued3.pcapng

Lab Steps

Step 1 Open lab-udp-mcaststream-queued2.pcapng in Wireshark. Ensure you are
working with your Troubleshooting profile.
Step 2 Create an IO Graph of the traffic to examine the overall flow of communications.
You will need to adjust the X axis to look more closely at the relatively steady
rate of the multicast stream.


Queuing delays are noted as a sudden drop then jump above the average rate
line in the IO graph.

Step 3 Open lab-udp-mcaststream-queued3.pcapng. Create an IO Graph of the
traffic to examine the overall flow of communications. This trace file depicts the
same multicast stream experiencing packet loss.

How would you differentiate queuing delays from packet loss along a path?

_______________________________________________________________

_______________________________________________________________

_______________________________________________________________

Video Tutorial: wiresharku-lab15.mp4


The video_tutorial directory of your student DVD contains a video showing the
steps related to this lab exercise.


Hands-On Lab
Lab 16: Alter Coloring of Window Update Packets
Overview Although Wireshark includes Window Update packets in the
tcp.analysis.flags filter set, they are excluded from the Bad TCP coloring rule
(tcp.analysis.flags && !tcp.analysis.window_update). In this lab
you color these Window Updates with a dark green background simply to
identify them faster.
Trace File lab-http-download-good.pcapng

Lab Steps

Step 1 Open lab-http-download-good.pcapng in Wireshark. Ensure you are working
in your Troubleshooting profile.
Step 2 Packet 11 is a TCP Window Update packet. Fully expand the [SEQ/ACK
Analysis] section at the end of the TCP header to see the Expert Information
details. We will use tcp.analysis.window_update for this coloring rule.

Step 3 Right-click on the [This is a tcp window update] line and select Colorize with
Filter | New Coloring Rule. Use the following setting for this coloring rule.

Name: N-TCP Window Update
String: tcp.analysis.window_update
Foreground Color: White (#FFFFFF)
Background Color: Dark green (#006400)

Place this coloring rule above the Bad TCP coloring rule and click OK.
Review your trace file to determine if your new coloring rule has affected the
Packet List pane.


In the next lab you will examine this trace file further to identify the cause of
performance problems.

Video Tutorial: wiresharku-lab16.mp4


The video_tutorial directory of your student DVD contains a video showing the
steps related to this lab exercise.


Hands-On Lab
Lab 17: Use TCP Timestamps and New Coloring Rules to Locate TCP
Performance Issues and Questionable Window Sizes
Overview You have two complaints relating to network traffic issues. In both cases, the
users complain that file transfer times are unacceptable. Your local IT staff
members have sent you two trace files to analyze.
It’s easy to get wrapped up in the basic “ugliness” of network communications.
In many cases protocols, applications and implementations are designed with
little forethought of how they work on a network.
It is imperative that you do not get distracted by ugly behavior that cannot be
changed. You must identify the key points of performance problems and focus
on those areas first. Always “find the location of performance issues” first.
In this lab you will use an IO graph to focus your troubleshooting efforts.
Trace File lab-http-download-good.pcapng
lab-http-browse-ok.pcapng

Lab Steps

Step 1 Open lab-http-download-good.pcapng in Wireshark. Ensure you are working
in your Troubleshooting profile.
Step 2 Select Statistics | IO Graph to locate problem areas in the trace file. You will
find two points where the throughput drops significantly.


Step 3 Let’s begin with the first problem. Click on the IO graph near the lowest point
in throughput (point 1 in the image on the previous page). Wireshark will
highlight the packet plotted in that same area. Toggle to Wireshark’s main
window.
Step 4 Since we are troubleshooting a TCP issue, we should watch TCP Delta
timestamps and the Calculated Window Size fields. You should already have a
TCP Delta column configured.[5]
To create a Calculated Window Size column, expand any TCP header and
right-click on the Calculated Window Size field then choose Apply as
Column. Rename this column “WinSize” and align the column to the left.
Step 5 At the first low point in the IO graph it appears we have a sudden delay of
2.753091 seconds.
Which host injected delay into this download process?

_______________________________________________________________

_______________________________________________________________

What might be causing this issue?

_______________________________________________________________

_______________________________________________________________

[5] If you do not have a TCP Delta column, expand the TCP header and the [Timestamps] section
of any packet selected. Right-click on the Time since previous frame in this TCP stream field
and choose Apply as Column. [Rename the column TCP Delta.]


Step 6 Now let’s look at the second throughput issue in this trace file. Toggle back to
the IO Graph and click on the second sudden drop in throughput (point 2 in the
image on the previous page). Toggle back to Wireshark. What does
Wireshark’s Expert indicate is happening at this point in the trace file?
_______________________________________________________________

_______________________________________________________________

What typically causes this type of problem?

_______________________________________________________________

_______________________________________________________________

What might be your next step in identifying the cause of this issue?

_______________________________________________________________

_______________________________________________________________

Step 7 We already created a coloring rule for TCP Delays in Lab 5. Now you will create
another coloring rule to detect low window sizes that may affect performance.

Name: T-TCP Low Window Size
String: tcp.window_size < 1300
Foreground Color: Black (#000000)
Background Color: Orange (#FFA500)

Move this coloring rule above the Bad TCP coloring rule and click OK.
Did this coloring rule help spot one of the issues in this trace file? Explain.

_______________________________________________________________

_______________________________________________________________

_______________________________________________________________


Step 8 There is a problem with the basic coloring rule you just created, however.

Open lab-http-browse-ok.pcapng and examine Packet 13. What coloring rule
did this packet match?

Expand the Frame section of Packet 13 and right-click on the Coloring Rule
Name line and select Apply as Column. This makes it very easy to identify
why packets are colored a certain way as shown in the image below.

Problem #1: FIN and RST packets may have a low or zero window size value,
but that is acceptable. We do not want these false positives.

Problem #2: Our actual Window Zero packets will show up with an orange
background when we might prefer to leave those with the black
background/red foreground of the Bad TCP coloring rule.

Step 9 We need to enhance our coloring rule so it does not highlight TCP FIN or RST
packets or packets with a TCP window size of zero. Edit your T-TCP Low
Window Size coloring rule string as follows.

String: (tcp.window_size < 1300 && tcp.window_size > 0)
&& (tcp.flags.fin == 0 && tcp.flags.reset == 0)
&& !tcp.window_size_scalefactor == -1


This change should alter the coloring on your trace file. TCP Resets should not
be affected by the T-TCP Delays coloring rule.

The value !tcp.window_size_scalefactor == -1 indicates we are
interested in the Window Size information when the scale factor is known (we
captured the handshake packets).
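Two things decide what you see in the Packet List pane: the rule string itself and the rule's position, because Wireshark colors each packet with the first rule in the list that matches. The following is an added example, not code from the course manual, that models the Step 7 string, the refined Step 9 string, the N-TCP Window Update rule from Lab 16 and the default Bad TCP rule as Python predicates, then evaluates an ordered rule list against constructed TCP segment summaries. The segment values (window sizes, scale factors, flag sets) are constructed to exercise the two problems described in Step 8; they are not from the course trace files.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Seg:
    """Constructed summary of one TCP segment with only the fields the rules use."""
    label: str
    window_size: int                      # tcp.window_size (window after scaling)
    scalefactor: int                      # tcp.window_size_scalefactor; -1 = handshake not captured
    fin: bool = False                     # tcp.flags.fin
    rst: bool = False                     # tcp.flags.reset
    analysis: frozenset = frozenset()     # names of the tcp.analysis.* flags set on the segment


def low_window_v1(s: Seg) -> bool:
    """Step 7 string: tcp.window_size < 1300"""
    return s.window_size < 1300


def low_window_v2(s: Seg) -> bool:
    """Step 9 string: (tcp.window_size < 1300 && tcp.window_size > 0)
    && (tcp.flags.fin == 0 && tcp.flags.reset == 0)
    && !tcp.window_size_scalefactor == -1"""
    return (0 < s.window_size < 1300
            and not s.fin and not s.rst
            and s.scalefactor != -1)


def window_update(s: Seg) -> bool:
    """N-TCP Window Update (Lab 16): tcp.analysis.window_update"""
    return "window_update" in s.analysis


def bad_tcp(s: Seg) -> bool:
    """Default Bad TCP rule: tcp.analysis.flags && !tcp.analysis.window_update"""
    return bool(s.analysis) and "window_update" not in s.analysis


# Ordered as the labs direct: both custom rules sit above Bad TCP.
RULES = [
    ("N-TCP Window Update", window_update),
    ("T-TCP Low Window Size", low_window_v2),
    ("Bad TCP", bad_tcp),
]


def coloring_rule_name(s: Seg, rules=RULES):
    """Wireshark applies the FIRST matching rule in list order; None = no match."""
    for name, predicate in rules:
        if predicate(s):
            return name
    return None


# Constructed segments covering the cases Step 8 describes.
SEGMENTS = [
    Seg("data, healthy window", 65535, 4),
    Seg("FIN with zero window", 0, 4, fin=True),
    Seg("zero window", 0, 4, analysis=frozenset({"zero_window"})),
    Seg("small advertised window", 1024, 4),
    Seg("small window, handshake missed", 512, -1),
    Seg("window update", 65535, 4, analysis=frozenset({"window_update"})),
]


def false_positives_v1():
    """Segments the Step 7 string colors that the Step 9 string leaves alone."""
    return [s.label for s in SEGMENTS if low_window_v1(s) and not low_window_v2(s)]


def classify_all(rules=RULES):
    """Map each segment label to the rule that would color it under the given order."""
    return {s.label: coloring_rule_name(s, rules) for s in SEGMENTS}


if __name__ == "__main__":
    print("Step 7 false positives:", false_positives_v1())
    for label, rule in classify_all().items():
        print(f"{label:32s} -> {rule}")
```

The "small window, handshake missed" segment is the case the scale-factor clause protects against: a window field of 512 with an unknown scale factor may really be 512 multiplied by some power of two, so coloring it as "low" would be a guess. Swapping the order so Bad TCP sits above T-TCP Low Window Size does not change these particular results, because the refined string no longer overlaps with zero-window packets; with the Step 7 string it would, which is Problem #2 in Step 8.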

Video Tutorial: wiresharku-lab17.mp4


The video_tutorial directory of your student DVD contains a video showing the
steps related to this lab exercise.


Hands-On Lab
Lab 18: Determine Who is at Fault: Working with Multiple Trace Files
Overview A customer has received complaints about performance of their company
webserver from many users on the network. They have decided to set up a test
suite to send numerous requests to get trace files with Wireshark.
The user’s traffic must travel through a network address translation-capable
firewall and a load balancer on the way to/from the web server as shown in the
image below. Note the source IP address change on each side of the NAT.
The customer has provided you with three trace files—one taken at a user
system, one taken from a switch on the other side of the NAT/firewall device
and a third taken at the web server.
The test script runs a series of back-to-back requests for files. As soon as one
file is received, the script requests the next file.
Trace Files lab-tcp-problem-pointA.pcapng;
lab-tcp-problem-pointB.pcapng;
lab-tcp-problem-pointC.pcapng

Multipoint Capture Layout

[Figure: multipoint capture diagram. Labels shown in the image: lab-tcp-problem-pointA.pcapng,
lab-tcp-problem-pointC.pcapng, 10.3.8.209, NAT/Firewall, Load Balancer, 10.3.8.109,
10.0.61.179, Mike, lab-tcp-problem-pointB.pcapng, 10.10.10.1]


Lab Steps

It’s time to let you work on this without step-by-step instructions.

Your instructor may put you together in groups to work on this trace file set.

Here are some hints for analyzing this problem:

• Create an IO graph to determine if there are sudden drops in throughput
• Examine the Expert Errors, Warnings and Notes
• Examine the handshake(s) to define TCP capabilities
• Use time to identify delays
• Consider adding columns to help isolate issues and understand packet
coloring

Where is the delay seen in this scripted test?

_______________________________________________________________

What is the cause of the delays?

_______________________________________________________________

What would you recommend to solve this problem?

_______________________________________________________________

Video Tutorial: wiresharku-lab18.mp4


The video_tutorial directory of your student DVD contains a video showing the
steps related to this lab exercise.


Hands-On Lab
Lab 19: Determine the Cause of Slow File Downloads
Overview One of your IT buddies has decided they should learn to use Wireshark.
Interestingly, they are complaining to you about the download process. They
think there must be some network problem.
You decide to capture a trace file of the download process to see what is going
on. As you perform your analysis, you explain to your colleague how you are
locating the cause of poor performance.
Trace File lab-slowdownload.pcapng

Lab Steps

Again you will work on this without step-by-step instructions.

Your instructor may put you together in groups to work on this trace file set.

Here are some hints for analyzing this problem:

• Examine the Expert Errors, Warnings and Notes
• Examine the handshake(s) to define TCP capabilities
• Use time to identify delays
• Consider adding columns to help isolate issues and understand packet
coloring
• Watch the interwoven streams – consider making a column for the TCP
Stream Index value

What file is your buddy trying to download?

_______________________________________________________________

_______________________________________________________________

_______________________________________________________________


Do you see packet loss, high path latency, high server latency, address
resolution problems or other problems in the trace file?

_______________________________________________________________

_______________________________________________________________

_______________________________________________________________

Video Tutorial: wiresharku-lab19.mp4


The video_tutorial directory of your student DVD contains a video showing the
steps related to this lab exercise.


Hands-On Lab
Lab 20: Use TCP Graphs to Detect the Cause of Performance Problems
Overview You’ve been hired to evaluate the file upload performance by a clothing design
and distribution company. The design team has been complaining of poor
performance while uploading files that contain their fabric samples. They state
that the upload process is taking much longer than it used to. In the past, they
could upload their files in just a few minutes – now it seems it is taking twice as
long.
Trace File lab-httpsupload.pcapng

Lab Steps

Step 1 Open lab-httpsupload.pcapng. Ensure you are using your Troubleshooting
profile.
Step 2 With Packet 1 highlighted, select Statistics | TCP Stream Graphs | Round
Trip Time Graph.

What is the highest RTT value plotted in the graph?

_______________________________________________________________

If you click on any plot point at the slow RTT moments and toggle back to
Wireshark, can you see a relationship between network problems and the RTT
value?
_______________________________________________________________

Step 3 Close the RTT graph and select Statistics | IO Graph. Click on the Y Axis
dropdown (arrow) and select Advanced. The Advanced IO Graph will be blank
to begin.
Configure Graph 1 and Graph 2 as follows:
Graph 1: Filter: None
Calc: SUM(*) tcp.len
Graph 2: Filter: None
Calc: COUNT frames(*) tcp.analysis.flags
Click the Graph 1 and Graph 2 buttons to plot these two elements in the
graph.


Your results may be a bit underwhelming as shown in the image below. This is
due to the large difference in values that are being plotted—the TCP payload
amount vs. the number of TCP analysis flags.

Step 4 In the Y Axis Scale area, select Logarithmic. Set the Tick interval to .1
seconds. The image below shows what your Advanced IO Graph settings
should look like.

Scroll through the graph from left to right to look for any large drops in TCP
throughput (the Graph 1 line).


Are there a higher than usual number of TCP Analysis Flags at those low
throughput points (tcp.len) in the communications?

_______________________________________________________________

Step 5 Set your Y Axis scale to Auto and disable Graph 1 and Graph 2.
Step 6 Set Graph 1 CALC to MAX(*) tcp.time_delta. Change your Tick interval
back to 1 second.
How many times did you notice the delta time jump to almost 10 seconds?

_______________________________________________________________

Step 7 Click on any of the high plot points in your graph and toggle to Wireshark.
What host is delaying the file upload process (the sending client or the receiving
server)?

_______________________________________________________________

What step do you recommend next in this troubleshooting process?

_______________________________________________________________

_______________________________________________________________

_______________________________________________________________

Video Tutorial: wiresharku-lab20.mp4


The video_tutorial directory of your student DVD contains a video showing the
steps related to this lab exercise.


Hands-On Lab
Lab 21: Create a Coloring Rule for HTTP Error Responses
Overview Again you want to customize Wireshark to troubleshoot more efficiently.
In this lab you will create a coloring rule to detect any HTTP client or
server error response codes.
Trace File lab-http-chappellu2012.pcapng

Lab Steps

Step 1 Open lab-http-chappellu2012.pcapng. Ensure you are using your
Troubleshooting profile.
Make sure the TCP preference Allow subdissector to reassemble TCP
streams is disabled.
Step 2 Select Packet 9 and expand the HTTP subtrees in the Packet Detail
pane.
Step 3 Click on the Status Code field. Note the name of this field (shown in the
Wireshark Status Bar).

HTTP Response Code field name: ___________________________

Now that you’ve created a few coloring rules in this course, we won’t walk
you through the process step-by-step.

Step 4 Create a troubleshooting coloring rule to detect any HTTP server
response codes greater than 399 (that is, every 4xx client error and 5xx
server error response). Name your new rule T-HTTP Error Responses.
Step 5 Test your coloring rule on lab-http-chappellu2012.pcapng. If your coloring
rule is configured properly, four packets should match your coloring rule.
Consider enhancing your coloring rule to detect HTTP redirections.
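The following Python script is an added example, not part of this manual and not code from Wireshark. It builds the line that Wireshark stores in the colorfilters file of the active profile for the T-HTTP Error Responses rule (plus the suggested redirection rule) and checks, on constructed HTTP payloads, which frames the filter expression would match. The colorfilters line format, @name@display filter@[bg r,g,b][fg r,g,b] with 16-bit colour components, is Wireshark's own; the frame numbers and payloads are constructed and do not correspond to the lab trace file.

```python
"""Added example, not part of the manual: build the colorfilters entry for the
T-HTTP Error Responses rule (and the suggested redirection rule) and check
which constructed packets the filters would match. Wireshark's colorfilters
file stores one rule per line as @name@display filter@[bg r,g,b][fg r,g,b]
with 16-bit colour components; the packets below are constructed."""

import re

# http.response.code is taken from the status line "HTTP/1.x <code> <phrase>".
STATUS_LINE = re.compile(rb"^HTTP/1\.[01] (\d{3}) ")

# Constructed (frame number, start of TCP payload) pairs.
SAMPLE_PACKETS = [
    (9,  b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"),
    (14, b"HTTP/1.1 301 Moved Permanently\r\nLocation: http://www.example.test/\r\n\r\n"),
    (22, b"GET /favicon.ico HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    (23, b"HTTP/1.1 404 Not Found\r\n\r\n"),
    (31, b"HTTP/1.0 500 Internal Server Error\r\n\r\n"),
    (40, b"HTTP/1.1 403 Forbidden\r\n\r\n"),
    (41, b"HTTP/1.1 503 Service Unavailable\r\n\r\n"),
]


def response_code(payload):
    """Value of http.response.code, or None when the payload is not an HTTP response."""
    match = STATUS_LINE.match(payload)
    return int(match.group(1)) if match else None


def colorfilters_line(name, display_filter, bg, fg=(0, 0, 0)):
    """One line in the colorfilters file of the active profile."""
    rgb = "[%d,%d,%d]"
    return "@%s@%s@%s%s" % (name, display_filter, rgb % bg, rgb % fg)


# Client errors are 4xx, server errors 5xx: a single comparison covers both.
ERROR_RULE = colorfilters_line("T-HTTP Error Responses",
                               "http.response.code >= 400", bg=(65535, 0, 0))
# Suggested enhancement: redirections are 3xx.
REDIRECT_RULE = colorfilters_line("T-HTTP Redirections",
                                  "http.response.code >= 300 && http.response.code < 400",
                                  bg=(65535, 65535, 0))


def matching_frames(packets, low, high):
    """Frame numbers whose response code c satisfies low <= c < high,
    i.e. what the coloring rule would highlight in the Packet List."""
    frames = []
    for frame, payload in packets:
        code = response_code(payload)
        if code is not None and low <= code < high:
            frames.append(frame)
    return frames


if __name__ == "__main__":
    print(ERROR_RULE)
    print(REDIRECT_RULE)
    print("error responses in frames:", matching_frames(SAMPLE_PACKETS, 400, 600))
    print("redirections in frames:  ", matching_frames(SAMPLE_PACKETS, 300, 400))
```

Coloring rules are evaluated from the top of the list down and the first match wins, so place the T- rules above Wireshark's default rules (the built-in HTTP rule would otherwise colour the error responses green before your rule is reached).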

Video Tutorial: wiresharku-lab21.mp4


The video_tutorial directory of your student DVD contains a video showing
the steps related to this lab exercise.

Hands-On Lab
Lab 22: Export an HTTP Object
Overview This simple lab gives you practice exporting a single HTTP object from a
web browsing session.
Trace File lab-http-chappellu2012.pcapng

Lab Steps

Step 1 Open lab-http-chappellu2012.pcapng. Ensure you are using your
Troubleshooting profile.
Make sure the TCP preference Allow subdissector to reassemble TCP
streams is enabled to perform reassembly of HTTP objects.
Step 2 Now you will reassemble one of the graphics in the HTTP browsing
session. Select File | Export Objects | HTTP.
Wireshark lists all the HTTP objects seen in the trace file.
In addition, Wireshark shows the first packet number of each individual
file listed.

Step 3 Select the object called header_bg.jpg and click Save As. Wireshark
places the original file name in the Name field.

Navigate to your trace file directory and click Create Folder. Name your
folder exports. Click Save.

Step 4 Examine the object you exported. It should look like the image below.
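The following Python script is an added example, not part of this manual and not Wireshark's export code. It does by hand what File | Export Objects | HTTP relies on the TCP preference for: it puts out-of-order and retransmitted TCP segments back in sequence order, refuses to export when a segment is missing, splits the HTTP response at Content-Length, checks that a response declared as image/jpeg really starts with the JPEG signature, and writes the object into an exports folder using only the base name of the file. The segments, the object bytes and the name header_bg.jpg are constructed.

```python
"""Added example, not part of the manual: reassemble an HTTP response from
out-of-order TCP segments and write the object to an exports folder, which is
what File | Export Objects | HTTP does once TCP reassembly is enabled. The
segments, the object bytes and the file name header_bg.jpg are constructed."""

import hashlib
import os
import tempfile

JPEG_MAGIC = b"\xff\xd8\xff"
ISN = 1000            # constructed initial sequence number of the server side
MSS = 300             # constructed segment size

# Constructed object: a JPEG signature followed by dummy bytes.
OBJECT = JPEG_MAGIC + b"\xe0" + bytes(range(256)) * 4
RESPONSE = (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: image/jpeg\r\n"
            b"Content-Length: %d\r\n\r\n" % len(OBJECT)) + OBJECT

# (sequence number, frame number, payload) as captured: out of order and with
# one retransmitted segment, exactly what the reassembly preference copes with.
_in_order = [(ISN + off, 12 + i, RESPONSE[off:off + MSS])
             for i, off in enumerate(range(0, len(RESPONSE), MSS))]
SEGMENTS = [_in_order[1], _in_order[0], _in_order[3], _in_order[1], _in_order[2]]
MISSING_SEGMENTS = [s for s in SEGMENTS if s[0] != ISN + MSS]   # one segment lost


def reassemble(segments):
    """Order segments by sequence number, ignore retransmissions and refuse
    to return a stream with a hole in it. Returns (bytes, first frame)."""
    by_seq = {}
    for seq, frame, payload in segments:
        by_seq.setdefault(seq, (frame, payload))   # keep the first copy seen
    expected = min(by_seq)
    first_frame = by_seq[expected][0]
    stream = bytearray()
    for seq in sorted(by_seq):
        if seq != expected:
            raise ValueError("gap before seq %d: %d bytes missing" % (seq, seq - expected))
        _frame, payload = by_seq[seq]
        stream += payload
        expected = seq + len(payload)
    return bytes(stream), first_frame


def is_complete(segments):
    """True when every byte of the stream was captured."""
    try:
        reassemble(segments)
        return True
    except ValueError:
        return False


def split_response(stream):
    """Split an HTTP response into a header dict and the body declared by Content-Length."""
    head, _sep, rest = stream.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _colon, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers[b"content-length"])
    if len(rest) < length:
        raise ValueError("truncated object: %d of %d bytes" % (len(rest), length))
    return headers, rest[:length]


def export_object(segments, out_dir, name="header_bg.jpg"):
    """Reassemble, sanity-check and save the object; returns (path, sha256)."""
    stream, _first = reassemble(segments)
    headers, body = split_response(stream)
    if headers.get(b"content-type") == b"image/jpeg" and not body.startswith(JPEG_MAGIC):
        raise ValueError("declared image/jpeg but starts with %r" % body[:3])
    os.makedirs(out_dir, exist_ok=True)
    path = os.path.join(out_dir, os.path.basename(name))   # never trust a path from the wire
    with open(path, "wb") as fh:
        fh.write(body)
    return path, hashlib.sha256(body).hexdigest()


def run_demo():
    """Export into a temporary exports/ folder; returns (path, sha256 written, sha256 expected)."""
    out_dir = os.path.join(tempfile.mkdtemp(), "exports")
    path, digest = export_object(SEGMENTS, out_dir)
    return path, digest, hashlib.sha256(OBJECT).hexdigest()


if __name__ == "__main__":
    path, digest, expected = run_demo()
    print("saved", path, "sha256", digest, "ok" if digest == expected else "MISMATCH")
    print("complete with a segment missing?", is_complete(MISSING_SEGMENTS))
```

Hashing the exported object is worth the habit: when a file pulled from a capture is later compared against a sample from the host or submitted to a malware scanner, the digest is what ties the two together.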

Video Tutorial: wiresharku-lab22.mp4


The video_tutorial directory of your student DVD contains a video showing
the steps related to this lab exercise.

Hands-On Lab
Lab 23: Decrypt HTTPS Communications
Overview In this lab you will practice decrypting HTTPS communications using an
RSA key (provided).
Trace File lab-rsasnakeoil2.pcapng

Key File rsasnakeoil2.key


Lab Steps

Step 1 Ensure you are working in your Troubleshooting profile.

Step 2 Create a directory called key on your local system. Copy
rsasnakeoil2.key into that directory.
Step 3 Open lab-rsasnakeoil2.pcapng in Wireshark.

Step 4 Click on the Preferences button and select Protocols | SSL. (In Wireshark
3.0 and later the protocol is listed as TLS and the key list is configured
under Edit | Preferences | RSA Keys.)

Step 5 Click the Edit button next to RSA Keys list. Fill out the key information
as shown below. Then click OK twice to close this window and the SSL
Decrypt window.

You may need to reload the trace file (View | Reload) to see the decrypted
HTTP communications. Decryption with the server's private key only works
for sessions that negotiated an RSA key exchange cipher suite; sessions
using DHE or ECDHE key exchange (forward secrecy) cannot be decrypted this
way and require a key log file exported by the client instead.
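The following Python script is an added example, not part of this manual and not Wireshark code. Before spending time on the RSA key list it is worth confirming that the server's private key can decrypt the session at all: only cipher suites with static RSA key exchange (the TLS_RSA_WITH_... family) send the pre-master secret encrypted under the server's key, while DHE/ECDHE suites and every TLS 1.3 suite derive it from an ephemeral exchange. The script parses the ServerHello record, reads the negotiated cipher suite and reports whether the key will help. The ServerHello records are constructed by the script itself; the cipher suite identifiers are the IANA-registered values.

```python
"""Added example, not part of the manual: check, from a TLS ServerHello, whether
a capture can be decrypted with the server's RSA private key at all. Only
cipher suites with static RSA key exchange (TLS_RSA_WITH_...) send the
pre-master secret encrypted under that key; DHE/ECDHE suites and TLS 1.3 give
forward secrecy and need a key log file from the client instead. The
ServerHello records are constructed; the suite IDs are the IANA-registered values."""

import struct

CIPHER_SUITES = {                     # small subset of the IANA registry
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x1301: "TLS_AES_128_GCM_SHA256",             # TLS 1.3: always ephemeral
}

HANDSHAKE = 0x16
SERVER_HELLO = 0x02


def parse_server_hello(record):
    """Return (legacy version, cipher suite) from a TLS record holding a ServerHello."""
    if len(record) < 5:
        raise ValueError("short record")
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE:
        raise ValueError("content type 0x%02x is not handshake" % ctype)
    body = record[5:5 + rlen]
    if len(body) != rlen or body[0] != SERVER_HELLO:
        raise ValueError("not a complete ServerHello")
    hlen = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hlen]
    if len(hs) != hlen:
        raise ValueError("truncated handshake message")
    version = struct.unpack("!H", hs[:2])[0]
    pos = 2 + 32                         # server_version, random
    sid_len = hs[pos]
    pos += 1 + sid_len                   # session_id
    if len(hs) < pos + 2:
        raise ValueError("ServerHello ends before the cipher suite")
    suite = struct.unpack("!H", hs[pos:pos + 2])[0]
    return version, suite


def rsa_key_can_decrypt(record):
    """(True, suite name) only when the negotiated suite uses static RSA key exchange."""
    _version, suite = parse_server_hello(record)
    name = CIPHER_SUITES.get(suite, "unknown suite 0x%04x" % suite)
    return name.startswith("TLS_RSA_WITH_"), name


def build_server_hello(suite, version=0x0303):
    """Constructed ServerHello (TLS 1.2 framing, no extensions) for testing."""
    session_id = b"\x01" * 8
    hs = (struct.pack("!H", version) + bytes(32) + bytes([len(session_id)]) + session_id
          + struct.pack("!H", suite) + b"\x00")        # compression: null
    handshake = bytes([SERVER_HELLO]) + len(hs).to_bytes(3, "big") + hs
    return struct.pack("!BHH", HANDSHAKE, version, len(handshake)) + handshake


if __name__ == "__main__":
    for suite in (0x002F, 0xC02F, 0x1301):
        ok, name = rsa_key_can_decrypt(build_server_hello(suite))
        print("%-42s RSA key decryption: %s" % (name, "possible" if ok else "impossible"))
```

In Wireshark the same check is a glance at the Cipher Suite field of the Server Hello; a suite name containing DHE or ECDHE means the private key will not decrypt anything, however correctly the key list is filled in.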

Video Tutorial: wiresharku-lab23.mp4


The video_tutorial directory of your student DVD contains a video showing
the steps related to this lab exercise.

Hands-On Lab
Lab 24: Analyze FTP Problems
Overview In this lab you will practice analyzing problems that occurred during an
FTP file upload process from a local client to a server on the Internet. In
this trace file you will find evidence of throughput rate limiting – the ISP
serving the FTP client has implemented a cap on the bits per second
upload rate. This will be evident when you create an IO Graph in this lab.
Trace File lab-ftp-ioupload-partial.pcapng

Lab Steps

Step 1 Open lab-ftp-ioupload-partial.pcapng in Wireshark. Ensure you are
using your Troubleshooting profile.
Step 2 Examine the TCP handshake process and answer the following
questions:

What TCP options does the FTP client support for this connection?

__________________________________________________________

What TCP options does the FTP server support for this connection?

__________________________________________________________

What desired TCP options won’t be supported on this connection?

__________________________________________________________

What is the round trip wire latency between the FTP client and server?

__________________________________________________________
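The following Python script is an added example, not part of this manual and not Wireshark code. It decodes the TCP option bytes of a SYN and a SYN/ACK, lists what each side offers, reports the desired options that will not be used on the connection (window scaling, SACK and timestamps only take effect when both the SYN and the SYN/ACK carry them) and computes the handshake round trip time. The option bytes and the timestamps are constructed; the option kinds used are the standard ones (2 MSS, 3 window scale, 4 SACK permitted, 8 timestamps).

```python
"""Added example, not part of the manual: decode the TCP options carried in a
SYN and SYN/ACK, work out which options each side supports, which desired
options will not be used on the connection, and the handshake round trip time.
The option bytes and timestamps are constructed; the option kinds are the
standard ones (2 MSS, 3 window scale, 4 SACK permitted, 8 timestamps)."""

import struct

NEGOTIATED_OPTIONS = ("Window Scale", "SACK Permitted", "Timestamps")

# Constructed handshake as seen at the client: the SYN offers MSS 1460, window
# scale 8 and SACK; the SYN/ACK answers with MSS 1380 and SACK only.
CLIENT_SYN_OPTIONS = bytes.fromhex("020405b4 01 030308 0101 0402".replace(" ", ""))
SERVER_SYNACK_OPTIONS = bytes.fromhex("02040564 0101 0402".replace(" ", ""))
SYN_TIME, SYNACK_TIME = 0.000000, 0.087512     # constructed capture timestamps


def parse_tcp_options(raw):
    """Decode the TCP option bytes of one segment into {name: value}."""
    options = {}
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                     # End of Option List
            break
        if kind == 1:                     # NOP, single byte of padding
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option kind %d has no length byte" % kind)
        length = raw[i + 1]
        # A length under 2 would never advance i: refuse it instead of spinning.
        if length < 2 or i + length > len(raw):
            raise ValueError("malformed option kind %d (length %d)" % (kind, length))
        data = raw[i + 2:i + length]
        if kind == 2 and len(data) == 2:
            options["MSS"] = struct.unpack("!H", data)[0]
        elif kind == 3 and len(data) == 1:
            options["Window Scale"] = data[0]          # shift count; multiplier 2**n
        elif kind == 4 and len(data) == 0:
            options["SACK Permitted"] = True
        elif kind == 8 and len(data) == 8:
            options["Timestamps"] = struct.unpack("!II", data)   # (TSval, TSecr)
        else:
            options["kind %d" % kind] = data
        i += length
    return options


def unsupported_desired(client_options, server_options):
    """Options the client asked for that the server did not echo in its
    SYN/ACK; these are silently dropped for the whole connection."""
    return [name for name in NEGOTIATED_OPTIONS
            if name in client_options and name not in server_options]


def effective_options(client_options, server_options):
    """What the connection will actually use. Window scaling, SACK and
    timestamps need both sides; each side's send MSS is the peer's MSS."""
    result = {name: name in client_options and name in server_options
              for name in NEGOTIATED_OPTIONS}
    result["client send MSS"] = server_options.get("MSS", 536)
    result["server send MSS"] = client_options.get("MSS", 536)
    return result


def handshake_rtt(syn_time, synack_time):
    """Round trip wire latency seen from a capture point next to the client."""
    return round(synack_time - syn_time, 6)


if __name__ == "__main__":
    c = parse_tcp_options(CLIENT_SYN_OPTIONS)
    s = parse_tcp_options(SERVER_SYNACK_OPTIONS)
    print("client offers:", c)
    print("server offers:", s)
    print("not supported on this connection:", unsupported_desired(c, s))
    print("effective:", effective_options(c, s))
    print("RTT: %.6f s" % handshake_rtt(SYN_TIME, SYNACK_TIME))
```

The missing option matters for throughput: without window scaling the receive window cannot exceed 65,535 bytes, so the sender can have at most that much data in flight per round trip, which with the constructed 87.5 ms RTT caps a single connection well below 1 MB/s regardless of the link speed. The malformed-length check in the parser is not pedantry either; an option with length 0 or 1 is a classic way to stall a naive decoder.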

Step 3 Open the Expert Info window. What problems are noted in the Expert?

__________________________________________________________

Step 4 Create an IO Graph based on the traffic. What problems are consistently
highlighted when you click on the low throughput areas of the graph?

__________________________________________________________

Set the Y axis scale to logarithmic and add the following graph lines to
the IO Graph in the Graph 2 and 3 areas:
TCP retransmissions
TCP duplicate ACKs

What is the relationship between these two elements and throughput
issues?

__________________________________________________________

__________________________________________________________

__________________________________________________________

Step 5 What is the most likely cause of problems in this FTP upload?

__________________________________________________________

__________________________________________________________

__________________________________________________________

Video Tutorial: wiresharku-lab24.mp4


The video_tutorial directory of your student DVD contains a video showing
the steps related to this lab exercise.

Hands-On Lab
Lab 25: Test Your Skills #1
Overview The customer complains that file transfers are extremely slow.
Trace File lab-testyourskills1.pcapng

Lab Steps

Use your Wireshark skills to identify the potential problem in this file transfer process.
Note your findings and recommended next steps below.

Video Tutorial: wiresharku-lab25.mp4


The video_tutorial directory of your student DVD contains a video showing
the steps related to this lab exercise.

Hands-On Lab
Lab 26: Test Your Skills #2
Overview It’s a Saturday morning and you have received a call from the CEO of a
company (he works weekends). He complains that he cannot browse the
Internet today. You have set up a remote Wireshark system enabling you
to capture his traffic.
Trace File lab-testyourskills2.pcapng

Lab Steps

Use your Wireshark skills to identify the potential problem in this Internet access
process. Note your findings and recommended next steps below.

Video Tutorial: wiresharku-lab26.mp4


The video_tutorial directory of your student DVD contains a video showing
the steps related to this lab exercise.

Hands-On Lab
Lab 27: Test Your Skills #3
Overview The customer complains that file uploads from the branch office to the
corporate headquarters are suddenly taking way too long. They have
captured a sample upload at the branch office (client location) and at the
headquarters location (server).
Trace File lab-testyourskills3client.pcapng;
lab-testyourskills3server.pcapng

Lab Steps

Use your Wireshark skills to identify the potential problem in this file upload process.
Note your findings and recommended next steps below.

Video Tutorial: wiresharku-lab27.mp4


The video_tutorial directory of your student DVD contains a video showing
the steps related to this lab exercise.
