Wireshark and the Art of Debugging Networks
My first ever LISA session proved to be a gentle transition into what promises to be an intense week. I attended “Wireshark and the Art of Debugging Networks”, a half-day course taught by Gerald Carter. Wireshark is a powerful tool for *nix, Windows, and Mac OS X for capturing and analyzing network traffic. Of course, there’s more to the topic than can be put into a four-hour session, but Gerald’s course provided an excellent introduction for admins who haven’t used Wireshark, or who have forgotten most of what they knew.
The basic premise of this course is that application logs can be misleading, but the network never lies. By analyzing network traffic, many confusing issues can become clear. Of course, the first step is finding the relevant information. On a busy system, the important packets can easily become lost, so filtering is key. Wireshark supports filtering on both capture and display, but it’s generally advisable to do as little filtering on capture as you can get away with, since it’s impossible to widen the net once the traffic has gone by.
Wireshark supports filtering on protocol, address, port and many other options which can be combined to yield exactly the data needed. There are also options to colorize the display to draw attention to certain packets. The default color settings are perhaps too aggressive, though. As Gerald said several times, “if you’re coloring everything, you might as well color nothing.”
I can tell by the Twitter stream that I’m not the only person who came away with some new knowledge. @Jayofdoom noted that “using wireshark to determine throughput…is possible, but I had never thought of it. So much info can be derived from pcap files.” @spkane said “Analyze->Follow TCP Stream is a nice way to rebuild cleartext sessions like IRC, FTP command channels, etc.”
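To make the display-filter and Follow TCP Stream ideas above concrete, here is a small added example (my own toy model, not code from the session or from Wireshark) that runs a display-style filter over a constructed set of packets and then reassembles one side of a cleartext IRC login from out-of-order and retransmitted segments. The packet fields, addresses and payloads are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str            # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    seq: int = 0          # TCP sequence number of the first payload byte
    payload: bytes = b""

# Constructed sample capture (not a real trace): one IRC login on port 6667,
# delivered out of order and with a retransmission, plus unrelated DNS noise.
CAPTURE = [
    Packet("udp", "10.0.0.5", "10.0.0.1", 53123, 53, payload=b"\x12\x34dns-query"),
    Packet("tcp", "10.0.0.5", "192.0.2.10", 40000, 6667, seq=100, payload=b"NICK alice\r\n"),
    Packet("tcp", "10.0.0.5", "192.0.2.10", 40000, 6667, seq=135, payload=b"JOIN #lisa\r\n"),
    Packet("tcp", "10.0.0.5", "192.0.2.10", 40000, 6667, seq=112, payload=b"USER alice 0 * :Alice\r\n"),
    Packet("tcp", "192.0.2.10", "10.0.0.5", 6667, 40000, seq=500, payload=b":irc.example NOTICE * :hi\r\n"),
    Packet("tcp", "10.0.0.5", "192.0.2.10", 40000, 6667, seq=112, payload=b"USER alice 0 * :Alice\r\n"),
]

def display_filter(pkts, pred):
    """Display-style filter: the stored capture stays intact, only the view narrows.
    A capture filter of 'udp' would instead have discarded the IRC packets for good,
    and the stream below could never be rebuilt."""
    return [p for p in pkts if pred(p)]

def follow_tcp_stream(pkts, client, cport, server, sport):
    """Rebuild the client->server side of one TCP conversation: order segments by
    sequence number and drop bytes already seen (retransmissions), the way
    Follow TCP Stream shows a cleartext session as one continuous text."""
    segs = sorted(
        (p for p in pkts if p.proto == "tcp"
         and (p.src, p.sport, p.dst, p.dport) == (client, cport, server, sport)),
        key=lambda p: p.seq,
    )
    out, next_seq = b"", None
    for p in segs:
        if next_seq is None:
            next_seq = p.seq
        if p.seq > next_seq:
            break                                  # a segment is missing; stop here
        new = p.payload[next_seq - p.seq:]        # skip bytes this segment re-sends
        out += new
        next_seq += len(new)
    return out

if __name__ == "__main__":
    irc = display_filter(CAPTURE, lambda p: p.proto == "tcp" and 6667 in (p.sport, p.dport))
    print(f"{len(irc)} of {len(CAPTURE)} packets match tcp.port == 6667")
    print(follow_tcp_stream(irc, "10.0.0.5", 40000, "192.0.2.10", 6667).decode(), end="")
```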
Gerald also gave an overview of common network services in the afternoon session, which concludes his LISA ’10 schedule. He’s been around for a few years, though, so he’ll likely return for LISA ’11 in Boston if you beg enough. You can follow Gerald Carter on Twitter at @coffeedude_j.