Getting Started With Wireshark

You already know from my post about the WCNA course that I’m a fan of Wireshark.  What you might not have guessed was that prior to the course, navigating Wireshark was a difficult and tedious process for me.  I knew what I was looking at, but I did not know just how flexible the tool is.  My hope is this post will make Wireshark seem a bit more accessible for you and that you will choose to use Wireshark for your troubleshooting needs.

Before we can start tailoring the tool to your needs, we need to identify what those needs are.  For instance, if you are troubleshooting a VoIP problem, your setup would be completely different than if you were troubleshooting a TCP problem.  Sometimes you won’t know where to start, and in that case the default Wireshark profile will do.

As a hypothetical case for this post, one IP phone has poor call quality, while all other phones are functioning normally.  If I were troubleshooting this, I would want to eliminate all the unnecessary distractions from packets other than those of my problem IP phone.  We will accomplish this with a display filter.

You could go up to the box you see above and type in the filter syntax for this, but do you have the syntax memorized?  If you do this on a daily basis, probably.  What if Wireshark is a tool that is only taken out when there is a problem you can’t solve any other way?  For anyone other than a daily user, I would recommend digging into the packet headers, finding the field you would like to filter on, and right-clicking it.  It should look like this:

In the case above, I highlighted the source IP address field and right clicked.  By “applying as filter”, Wireshark will display the syntax for you.  Even if that does not completely fit the bill, you are much closer than you were before.  In my case, here is what the right-click “apply as filter” resulted in:

This is a good start, but a VoIP call is actually two distinct streams.  One of the sources will be your phone’s IP, but your phone’s IP will also be the destination of the other stream, so with this filter we are missing half of the puzzle.  Instead of “ip.src”, we want to see that IP address regardless of whether it is the source or the destination.  To do this, simply click in the filter field and erase the “src” portion.  Wireshark will suggest other options for you, and you should be able to figure it out from there.  If not, you can always turn to your good buddy Google.  Here is what I came up with:

This will filter all of your packets to include packets with either the source or destination IP address of your choosing.  Now that we have been able to isolate the phone’s IP address, we can start looking at the problem.  When I am looking at VoIP packets, one of the first things I look at is the DSCP (Differentiated Services Code Point, commonly referred to as QoS marking) field value.  If you wanted to, you could look for this field in every packet manually.  Another option would be to have Wireshark find and display it for you.  You accomplish this by “applying as a column”.  This is one of the places where things can get a bit tricky.

In the above graphic, I have highlighted the incorrect field (in blue).  It appears to be correct, as I do want to see the value for the “Differentiated Services Field”, but what I have highlighted above is not that value (it is Wireshark’s interpretation).  What you want to display as a column is the actual value for the DSCP field, which I have correctly highlighted below.

After you have highlighted and right-clicked the proper field, you can apply this value as a column (see above graphic).  By applying the DSCP field as a column, you can now see without digging into the individual packets how they are being marked.  You can tell from the above packet that it possesses the default marking of 0.  Voice packets should (depending on your QoS scheme) be marked EF (Expedited Forwarding).  This could explain our quality problem with this particular phone.
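To make the two points above concrete, here is an added Python example (not code from the original post) that builds a few constructed IPv4 headers, evaluates the equivalent of the “ip.src == X” and “ip.addr == X” display filters over them, and pulls the raw DSCP value out of the DS byte the way the column does (in Wireshark that field is ip.dsfield.dscp).  The addresses are made up for the example.

```python
import struct
from ipaddress import IPv4Address

# DSCP code points mentioned in the post: 0 is the default, 46 is EF (voice).
DSCP_NAMES = {0: "Default", 46: "EF"}

def build_ipv4(src, dst, dscp):
    """Minimal 20-byte IPv4 header over UDP; the DS byte holds DSCP in
    its top 6 bits and ECN in the low 2. Constructed test data, not a capture."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, (dscp & 0x3F) << 2, 20, 0x1234, 0x4000, 64, 17, 0,
        IPv4Address(src).packed, IPv4Address(dst).packed,
    )

def ip_field(pkt, name):
    """ip.src / ip.dst, read from the raw header (Wireshark's field names)."""
    offset = {"ip.src": 12, "ip.dst": 16}[name]
    return str(IPv4Address(pkt[offset:offset + 4]))

def dscp(pkt):
    """The raw DSCP value (what the column should show), not its label."""
    return pkt[1] >> 2

def apply_filter(packets, expr):
    """Evaluate the two filters from the post: 'ip.src == X' or 'ip.addr == X'."""
    field, _, value = expr.partition(" == ")
    if field == "ip.src":
        return [p for p in packets if ip_field(p, "ip.src") == value]
    if field == "ip.addr":  # either direction, which is why it catches both streams
        return [p for p in packets if value in (ip_field(p, "ip.src"), ip_field(p, "ip.dst"))]
    raise ValueError(f"unsupported filter: {expr}")

def dscp_column(packets):
    """The 'apply as column' view: (src, dst, raw DSCP, interpretation) per packet."""
    return [(ip_field(p, "ip.src"), ip_field(p, "ip.dst"),
             dscp(p), DSCP_NAMES.get(dscp(p), "other")) for p in packets]

PHONE, PEER, OTHER = "10.0.1.50", "10.0.2.20", "10.0.3.7"   # constructed addresses
CAPTURE = [
    build_ipv4(PHONE, PEER, dscp=0),   # phone -> peer, default marking (the problem)
    build_ipv4(PEER, PHONE, dscp=46),  # peer -> phone, EF
    build_ipv4(OTHER, PEER, dscp=46),  # unrelated phone, should be filtered out
]

if __name__ == "__main__":
    # Same view the post builds in the GUI: ip.addr filter plus a DSCP column.
    for row in dscp_column(apply_filter(CAPTURE, f"ip.addr == {PHONE}")):
        print(row)
```

The ip.src filter keeps only the outbound stream, while ip.addr keeps both, and the column immediately shows the outbound packets carrying DSCP 0 instead of EF.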

While certainly not all-encompassing, this post covered how to easily configure a display filter without knowing the filter syntax and how to apply frequently sought-after data as an easily accessible column.
