Network slowdowns can be a real headache for network administrators, but by properly using freely available tools like Wireshark we can track these issues down much more easily. Wireshark is a free tool called a protocol analyzer and is available at www.wireshark.org. Protocol analyzers capture network traffic and put it into a readable format that a network administrator can then inspect.
First, let's go to www.wireshark.org and download the program. At the time of this article the file to download is “wireshark-setup-1.0.5.exe”. Now that we have downloaded and installed the program, let's get right into setting it up and using it.
Now I am going to take a little side note and give a quick explanation of the difference between a switch and a hub, which is very relevant to this article. A hub is a piece of networking equipment that connects multiple computers together in a network. When one computer sends traffic onto a network connected with a hub, the traffic is copied out every port on the hub except the port it came in on. So in our example computers A, B, C, and D are connected to ports 1, 2, 3, and 4 respectively, and computer A sends traffic to computer C. The traffic from computer A comes in on port 1 and is copied and sent out ports 2, 3, and 4. Computer B receives the traffic, realizes it is not for him and drops it; computer C receives the traffic, sees that it is for him and processes it; computer D receives the traffic, realizes it is not for him and drops it. A switch works a little differently and more efficiently than a hub. A switch listens to the traffic going across it and keeps track of which computer is connected to which port. So when computer B sends traffic to computer D through a switch, computer A and computer C never see any of that traffic. Therefore, if you are going to use Wireshark to diagnose a network problem you need to be using a hub, at least between the problem workstation and the rest of the network, or you will need a switch that is capable of port mirroring. Port mirroring is a feature of business-class switches: it takes all traffic that goes in and out of a specific port and mirrors it to another port of your choosing, normally the port the computer running Wireshark is connected to.
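To make the hub/switch difference concrete, here is a small simulation written for this article (it is an added example, not part of the original text or of Wireshark). The hosts A-D, their MAC addresses, the port numbers and the choice of port 4 as the sniffer's port are all constructed for the illustration. It shows that a hub repeats every frame to the sniffer, that a learning switch stops doing so as soon as it has learned where the destination lives, and that port mirroring restores visibility of the mirrored port's traffic.

```python
"""Hub vs. learning switch: which ports receive a copy of each frame?"""
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str  # source MAC address
    dst: str  # destination MAC address


class Hub:
    """A hub repeats every frame out of every port except the one it arrived on."""

    def __init__(self, ports):
        self.ports = list(ports)

    def forward(self, ingress, frame):
        return sorted(p for p in self.ports if p != ingress)


class Switch:
    """A learning switch remembers which MAC lives on which port and forwards only there."""

    def __init__(self, ports, mirror_src=None, mirror_dst=None):
        self.ports = list(ports)
        self.cam = {}  # MAC address -> port, learned from the source of each frame
        self.mirror_src = mirror_src  # port whose traffic is mirrored (None = mirroring off)
        self.mirror_dst = mirror_dst  # port the Wireshark machine is plugged into

    def forward(self, ingress, frame):
        self.cam[frame.src] = ingress  # learn where the sender lives
        if frame.dst != BROADCAST and frame.dst in self.cam:
            egress = {self.cam[frame.dst]}  # known destination: one port only
        else:
            egress = {p for p in self.ports if p != ingress}  # unknown/broadcast: flood
        # Port mirroring copies everything entering or leaving mirror_src to mirror_dst.
        if self.mirror_dst is not None and (ingress == self.mirror_src or self.mirror_src in egress):
            egress.add(self.mirror_dst)
        egress.discard(ingress)
        return sorted(egress)


# Constructed topology: hosts A-D on ports 1-4, Wireshark running on host D (port 4).
MACS = {h: f"02:00:00:00:00:0{i}" for i, h in enumerate("ABCD", start=1)}
PORT_OF = {"A": 1, "B": 2, "C": 3, "D": 4}
SNIFFER_PORT = PORT_OF["D"]


def deliver(device, sender, receiver):
    """Send one unicast frame from sender to receiver; return the ports that see it."""
    return device.forward(PORT_OF[sender], Frame(src=MACS[sender], dst=MACS[receiver]))


def run_scenario():
    results = {}
    hub = Hub(PORT_OF.values())
    results["hub_A_to_C"] = deliver(hub, "A", "C")  # every other port, sniffer included

    switch = Switch(PORT_OF.values())
    results["switch_first_A_to_C"] = deliver(switch, "A", "C")   # C unknown yet: flooded
    results["switch_C_to_A"] = deliver(switch, "C", "A")         # A already learned: port 1
    results["switch_second_A_to_C"] = deliver(switch, "A", "C")  # both learned: port 3 only

    # Same switch, but port 3 (host C) mirrored to the sniffer's port.
    mirrored = Switch(PORT_OF.values(), mirror_src=PORT_OF["C"], mirror_dst=SNIFFER_PORT)
    deliver(mirrored, "A", "C")
    deliver(mirrored, "C", "A")
    results["mirrored_A_to_C"] = deliver(mirrored, "A", "C")
    results["mirrored_C_to_A"] = deliver(mirrored, "C", "A")
    return results


if __name__ == "__main__":
    for label, ports in run_scenario().items():
        seen = "sees it" if SNIFFER_PORT in ports else "misses it"
        print(f"{label:<24} -> ports {ports}  (sniffer on port {SNIFFER_PORT} {seen})")
```

Running it shows why a capture taken from an ordinary switch port looks almost empty: after the first exchange, the A-to-C conversation is delivered to port 3 alone, and only the mirrored switch copies it to port 4.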
Now that my side note is done and you have a better understanding of where you will need to set up the computer running Wireshark, we will continue. First we launch the program, and you can see we are presented with a blank screen. Next we need to choose which network adapter we are going to use by clicking on the first button on the far left.

Now we have a new window showing us the network cards we can choose from. This window will even tell us whether each network card already has an IP address assigned and whether any traffic is being transferred across it. From this window we have three options for each available network card. Start is the first button: simply click it to start a capture with no filters and capture everything. The Options button gives you a few different settings you can set before you start your capture; we will discuss the Capture Filter option in another article. Last we have the Details button, which simply gives you some more detail about the specific network card you are choosing. For this article we will go ahead and click the Start button and begin a capture with no filters set.

We are now capturing the data coming across our network card, and it is being recorded and displayed in Wireshark. For each packet we capture the sequence number, the time stamp, the source IP address, the destination IP address, the protocol, and additional information about the packet. If we then click on a specific packet we can see all the details of the entire packet, including any plain text that may be traveling across it.
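The columns described above are what a protocol analyzer produces by dissecting the raw bytes of each frame. The decoder below is an added example written for this article, not Wireshark's own code: it builds one constructed Ethernet/IPv4/TCP frame (addresses from the RFC 5737 documentation range, an ordinary HTTP request as payload, checksums left at zero) and turns it into the Source, Destination, Protocol and Info view, plus the ASCII rendering of the payload that shows why unencrypted plain text is readable to anyone holding the capture.

```python
"""Decode a raw Ethernet/IPv4/TCP frame into the columns a protocol analyzer shows."""
import struct

IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK")]


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def build_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Build a constructed test frame (checksums left zero; fine for offline decoding)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", 0x0800)
    return eth + ip + tcp


def decode_frame(raw):
    """Return the Source / Destination / Protocol / Info view of one captured frame."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", raw[12:14])[0]
    if ethertype != 0x0800:  # only IPv4 is dissected here; other types are just named
        return {"source": raw[6:12].hex(":"), "destination": raw[:6].hex(":"),
                "protocol": f"ethertype 0x{ethertype:04x}", "info": "", "payload": b""}
    ip = raw[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("truncated or non-IPv4 header")
    ihl = (ip[0] & 0x0F) * 4  # header length in bytes (options included)
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    result = {
        "source": ".".join(str(b) for b in ip[12:16]),
        "destination": ".".join(str(b) for b in ip[16:20]),
        "protocol": IP_PROTOCOLS.get(proto, f"IP proto {proto}"),
        "info": "",
        "payload": ip[ihl:total_len],  # transport header + data, padding excluded
    }
    if proto == 6 and len(result["payload"]) >= 20:
        tcp = result["payload"]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        data_off = (tcp[12] >> 4) * 4  # TCP header length in bytes
        names = [name for bit, name in TCP_FLAGS if tcp[13] & bit]
        result["payload"] = tcp[data_off:]
        result["info"] = f"{sport} -> {dport} [{', '.join(names)}] Seq={seq} Len={len(result['payload'])}"
    return result


def printable(payload):
    """Render payload bytes the way a hex/ASCII pane does: non-printables become '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in payload)


# Constructed sample: an unencrypted HTTP request on a documentation (RFC 5737) subnet.
SAMPLE_FRAME = build_tcp_frame(
    "02:00:00:00:00:0a", "02:00:00:00:00:14",
    "192.0.2.10", "192.0.2.20", 51234, 80, 0x18,  # 0x18 = PSH + ACK
    b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
)

if __name__ == "__main__":
    row = decode_frame(SAMPLE_FRAME)
    print(f"{row['source']:>12}  {row['destination']:>12}  {row['protocol']:<4}  {row['info']}")
    print(printable(row["payload"]))
```

The decoder honours the IPv4 header length field and the IPv4 total length, so frames carrying IP options or trailing Ethernet padding are sliced correctly; anything that is not IPv4 is reported by its EtherType rather than misread.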

We are now essentially capturing all data that is going between the problem workstation and everything else on the network. We are able to see any network errors or retransmissions that occur and what is causing them. We can then make network changes or software changes and then take another network capture and see if there is any improvement.
Now, with my background in computer security, I would be remiss if I didn't mention the inherent risk of programs like Wireshark. Wireshark is a great tool for pinpointing a network problem, but imagine if an outsider placed a program like Wireshark on your network and was able to capture all of your network traffic, including usernames and passwords that weren't encrypted. So I have included a few recommendations that will keep someone from using a program like Wireshark against you, or will minimize the information they are able to get.
- Deploy switches throughout your network, and if you must deploy a hub make sure it is locked away where no one can physically access it.
- Deploying switches in your network will not only increase security but will also increase performance.
- Do not leave port mirroring on when you are not using it; enable it only when you need it.
- Encrypt all access to switches and other network devices so that if the traffic is captured it will be unreadable.
- Encrypt all password traffic between workstations and servers.
This article has described the very basics of using Wireshark. My next article will focus on filters, so that you can easily sort through the massive amounts of information collected.
Thanks for reading.
Mike Walton

