It is possible to track the queries and see whether there are any issues associated with DNS lookups. As can be seen in Figure E, four queries were made to DNS over the course of this capture. To filter DNS traffic, the filter udp.port=53 is used. DNS uses port 53 and uses UDP for the transport layer. The other type of traffic looked at (and this may be of some interest when troubleshooting network issues) is DNS traffic. The filter used and the output is shown in Figure D. The filter used in this case is tcp.port=80. This type of traffic uses TCP in the transport layer and operates on port 80. The first class we look at is http traffic. In this case, rather than running iperf, a capture was made during a normal use period. The second part of this post looks at using a couple of basic filters to separate out traffic classes. This comprises Ethernet header information (14 bytes), IP headers (20 bytes) and TCP headers (20 bytes). In this case, we can see that the protocol overhead for the frame is 54 bytes. As an aside, you can also see the protocol overhead on each transmitted frame. Wireshark will indicate whether the packet was fragmented in order to fit within the Maximum Transmission Unit (MTU). You could also expand the data section or the Ethernet section. Figure C, for example, has the IP and TCP sections expanded. You can expand the sections in the lower pane to examine in more detail the contents of the packet. Highlighting a packet in the upper frame shows a summary of the packet in the lower pane, as Figure B indicates. In Figure B, you can see circled the TCP three way handshake for initiating a connection. There was other traffic on the network in addition to the iperf traffic. The iperf session was a 30-second continuous transmission.
The wireshark capture used for the first part of this post is taken from a session running iperf. This allows you to analyse the traffic captured in more detail. When you stop a wireshark session you can save the output to a file. As Figure A shows, wireshark output consists of two panes: the top pane shows the packets, while the bottom pane shows details of packets highlighted in the top pane. Clicking on the icon next it (circled in red) stops the capture. Starting a capture is simply a matter of clicking on the icon shown circled in green on Figure A. Wireshark can be started from the command line, but it usually needs to be run as root or as sudo. This week’s post provides a brief introduction to wireshark and shows two basic filters that can be used to extract two different classes of traffic.
Wireshark is a protocol analyser available for download. Scott Reeves shares the wireshark filters that helps you isolate TCP and UDP traffic. Two simple filters for wireshark to analyze TCP and UDP traffic
0 kommentar(er)
