Topic outline

  • Sharkfest 17 US

    Workflow-based Analysis of Wireshark Traces: Now we can all be Experts

    In this session we took a new approach to packet analysis.

    We analyzed a performance problem, and discovered how to reduce thousands of packets to a handful, and nail the cause.

    The Session

    Even with a relatively good knowledge of TCP/IP and Wireshark, it can be difficult to know where to start with the analysis of trace files. Hundreds of thousands of packets and many protocols can be totally overwhelming unless you have years of experience, or can get someone with years of experience to help. Workbench offers a systematic way to analyse traces, based on workflows modeled on the way experts work. In this session we were able to troubleshoot a performance problem from start through to root cause using Wireshark and the community edition of Workbench.

    Learning Objectives

    Here's what we covered in the session:

    • End-to-end transaction analysis theory
    • Four patterns of packets that distinguish between a client, network or server problem
    • A three-point strategy for packet analysis
    • How to find the time frame of a problem
    • Filtering techniques to select just the trace data needed
    • How to match packets as they cross the network
    • A strategy to identify the component causing the problem
    • How to cross check packet analysis findings with web log information

    Session Leader

    Paul Offord, Project Leader, TribeLab

    Paul has had a 39-year career in the IT industry that includes roles in hardware engineering, software engineering and network management. Prior to founding Advance7, he worked for IBM, National Semiconductor and Hitachi Data Systems. Paul and the Problem Analysts at Advance7 help IT support teams in many business sectors troubleshoot difficult performance and stability problems. Paul has recently contributed code to the Wireshark project and is currently leading the team developing Workbench.

  • Repeat the Exercise

    To repeat the exercises covered in the session you will need the following software installed on your Windows 64-bit PC:

    • Wireshark 2.2.4 or later - install from here
    • TRANSUM 2.0.4 - download the transum.dll plugin from here and copy into %USERPROFILE%\AppData\Roaming\Wireshark\plugins
    • bds.dll Plugin for Wireshark 2.2.x (optional) - download the bds.dll plugin from here and copy into %USERPROFILE%\AppData\Roaming\Wireshark\plugins
    • Workbench NE 0.17.0 - download and run the security-signed installation package Workbench.msi from here
    • - this file contains the trace files we'll be using for the session and is available below

    BDS (bds.dll) allows the analysis of Microsoft IIS web log files in Wireshark. We will demo this during the session, but it is not required to complete the analysis.

    If you are using Wireshark 2.4 release candidate, you do not need to install the transum.dll plugin as TRANSUM is a standard feature of Wireshark 2.4.

    • Trace Data for the Session

      • File 40.3MB Uploaded 17/06/17, 08:52