Purpose of the assessment (with ULO Mapping)
This assignment is designed to develop deeper analytical understanding of different distributed network conditions. At the completion of this assessment students should be able to:
a. Analyse performance and deployment issues for networked applications;
b. Compare appropriate industry tools and techniques to manage networked applications;
Functions Of Wireshark
A network is built on network protocols and the layers of the OSI model. A network protocol is a set of standard rules and policies, with structured procedures and formats, that enables communication between two or more devices on a network. The OSI model is a network framework that defines the network in 7 layers. Each layer has its own distinct function. The layers depend on each other and are arranged so that they pass information to one another without loss or addition of data. Communication in a network is facilitated by standard software that allows traffic and data packets to flow without interference from external factors. Information is the most important factor for institutions and organizations to consider, since good communication facilitates the success of plans and projects. Analyzing network traffic and packets therefore gives precise data, so that any problem can be spotted and solved before the data is corrupted or interfered with by malicious people, or lost by workers within the institution.
A network management system is a software application used by network engineers and experts to manage and control a small network within a larger network by performing key functions. The main function of these applications is to identify, configure, update and troubleshoot the network devices available within the network being managed. Both wired and wireless devices are managed by these applications. The data collected is then used by the network experts and engineers to make changes where appropriate. These applications are very important for precise network management analysis. Wireshark is a great, widely used data packet sniffer, but it is not the only tool used to analyze the network. It can be extended with the support of complementary tools. There are several widely used plugins and platforms that enhance Wireshark's capabilities and functionality. The tool also has a friendly user interface that allows users to define their own alerts, so that they are informed when unusual changes occur in a network. For instance, if a new device tries to connect, the system automatically detects it and signals it on the display. The live data being generated can also be converted into reports and used to generate more insights.
1) Packets Capturing
Wireshark can be downloaded from its official website. It is available across operating systems such as Windows, macOS and Linux. It is easy to download, since only simple procedures are involved. It also comes packed with the required tools, so no further packages need to be downloaded and configured.
Wireshark is software that captures network traffic and displays the analysis in real time, presenting it in a more readable and understandable format to the experts. They can then perform packet capturing, color coding and packet filtering, among others [1].
The application can be used to troubleshoot suspicious traffic in a network, so that network engineers can quickly resolve the issue before its intentions are fulfilled.
After downloading and installing, the application is ready to use. To analyze a specific network, for instance a wireless one, start the application and click the name of the wireless network interface, as shown below [3].
After you click the interface name, the packets are shown in real time. If promiscuous mode happens to be enabled by default, all packets on the network will be visible, not only your own packets on the network being analyzed. To enable promiscuous mode, click Capture > Options, verify by checking all the checkboxes, then click Activate to finalize the process, as shown below.
To stop capturing traffic, click the red button near the left corner, as shown below.
2) Color Coding
Packets are displayed in a variety of different colors. Wireshark uses color coding to clearly identify the type of network traffic. The default colors have specific meanings: light purple is TCP traffic, light blue is UDP traffic, and black marks packets with errors.
To view the meaning of each color, click View > Coloring Rules. If you want to customize and modify the color coding, you do it from the same place.
3) Filtering
If you want to inspect and analyze something specific, for instance the traffic a program sends when phoning home, it helps to close down all other network applications to narrow down the network traffic. Wireshark filters are then applicable where a larger amount of packets has to be filtered.
To apply a filter, type it in the filter box located at the top of the window, then click Apply or press Enter. For instance, type "dns" and only the DNS packets are displayed. Wireshark also has auto-completion: when you start typing, it completes the filter you want to enter [5], [7], [8].
You can also click Analyze > Display Filters and choose your preferred filter among the default filters that come with Wireshark. You can also add your own filters and save them so that you can use them in future.
Another interesting way of filtering is to right-click a packet and select Follow > TCP Stream.
The full TCP conversation between the server and the client is then shown. You can also follow other network protocols by selecting them in the menu where applicable.
When you close the window, you will find that the filter that was used has been applied automatically. Wireshark then summarizes and displays the packets of the conversation that took place.
4) Viewing Network Statistics
Network statistics can be viewed using the drop-down menu in Wireshark. This is the most useful part when trying to get more information about the network traffic being analyzed [9], [11]. The menu is located at the top of the application, where metrics ranging from size to timing information are provided through charts and graphs. To collect the most important information, you have to apply display filters.
The figure below demonstrates how the Statistics menu is viewed in Wireshark.
Statistics Menu Selection
The following are the core sections of statistics menu:
Protocol Hierarchy - Opens a window with a complete table of the protocols captured during the process. The active filters are shown at the bottom [15], [16].
IO Graphs - Shows user-specific graphs, visualizing the number of packets over the entire data exchange [12], [14].
RTP_statistics - Allows experts and network engineers to save the content of RTP audio streams directly to an Au-file [13], [7].
Service Response Time - Shows the time between the request and the network's response [12].
TcpPduTime - Displays the amount of time taken to transfer data from a protocol data unit, and can also be used to show TCP transmissions [9].
VoIP_Calls - Shows the VoIP calls captured during live calls.
Multi-cast Stream - Used to detect and capture multicast streams, the size of their bursts and the output of the buffers at a certain speed in the stream.
Conversations - Reveals the conversations between two endpoints, for instance the traffic exchanged between two IP addresses.
Endpoints - Displays the list of endpoints, such as the endpoints of a specific protocol layer in the network traffic [8].
5) Using IO Graphs To Visualize Network Packets
Visualizations of the data packets can be created using IO graphs. First, open the IO graphs by clicking the Statistics menu and selecting IO Graphs. Double-click it or press Enter after selecting IO Graphs [3].
You can configure the settings of the IO graphs to fit the data you want to display. Only graph 1 is enabled by default, so if you want to activate graphs 2-5 you have to select them by clicking their checkboxes. Likewise, if you would like to apply a display filter to an IO graph, click the icon next to the graph you want to use and the selected graph will be displayed. There is also a style column that lets you change the way the graphs look. Several options are provided, such as Line, FBar, Impulse and Dot [2], [11].
You can also use the X and Y axis metrics to adjust your graphs. On the X axis, you can set the interval of the sections in minutes and seconds. You can alter the time you would like to display by checking the checkbox. On the Y axis, you can change the measurement unit to one of the following options: Packets/Tick, Bytes/Tick, Bits/Tick, or Advanced. The scale then lets you choose the measurement scale for the Y axis of the graph [5], [9].
Once you press the save button, the graph is stored in the file format you selected earlier.
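What the Conversations, Endpoints and IO Graphs views described above compute from a capture, as an added example that is not part of the original article and not Wireshark's own code. It parses a classic pcap byte string; the function names are hypothetical and the sample capture is constructed inline.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps

def read_pcap(data):
    """Yield (timestamp_in_microseconds, frame_bytes) for each record."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        order = "<"
    elif magic == 0xD4C3B2A1:   # same magic written by a big-endian host
        order = ">"
    else:
        raise ValueError("not a classic pcap capture")
    offset = 24                 # the global header is 24 bytes
    while offset + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack(
            order + "IIII", data[offset:offset + 16])
        offset += 16
        frame = data[offset:offset + incl_len]
        if len(frame) < incl_len:
            break               # capture was cut off mid-record
        offset += incl_len
        yield sec * 1_000_000 + usec, frame

def summarize(data, tick_seconds=1):
    """Return (conversations, endpoints, io_graph) for a capture."""
    conversations = Counter()   # (ip_a, ip_b) -> packets, direction ignored
    endpoints = Counter()       # ip -> bytes sent or received
    io_graph = Counter()        # tick index -> packets in that interval
    start = None
    for ts, frame in read_pcap(data):
        if start is None:
            start = ts
        io_graph[(ts - start) // (tick_seconds * 1_000_000)] += 1
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue            # not IPv4 over Ethernet II (for example ARP)
        src = str(IPv4Address(frame[26:30]))
        dst = str(IPv4Address(frame[30:34]))
        conversations[tuple(sorted((src, dst)))] += 1
        endpoints[src] += len(frame)
        endpoints[dst] += len(frame)
    return conversations, endpoints, io_graph

def make_frame(src, dst, payload_len):
    """Constructed Ethernet II + IPv4 frame with zeroed MACs and payload."""
    eth = bytes(12) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 17, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return eth + ip + bytes(payload_len)

def build_sample_pcap():
    """Constructed capture: five frames over four seconds, one of them ARP."""
    frames = [
        (100, 0,      make_frame("10.0.0.5", "10.0.0.9", 100)),
        (100, 200000, make_frame("10.0.0.9", "10.0.0.5", 300)),
        (100, 900000, make_frame("10.0.0.5", "8.8.8.8", 40)),
        (101, 500000, bytes(12) + b"\x08\x06" + bytes(28)),   # ARP-sized frame
        (103, 100000, make_frame("10.0.0.5", "10.0.0.9", 100)),
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for sec, usec, frame in frames:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    conv, ends, io = summarize(build_sample_pcap())
    print(dict(conv), dict(ends), dict(io), sep="\n")
```

The IO graph counts every frame, while conversations and endpoints cover only the IPv4 frames, so the ARP frame appears in tick 1 but in no conversation.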
Wireshark’s capabilities
Wireshark is a great, widely used data packet sniffer, but it is not the only tool used to analyze the network. It can be extended with the support of complementary tools. There are several widely used plugins and platforms that enhance Wireshark's capabilities and functionality [14].
The following are the Wireshark additions that can be applied to improve analytical capabilities:
SolarWinds Response Time Viewer for Wireshark allows experts and network engineers to calculate their application and network response times. It can also be used alongside Wireshark to show the data and the transaction volume. This is important since it helps you assess network performance and spot possible improvements. SolarWinds being the leading network management tool for solutions on the market, its performance provides useful information to experts and IT admins, with extensive functionality for monitoring and ensuring network safety. Bandwidth monitoring across the network helps the user track live changes through the performance dashboard [11].
CloudShark is another analytical tool, made specifically to analyze and work off Wireshark captures. However, it can also import data from other packet sniffers. A CloudShark plugin for Wireshark helps to transfer the data through to the analytical tools [10].
NetworkMiner is another analytical tool that functions on Wireshark feeds. The tool comes in two versions, paid and free. It analyzes the data packets, displays them as live traffic data and identifies packets by protocol.
SolarWinds Monitor is a full network analysis toolkit that is very important and recommended for experts and IT admins. The figure below shows the analysis samples:
It provides a real-time overview of the user's network infrastructure. A visual display shows all active devices within the network connections, which enables the experts and IT admins to identify malicious, unauthorized devices.
The tool also has a friendly user interface that allows users to define their own alerts, so that they are informed when unusual changes occur in a network. For instance, if a new device tries to connect, the system automatically detects it and signals it on the display. The live data being generated can also be converted into reports and used to generate more insights [13].
Multi-Vendor Networking Monitor - This identifies and resolves multi-vendor performance matters.
Wireless Network Monitor - This shows the performance of the access points, for both the devices used and the clients.
Network Dead Zone Identification - This shows the map of the wireless network connection and identifies the areas with weak signal.
Name Resolution-Network Address
Network analysis using Wireshark has proved effective and efficient. As a network engineer or IT admin, it is important to understand the protocols of the applications used on your network. Apart from IPv4, IPv6, TCP, and HTTP, you must also consider the extensive additional protocols needed for proper operation of your applications within the network.
For instance, the Domain Name System (DNS) is one of the underrated name resolution protocols, but it really carries an important role. Sometimes a user's request takes a long time to resolve and load due to poor internet response time, hence DNS should be verified to be working properly.
For network engineers and IT experts, the main task is ensuring that data flows from point A to point B within a network. TCP greatly contributes to ensuring and facilitating the data flow without much intervention. However, a TCP retransmission may be a symptom of a problem rather than its cause.
TCP retransmissions can be identified using Wireshark. First, filter for the retransmitted packets; many retransmissions may then be visible. The most important point is that there are no flags or unique identifiers associated with a TCP retransmission. Wireshark therefore identifies TCP retransmissions based on SEQ/ACK numbers, IP ID, TCP port and the destination IP address. It also counts the duplicated packets that were retransmitted. The figure below shows how the process takes place.
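Because no flag marks a retransmission, an analyzer has to infer it from addresses, ports and sequence numbers, as the paragraph above says. The following is an added example, not code from the original article or from Wireshark: a simplified heuristic that flags any segment resending sequence space already seen on its flow, and that ignores timing, which real analyzers use to separate retransmissions from out-of-order segments. The `Segment` record and function names are hypothetical and the sample segments are constructed.

```python
from collections import Counter, namedtuple

# Constructed record: the per-segment fields a capture tool shows for TCP.
Segment = namedtuple("Segment", "no src sport dst dport seq length flags")

def seq_before(a, b):
    """True if 32-bit sequence number a comes before b (wraparound-safe)."""
    return ((a - b) & 0xFFFFFFFF) > 0x7FFFFFFF

def find_retransmissions(segments):
    """Return segments that resend sequence space already seen on their flow."""
    next_seq = {}   # one direction of a connection -> next new sequence number
    flagged = []
    for s in segments:
        flow = (s.src, s.sport, s.dst, s.dport)
        # SYN and FIN each consume one sequence number; payload consumes its length.
        consumed = s.length + ("S" in s.flags) + ("F" in s.flags)
        if consumed == 0:
            continue    # a pure ACK occupies no sequence space
        end = (s.seq + consumed) & 0xFFFFFFFF
        if flow in next_seq and seq_before(s.seq, next_seq[flow]):
            flagged.append(s)
        if flow not in next_seq or seq_before(next_seq[flow], end):
            next_seq[flow] = end
    return flagged

def retransmissions_per_flow(segments):
    """Count flagged segments for each (src, sport, dst, dport) direction."""
    return Counter((s.src, s.sport, s.dst, s.dport)
                   for s in find_retransmissions(segments))

CLIENT, SERVER = "10.0.0.5", "10.0.0.9"   # constructed addresses
SAMPLE = [
    Segment(1, CLIENT, 50000, SERVER, 80, 1000, 0, "S"),
    Segment(2, SERVER, 80, CLIENT, 50000, 5000, 0, "SA"),
    Segment(3, CLIENT, 50000, SERVER, 80, 1001, 0, "A"),
    Segment(4, CLIENT, 50000, SERVER, 80, 1001, 100, "PA"),
    Segment(5, CLIENT, 50000, SERVER, 80, 1101, 100, "PA"),
    Segment(6, CLIENT, 50000, SERVER, 80, 1101, 100, "PA"),    # resend of frame 5
    Segment(7, SERVER, 80, CLIENT, 50000, 5001, 500, "PA"),
    Segment(8, CLIENT, 50000, SERVER, 80, 1201, 50, "PA"),
    Segment(9, SERVER, 80, CLIENT, 50000, 5001, 500, "PA"),    # resend of frame 7
    Segment(10, CLIENT, 50001, SERVER, 443, 0xFFFFFFF0, 32, "PA"),  # wraps past 2**32
    Segment(11, CLIENT, 50001, SERVER, 443, 0x00000010, 10, "PA"),
    Segment(12, CLIENT, 50001, SERVER, 443, 0xFFFFFFF0, 32, "PA"),  # resend of frame 10
]

if __name__ == "__main__":
    for seg in find_retransmissions(SAMPLE):
        print("retransmission: frame", seg.no, "seq", seg.seq)
    print(retransmissions_per_flow(SAMPLE))
```

Frame 12 is only caught because sequence numbers are compared modulo 2^32; a plain `seq < next_seq` test would miss a resend that sits on the other side of the wraparound.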
Packet Loss Using Wireshark
Packet loss is the situation where a data packet is never received. It can be caused by many factors, such as corrupted frames, RF interference, duplex mismatches, dirty fiber connectors, oversubscribed links, and routing issues.
Packet loss causes performance problems for TCP-based protocols because of the time needed to retransmit the frames lost in the process. If your application uses UDP, then all bets are off and the application decides what to do. A UDP application normally reacts to packet loss by retrying the connection, re-sending data or corrupting data. With a VoIP application, you will hear echo and distorted audio.
Wireshark Simplicity and Versatility
The functionality and usage of Wireshark come down to its simplicity and versatility. This is important, since Wireshark is user-friendly for both beginners and veterans. More research can be done to learn more about Wireshark's usage and importance. It gives the upper hand to anyone interested in using more advanced features and in creating their own protocol dissectors [15].
Wireshark's official user guide has the most comprehensive guidance on the subject. A lot of research can be done using the several guides that give more detail on how to use Wireshark's more advanced features. SolarWinds has greatly contributed to the deep analysis efforts of experts and IT admins. The tool has really changed the approach to analyzing network data packets [6].
Conclusion
Wireshark is a great, widely used data packet sniffer, but it is not the only tool used to analyze the network. It can be extended with the support of complementary tools. There are several widely used plugins and platforms that enhance Wireshark's capabilities and functionality. The functionality and usage of Wireshark come down to its simplicity and versatility. This is important, since Wireshark is user-friendly for both beginners and veterans. More research can be done to learn more about Wireshark's usage and importance. It gives the upper hand to anyone interested in using more advanced features and in creating their own protocol dissectors. Wireshark is software that captures network traffic and displays the analysis in real time, presenting it in a more readable and understandable format to the experts. They can then perform packet capturing, color coding and packet filtering, among others [14].
The application can be used to troubleshoot suspicious traffic in a network, so that network engineers can quickly resolve the issue before its intentions are fulfilled. If you want to inspect and analyze something specific, for instance the traffic a program sends when phoning home, it helps to close down all other network applications to narrow down the network traffic. Wireshark filters are then applicable where a larger amount of packets has to be filtered.
SolarWinds being the leading network management tool for solutions on the market, its performance provides useful information to experts and IT admins, with extensive functionality for monitoring and ensuring network safety. Bandwidth monitoring across the network helps the user track live changes through the performance dashboard. The tool also has a friendly user interface that allows users to define their own alerts, so that they are informed when unusual changes occur in a network. For instance, if a new device tries to connect, the system automatically detects it and signals it on the display. The live data being generated can also be converted into reports and used to generate more insights [12].
Reference
[1] J. Nielsen, "Ten usability heuristics of database," 2012, https://www.useit.com/papers/heuristic/heuristic_list.html.
[2] Microsoft Corporation, "Site management cycle," 2013, https://msdn.microsoft.com/library/en-us/comsrv2k/htm/cs_gs_concepts_ntqq.asp.
[3] C. Sherman, "Teoma vs. Google, round two," April 2, 2012, https://searchenginewatch.com/searchday/02/sd0402-teoma.html.
[4] J. Raskin, "Looking for a humane interface: Will computers ever become easy to use?" Communications of the ACM, vol. 40, no. 2, pp. 98-101, Feb. 2014.
[5] M. Phillips, "Reducing the cost of Bluetooth systems," Electronics & Communication Engineering Journal, vol. 13, no. 5, pp. 204-208, Oct. 2011.
[6] H.L. O'Brien and E.G. Toms, "What is user engagement? A conceptual framework for defining user engagement with technology," Journal of the American Society for Information Science and Technology, vol. 59, no. 6, pp. 938-955, Apr. 2018.
[7] E.F. Vasechkina and V.D. Yarin, "Evolving polynomial neural network by means of genetic algorithm: Some application examples," Complexity International, vol. 09, 2011, https://www.csu.edu.au/ci/vol09/vasech01/.
[8] O. Edelestein, E. Farchi, Y. Nir, G. Ratsaby, and S. Ur, "Multithreaded Java program test generation," IBM Systems Journal, vol. 41, no. 1, pp. 111-125, 2012, https://www.research.ibm.com/journal/sj/411/edelstein.pdf.
[9] R.R. Yager, "Multiple objective decision-making using fuzzy sets," International Journal of Man-Machine Studies, vol. 9, no. 4, pp. 375-382, Jul. 2014.
[10] K.-L. Wu, C.C. Aggarwal, and P.S. Yu, "Personalization with dynamic profiler," in Proceedings of the third international workshop on advanced issues of e-commerce and web-based information systems, 2016, pp. 12-20.
[11] T. Hastie, R. Tibshirani, and J.H. Friedman, The elements of statistical learning: Data mining, inference, and prediction, Springer Series in Statistics. New York: Springer-Verlag, 2017.
[12] M.T. Maybury, "Intelligent user interfaces for all," in User interfaces for all: Concepts, methods and tools, C. Stephanidis, Ed. Mahwah, NJ: Lawrence Erlbaum Associates, 2018, pp. 65-80.
[13] ANSI T1.602-2010, Telecommunications-Integrated Services Digital Network (ISDN) - Data-Link Layer Signaling Specification for Application at the User-Network Interface.
[14] T. J. van Weert and R. K. Munro, Eds., Informatics and the Digital Society: Social, and ethical and cognitive issues: IFIP TC3/WG3.1&3.2 Open Conference on Social, Ethical Cognitive Issues of Informatics and ICT, July 22-26, 2002, Dortmund, Germany. Boston: Kluwer Academic, 2003.
[15] L. Liu and H. Miao, "A specification based approach to testing polymorphic attributes," in Formal Methods and Software Engineering: Proceedings of the 6th International Conference on Formal Engineering Methods, ICFEM 2004, Seattle, WA, USA, November 8-12, 2004, J. Davies, W. Schulte, M. Barnett, Eds. Berlin: Springer, 2004, pp. 306-19.
[16] H. K. Edwards and V. Sridhar, "Analysis of software requirements engineering exercises in a global virtual team setup," Journal of Global Information Management, vol. 13, no. 2, p. 21+, April-June 2005. [Online]. Available: Academic OneFile, https://find.galegroup.com. [Accessed May 31, 2005].
My Assignment Help. (2020). How To Use Wireshark In Analysis Of A Network. Retrieved from https://myassignmenthelp.com/free-samples/mn504-networked-application-management-wireshark.