
Using packet capture software like Wireshark is a useful troubleshooting technique that can be used to examine packets and gather details to help find the root of a problem. In my previous post, I talked a little bit about how to use Wireshark and walked through some steps to run a simple packet capture from a PC. This time, I'm going to go a bit deeper into how to do packet captures.

A common use for packet capture is to monitor the packets going to and from a specific device. To be able to capture those packets, the packet capture tool has to be sharing the network segment being used by the specific device. Simply connecting a laptop running Wireshark to the same switch or switch embedded into a router as the target device will not allow a PC to monitor the packet flows of another device without some additional tools, features, or options.

One simple tool that is useful for monitoring another device's packet flow is a hub. A hub, such as the simple 4 port Netgear model shown in Figure 1, looks and seems very similar to a switch. There are some key differences, though.

Hubs are shared network devices that operate at the physical layer, or layer 1 of the OSI Network Model, with all devices using the same bandwidth and media. Consequently, all packets sent and received on that hub can be monitored from any port on that hub. This shared aspect also makes hubs a security risk, so replace that old hub with a switch if you still have one in production.

Figure 1: Typical hub

For troubleshooting, the hub comes in handy. Connecting the target device and the PC with Wireshark to a hub connected to the rest of the network will enable the PC with Wireshark to run a packet capture on packets going to and from the target device, using the same techniques as described in my last blog.

Hubs have been pretty much replaced by switches. But managed or "smart" switches usually have a feature that allows you to monitor a specific port, known as port mirroring.

For example, the Linksys SRW2008 [reviewed] is a nice 8 port switch with various management features, including port mirroring. In Figure 2, I've enabled port mirroring on Port g1, with my laptop running Wireshark connected to Port g2, and selected a Type of Both to allow me to capture both Transmit and Receive traffic.

Figure 2: Wireshark Interfaces

Using this feature on my switch, I've essentially tied together ports 1 and 2, and now can run a packet capture from a laptop or PC on port 2 to troubleshoot packet flows coming and going from whatever device may be connected to port 1.

In addition to using a hub or port mirroring, many devices have packet capture options built into their software. As I mentioned last week, the SonicWall TZ190W, D-Link DFLCPG310, and Netgear's newly released FVX538 and FVS336G all have this option. Using the packet capture tool on a router combines the functionality of port mirroring and Wireshark capture, producing an output file of packet flows which can then be downloaded to a PC and opened within Wireshark for filtering and analysis.

Filter the Packets

Now that we've covered the software and hardware for packet captures, the next step is to filter the packets so we can limit the amount of data we have to sift through. PCs can produce thousands of packets in a very short period of time, and if you're looking for a specific problem, you don't want to be sifting through all those lines of data to find it.

MAC addresses, IP addresses, traffic types, and just about any other data characteristic can be specified in a filter to isolate traffic. Let's say I want to filter traffic between my PC and my gateway router, and I only want to look at TCP traffic. Clicking Capture -> Options opens the screen in Figure 3.

Figure 3: Host and TCP filter

As you can see, I've created a capture filter with the conditions `host 192.168.3.1 and tcp`. This simple filter will capture only TCP traffic that is coming from or going to my gateway router, which is host 192.168.3.1. I used the Boolean keyword `and`, meaning both conditions have to be met in my filter, as opposed to using the Boolean keyword `or`, which would have created a filter that captured all TCP traffic as well as all traffic to and from my gateway router.

Filters can get far more complex than this example, but this gives the general idea of using keywords and multiple conditions to narrow your search. Altogether, the combination of a hub or network device that supports port mirroring or packet captures, along with Wireshark, yields a very powerful tool for network troubleshooting.
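To make the `and` versus `or` difference concrete, here is an added example (not code from the original post or from Wireshark) that evaluates a small subset of tcpdump/Wireshark capture-filter syntax over a constructed set of packets. It goes a little beyond the post by also handling parentheses and the tcpdump rule that `and` binds tighter than `or`; the packet list and the 203.0.113.5 address are invented sample data.

```python
import re

GATEWAY = "192.168.3.1"  # the gateway router in the article's filter
# Constructed sample traffic, not a real capture: (source IP, destination IP, protocol).
# 203.0.113.5 is a documentation address standing in for an Internet host.
PACKETS = [
    ("192.168.3.10", GATEWAY, "tcp"),         # PC -> gateway, TCP
    (GATEWAY, "192.168.3.10", "tcp"),         # gateway -> PC, TCP reply
    ("192.168.3.10", GATEWAY, "udp"),         # PC -> gateway, DNS over UDP
    ("192.168.3.10", GATEWAY, "icmp"),        # PC pings the gateway
    ("192.168.3.10", "203.0.113.5", "tcp"),   # PC -> Internet host, TCP
    ("192.168.3.20", "192.168.3.10", "udp"),  # another LAN device, UDP
]

def parse_filter(expr):
    """Compile a capture-filter string into a predicate over a packet tuple. Supports
    'host <ip>', tcp/udp/icmp, 'and', 'or' and parentheses; 'and' binds tighter than 'or'."""
    tokens = re.findall(r"\(|\)|[^\s()]+", expr.lower())  # consumed left to right
    def primary():
        tok = tokens.pop(0) if tokens else None
        if tok == "(":
            node = disjunction()
            if not tokens or tokens.pop(0) != ")":
                raise ValueError("missing ')'")
            return node
        if tok in ("tcp", "udp", "icmp"):
            return lambda pkt: pkt[2] == tok
        if tok == "host" and tokens:
            addr = tokens.pop(0)
            return lambda pkt: addr in pkt[:2]     # matches source or destination
        raise ValueError(f"unexpected token {tok!r}")
    def conjunction():                              # primary ('and' primary)*
        node = primary()
        while tokens and tokens[0] == "and":
            tokens.pop(0)
            node = (lambda l, r: lambda pkt: l(pkt) and r(pkt))(node, primary())
        return node
    def disjunction():                              # conjunction ('or' conjunction)*
        node = conjunction()
        while tokens and tokens[0] == "or":
            tokens.pop(0)
            node = (lambda l, r: lambda pkt: l(pkt) or r(pkt))(node, conjunction())
        return node
    node = disjunction()
    if tokens:
        raise ValueError(f"trailing token {tokens[0]!r}")
    return node

def apply_filter(expr, packets=PACKETS):
    keep = parse_filter(expr)                       # packets the capture would keep
    return [pkt for pkt in packets if keep(pkt)]
```

Running `apply_filter("host 192.168.3.1 and tcp")` keeps only the two TCP packets exchanged with the gateway, while the `or` form also keeps the gateway's UDP and ICMP packets and the TCP session to the Internet host.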
