Wire Shark

Date post: 27-Nov-2015
Upload: najam-butt

Transcript

1 | Presentation Title | January 2009

Equipment installation: Mirroring option (Recommended)

[Diagram; labels recovered from the slide] RNC with two ETH cards (Lp/14, Eth/x and Lp/15, Eth/x), links labelled "Iux over IP"; Router; Iub (IP link); Iu-PS/Iu-CS towards SGSN/MSC; mirroring port on the router (if the router does not have an Ethernet port, an Optical-Copper SFP is needed); PC attached to the mirroring port with an RJ45 (ETH cable). Media: Ethernet towards the PC, Fiber on the network side.

UL & DL traffic from multiple GIGE interfaces can be captured.

Slide 2

Equipment installation: Splitter option

[Diagram A; labels recovered from the slide] RNC ETH card (Lp/14, Eth/x; Lp/15, Eth/x), Router, Iux over IP, Iub (IP link); the fiber is tapped by an optical splitter into an Optical - Ethernet Converter (Rx slot); PC attached over Ethernet with an RJ45 (ETH cable).
One-way traffic from only one GIGE interface can be captured.

[Diagram B; labels recovered from the slide] Same RNC / Router / Iux over IP / Iub (IP link) elements; the splitter outputs go into a Switch 6850 with 2 Optical Ports (2 SFP), one Rx slot per direction; PC attached over Ethernet with an RJ45 (ETH cable).
Both UL & DL traffic from one GIGE interface can be captured.

Slide 3

Check list
– Confirm the type of fibers (SX/LX) and connectors (LC/FC/SC) needed
– Mirroring option (recommended), check availability of:
  • Mirroring capability of the access routers
  • The dedicated mirroring port must be configured
  • If the mirroring port is Gigabit Optical, you need either a "Copper Ethernet SFP" or an Optical - Ethernet converter
  • Ethernet RJ-45 cable
  • Laptop with Wireshark
– Splitter option, check availability of:
  • Optical splitters
  • 10/100/1000Base-T to 1000Base-SX/LX converter, or Omniswitch with associated SFP
  • Ethernet RJ-45 cable
  • Laptop with Wireshark running

Slide 4

2 Wireshark setting guide (whatever the Iux interface)

Slide 5

Software overview

Winpcap
– Mandatory for IP sniffing on a laptop
– Provided together with the Wireshark software
– All archived Winpcap versions can be downloaded from http://www.winpcap.org/
– Stable version is 4.1.beta5 or 3.1

Wireshark
– Wireshark version: 1.2.5 (or later), check http://www.wireshark.org
– Installation tip: install Wireshark in the default folder, so that it is reachable from cmd.exe; useful in case you need to run the Tshark tool provided with Wireshark

Windump
– Windows version of the popular tcpdump tool
– Used to capture the IP traffic with a truncated packet size
– Useful & robust for capturing live network traffic
– Windump version 3.9.5, download from http://www.winpcap.org/
– Installation tip: put Windump.exe in a folder reachable from CMD

Slide 6

How to check if Winpcap works well?

"Winpcap works well" means Wireshark/Windump can:
– see all available network interfaces on the PC (Gigabit Ethernet, WiFi Link, Generic Adapter...)
– capture the UE trace from a Qualcomm modem/data card (the Generic Adapter needs to be visible for this)

If not, workaround:
• Uninstall the current Winpcap & install the recommended stable Winpcap version
• Use another laptop PC (avoid Lenovo ThinkPad if possible)

[Screenshots of the interface lists] From Wireshark: OK (Generic dialup Interface, Qualcomm USB Modem and Gigabit Ethernet Interface are all listed). From Windump: NOK, no generic dialup adapter => cannot take a UE trace on this PC.

Slide 7

PC setting for capturing in promiscuous mode
– Capturing all traffic that the network card can "see" (i.e. mirrored traffic)
– Check "capture packets in promiscuous mode" in Wireshark Capture Options
– Configure a dummy IP@ for the Local Area Connection; automatic IP@ configuration can also work on many PCs
– No tracing if there is a mismatch between the speed on the PC & the mirroring interface (Fast/Gigabit Ethernet)
  • Device manager > Network adapter > Advanced > Link Speed & Duplex
  • "Auto Detect" is recommended (default setting)
  • 100 Mbps/1 Gbps & Full duplex is desirable (if auto detect does not work); the selected speed depends on the speed of the mirroring interface
  • Force the mirroring port to the same speed as the network interface card (NIC)

Slide 8

VLAN capture setup issue
– With some PC/Network Interface Cards, you won't necessarily see the VLAN tags in packets when capturing on a VLAN (the NIC or its driver strips the 802.1Q tag before the capture driver sees the frame)
– Some workarounds to disable the stripping of VLAN tags:
  • http://wiki.wireshark.org/CaptureSetup/VLAN
  • http://www.intel.com/support/network/sb/CS-005897.htm
– The workaround does not necessarily work for every NIC type, so please use another PC/NIC in order not to waste too much time

Slide 9

Wireshark: Quick Launch
– Launch the Wireshark application
– Identify the capture interface (in our case, it is a Gigabit network connection): Capture > Interfaces; this is the one we used to connect with the RJ45
– Toolbar icons: one starts a new live capture, one stops the running live capture

Slide 10

Wireshark Settings: Capture > Options

Basic, must-know
– Select the right capture interface (NIC card)
– Capture filter: specify one only in case you know exactly what you want to capture (ex: ether[70:2]=0x0014)
– Display options: check them if you want to see the traces displayed in real-time
– Click Start to capture the traces

Advanced, useful for live network capture
– Check this when capturing mirrored traffic: truncate the captured packet (ex: 120 byte)
– Save the trace while capturing
– Save in multiple files, scheduled by capturing duration or file size
– Schedule to stop capture

Slide 11

Wireshark trace example

[Annotated screenshot] The packet list shows the captured messages (time, address, protocol, info); the middle pane shows the protocol stack of the selected message; the bottom pane shows header + data coded in hexa. The bar at the top is the DISPLAY filter, for example tcp.analysis.retransmission to display only the TCP retransmission messages.

Slide 12

Common display filters
– udp / tcp / sctp / icmp / ranap / sccp / gtp => display only the desired protocol
– sctp && ip.src==10.2.4.9 => display sctp sent from the source having IP@=10.2.4.9
– sctp || tcp => display sctp or tcp messages (both tcp & sctp will be displayed)
– tcp.analysis.retransmission => display the TCP retransmission messages
– tcp.analysis.lost_segment => display "previous segment lost"
– vlan.id == 123 => display the messages having VLAN ID=123
– For more about the filter expressions, go to "Expression"
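The following is an added example, not part of the original slides and not Wireshark or WinPcap code: a small standard-library pcap reader that replays three points of the deck on a constructed capture, namely VLAN tags that a NIC may or may not strip (slide 8), packet truncation by the snaplen set in Capture Options (slide 10, 120 bytes) and the display filters of slide 12 (vlan.id == 123, sctp && ip.src==10.2.4.9) expressed as code. The frames, MAC addresses and timestamps are constructed; the IP address 10.2.4.9 and VLAN ID 123 are reused from the slides as sample values. The byte layouts used are the real classic pcap, 802.1Q and IPv4 header formats.

```python
import struct
from dataclasses import dataclass
from typing import Iterator, List, Optional

ETH_P_8021Q = 0x8100          # 802.1Q VLAN tag TPID
ETH_P_IP = 0x0800
IPPROTO = {1: "icmp", 6: "tcp", 17: "udp", 132: "sctp"}
PCAP_MAGIC = 0xA1B2C3D4       # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


@dataclass
class Frame:
    wirelen: int              # length of the packet on the wire
    caplen: int               # bytes actually saved (<= snaplen)
    vlan_id: Optional[int]    # None when no 802.1Q tag was seen (stripped or untagged)
    ip_src: Optional[str]
    ip_dst: Optional[str]
    proto: Optional[str]

    @property
    def truncated(self) -> bool:
        return self.caplen < self.wirelen


def build_frame(src: str, dst: str, proto: int, vlan: Optional[int], payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4 frame (sample data, not a real capture)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vlan is not None:
        eth += struct.pack("!HH", ETH_P_8021Q, vlan & 0x0FFF)   # PCP=0, DEI=0, VID
    eth += struct.pack("!H", ETH_P_IP)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    return eth + ip_hdr + payload


def write_pcap(frames: List[bytes], snaplen: int) -> bytes:
    """Serialize frames as a classic pcap file, cutting each record at snaplen
    exactly as the 'limit each packet to N bytes' capture option does."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        saved = frame[:snaplen]
        out += struct.pack("<IIII", 1000 + i, 0, len(saved), len(frame)) + saved
    return out


def parse_ethernet(data: bytes, wirelen: int) -> Frame:
    """Decode Ethernet (+ optional 802.1Q tag) and the fixed IPv4 header."""
    vlan_id = None
    if len(data) < 14:
        return Frame(wirelen, len(data), None, None, None, None)
    (ethertype,) = struct.unpack_from("!H", data, 12)
    pos = 14
    if ethertype == ETH_P_8021Q:      # tag still present: the NIC did not strip it
        tci, ethertype = struct.unpack_from("!HH", data, pos)
        vlan_id = tci & 0x0FFF
        pos += 4                      # everything after the tag is shifted by 4 bytes
    if ethertype != ETH_P_IP or len(data) < pos + 20:
        return Frame(wirelen, len(data), vlan_id, None, None, None)
    proto = data[pos + 9]
    src = ".".join(str(b) for b in data[pos + 12:pos + 16])
    dst = ".".join(str(b) for b in data[pos + 16:pos + 20])
    return Frame(wirelen, len(data), vlan_id, src, dst, IPPROTO.get(proto, str(proto)))


def read_pcap(blob: bytes) -> Iterator[Frame]:
    (magic,) = struct.unpack_from("<I", blob, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap")
    (linktype,) = struct.unpack_from("<I", blob, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("example only handles Ethernet captures")
    off = 24
    while off + 16 <= len(blob):
        _, _, caplen, wirelen = struct.unpack_from("<IIII", blob, off)
        yield parse_ethernet(blob[off + 16:off + 16 + caplen], wirelen)
        off += 16 + caplen


# The slide's display filters, written as code over parsed frames
def sctp_from(frames: List[Frame], ip: str) -> List[Frame]:     # sctp && ip.src==ip
    return [f for f in frames if f.proto == "sctp" and f.ip_src == ip]


def in_vlan(frames: List[Frame], vid: int) -> List[Frame]:      # vlan.id == vid
    return [f for f in frames if f.vlan_id == vid]


def demo() -> dict:
    """Constructed capture: two tagged SCTP frames plus one TCP frame whose tag
    the NIC stripped, all saved with snaplen 120 as on the Capture Options slide."""
    payload = bytes(200)                                  # padding so truncation shows
    frames = [
        build_frame("10.2.4.9", "10.2.4.1", 132, 123, payload),
        build_frame("10.2.4.1", "10.2.4.9", 132, 123, payload),
        build_frame("10.2.4.9", "10.2.4.1", 6, None, payload),
    ]
    parsed = list(read_pcap(write_pcap(frames, snaplen=120)))
    return {
        "frames": len(parsed),
        "sctp_from_10.2.4.9": len(sctp_from(parsed, "10.2.4.9")),
        "vlan_123": len(in_vlan(parsed, 123)),
        "truncated": sum(1 for f in parsed if f.truncated),
    }


if __name__ == "__main__":
    print(demo())
```

Two practitioner points fall out of the parser. First, a frame whose tag the NIC stripped is indistinguishable from an untagged one once it is in the file, which is why slide 8 recommends changing PC/NIC rather than fixing it afterwards. Second, a capture filter written with byte offsets such as ether[70:2]=0x0014 counts from the start of the frame, so it assumes a fixed header layout: when an 802.1Q tag is present every field after the source MAC moves by 4 bytes and the offset no longer points at the intended field. Truncating at 120 bytes keeps the Ethernet, IP and SCTP/TCP headers but drops most of the payload; caplen versus wirelen in each record shows exactly what was lost.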

