Contents
1. General Overview
2. Wireshark setting user guide
General Overview
Wireshark: Pros vs. Cons
Pros:
Wireshark is free to download and can run on any laptop
Traces can be sent to anyone without converting the file format
Provides a simple but powerful display filter language
Cons:
Wireshark can drop captured packets
Out of memory when capturing large traffic volumes
Some protocol stacks cannot be decoded by Wireshark (e.g. Frame Protocol over Iub)
Software bugs; functionality depends on the laptop's network driver and PC
Equipment installation
Mirroring option: Recommended
[Diagram: access router with a mirroring port; RNC; SGSN/MSC; Iu-PS/Iu-CS and Iub (IP link) traffic carried as Iux over IP on Lp/14, Eth/x and Lp/15, Eth/x over Ethernet fiber; the mirrored copy goes to the PC's ETH card]
If the router does not have an Ethernet port, an Optical-Copper SFP is needed
Equipment installation
Splitter option: one-way traffic from only one GigE interface can be captured
[Diagram: optical splitter on the Ethernet fiber (Lp/14, Eth/x and Lp/15, Eth/x, Iux over IP) between RNCs; the split copy is fed into the PC's Rx slot]
Check list
Confirm the type of fibers (SX/LX) and connectors (LC/FC/SC) needed
Mirroring option (recommended): check that the access routers support port mirroring
The dedicated mirroring port must be configured
Software overview
WinPcap: mandatory for IP sniffing on a laptop; provided together with the Wireshark software
From Wireshark: OK
[Screenshot: Wireshark interface list showing Generic dialup Interface, Gigabit Ethernet Interface, Qualcomm USB Modem]
Workaround
Uninstall the current WinPcap and install the recommended stable WinPcap version
Use another laptop PC (avoid Lenovo ThinkPad if possible)
10 | Wireshark user guide | April 2011
Alcatel-Lucent Internal Proprietary Use pursuant to Company instruction. XXXXX
No tracing is possible if there is a speed mismatch between the PC NIC and the mirroring interface (Fast/Gigabit Ethernet)
Device Manager > Network adapter > Advanced > Link Speed & Duplex
Auto Detect is recommended (default setting)
100 Mbps/1 Gbps and Full duplex is desirable if auto detect does not work; the selected speed depends on the speed of the mirroring interface
Force the mirroring port to the same speed as the network interface card (NIC)
VLAN capture setup issue: with some PC/network interface cards, you will not necessarily see the VLAN tags in packets when capturing on a VLAN
The workaround does not necessarily work for every NIC type, so use another PC/NIC rather than wasting too much time
Icon: start a new live capture; icon: stop the running live capture
Identify the capture interface (in our case, it is a Gigabit network connection)
Capture > Interfaces
Basic, must-know
TCP trace
Essential to display the time-sequence graph to analyze TCP traffic
Usage: detailed analysis of TCP flow control, ACK shapes, spotting retransmissions and losses
Useful only with traces near the TCP data source (FTP server for DL or UE for UL)
Select a data packet (not an ACK packet) and go to Statistics > TCP Stream Graph > Time-Sequence Graph (tcptrace)
Zoom: left-click; unzoom: SHIFT + left-click. Find packet: CTRL + left-click on a packet (the packet will be highlighted). Move the time or sequence number axis: right-click
Throughput graph
Displays the instantaneous throughput calculated by Wireshark. Usage: throughput dynamics (bandwidth changes, etc.). Select a data packet (not an ACK packet) and go to Statistics > TCP Stream Graph > Throughput Graph
RTT graph
Displays the TCP RTT: the delta between a segment and its ACK. Makes sense only at the sender side. Usage: check E2E RTT (this includes buffering time if applicable); check RTT against packet losses (possible overflow); check whether TCP is not filling up the E2E buffers (low RTT = HSPA RTT). Select a data packet (be careful not to choose an acknowledgement packet) and go to Statistics > TCP Stream Graph > RTT Graph
C 200
w filename.pcap (trace file name)
Advantages
Low resource consumption while capturing (low probability of packets being dropped)
Big traces with long duration can be taken with no out-of-memory issue
[Diagram: byte positions in the captured frame: Pos 0, Pos 16, Pos 66, Pos 70, Pos 74]
Capture filter
Note: if the VLAN tag cannot be captured, the filter becomes:
[Diagram: byte positions Pos 0, Pos 32]
Capture filter
udp[32:4]=0xbc2d09c3
Another option to filter the Iu-PS user-plane trace of the UE whose IP address is 188.45.9.195 is udp[28:4]=0xbc2d09c3 or udp[32:4]=0xbc2d09c3
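As an added example (not from the original slides), the Python below builds the slide's capture filter from a UE IP address and evaluates it on a constructed Ethernet/IPv4/UDP/GTP-U frame, so the udp[28:4] (inner source) and udp[32:4] (inner destination) offsets can be checked with and without an 802.1Q tag. The GTP-U port, TEID and addresses are constructed, and the frame assumes the 8-byte GTP-U header that the slide's offsets imply.

```python
import socket
import struct

GTPU_PORT = 2152  # GTP-U carries the Iu-PS user plane over UDP

def ip_to_u32(ip):
    """Dotted IPv4 -> the 32-bit value compared by udp[off:4] (188.45.9.195 -> 0xbc2d09c3)."""
    return struct.unpack("!I", socket.inet_aton(ip))[0]

def ue_capture_filter(ue_ip):
    """Capture filter from the slide: UE address as inner source (udp[28:4]) or inner destination (udp[32:4])."""
    v = ip_to_u32(ue_ip)
    return f"udp[28:4]=0x{v:08x} or udp[32:4]=0x{v:08x}"

def udp_offset(frame):
    """Offset of the UDP header in an Ethernet frame, skipping an 802.1Q tag if present; None if not IPv4/UDP."""
    off = 12
    ethertype = struct.unpack_from("!H", frame, off)[0]
    if ethertype == 0x8100:  # VLAN tag present: in libpcap the 'vlan' keyword performs this same skip
        off += 4
        ethertype = struct.unpack_from("!H", frame, off)[0]
    off += 2
    if ethertype != 0x0800 or frame[off + 9] != 17:
        return None
    return off + (frame[off] & 0x0F) * 4

def matches_ue(frame, ue_ip):
    """Evaluate the filter on a raw frame: udp[28:4] and udp[32:4] are the inner IPv4 src/dst
    (8-byte UDP header + 8-byte GTP-U header + 12 bytes into the inner IPv4 header)."""
    udp = udp_offset(frame)
    if udp is None or len(frame) < udp + 36:
        return False
    inner_src, inner_dst = struct.unpack_from("!II", frame, udp + 28)
    return ip_to_u32(ue_ip) in (inner_src, inner_dst)

def build_gtpu_frame(outer_src, outer_dst, inner_src, inner_dst, vlan_id=None):
    """Constructed sample: Ethernet [802.1Q] / IPv4 / UDP 2152 / GTP-U (8-byte header) / inner IPv4."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, 17, 0,
                        socket.inet_aton(inner_src), socket.inet_aton(inner_dst)) + b"\x00" * 4
    gtp = struct.pack("!BBHI", 0x30, 0xFF, len(inner), 0x12345678)  # v1, PT=1, G-PDU, constructed TEID
    udp = struct.pack("!HHHH", GTPU_PORT, GTPU_PORT, 8 + len(gtp) + len(inner), 0)
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(gtp) + len(inner), 0, 0, 64, 17, 0,
                        socket.inet_aton(outer_src), socket.inet_aton(outer_dst))
    tag = struct.pack("!HH", 0x8100, vlan_id) if vlan_id is not None else b""
    return bytes(12) + tag + b"\x08\x00" + outer + udp + gtp + inner  # zeroed MACs, constructed
```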
Too small a snapshot length (truncated packets) will not contain all the useful header information
Truncating packets (without a capture filter) gives the same out-of-memory issue; statistics (such as data flow rate, throughput) cannot be obtained from packet-truncated traces
Avoids the out-of-memory issue; makes it easy to take traces on a live network (with the possibility of scheduling the capture); the stop-capture options can be used to schedule the capture
File name: Iu_PS_test1
To detect suspected packet loss and retransmission in TCP with Wireshark, use the display filters:
tcp.analysis.retransmission, tcp.analysis.fast_retransmission, tcp.analysis.lost_segment
[Diagram: TCP packets with seq no=123 (not the relative sequence number) as seen at the sniffer points]
The TCP packet with tcp.seq == 123 is sent twice by the UE, and these packets can be seen twice at sniffer 2. But at sniffer 3, we only see the retransmitted packet.
Compare the number of SCTP heartbeat and heartbeat ACK chunks to detect loss of heartbeat packets
Telephony > SCTP > Analyze this Association > Chunk Statistics
Telephony > RTP > Stream Analysis
No RTP loss
Determine the UL transfer throughput: Wireshark does not give the application throughput, which can be calculated as:
App_Thr = Packets * pkt_size * 8 / Duration
[Diagram: server IP address and UE IP address; more than one packet with the same sequence number indicates retransmission; at sniffer 4, seq no=3698364802 (not the relative seq) appears twice and tcp.seq == 3698556853 appears twice]
TCP bad checksum problem: when the checksum is bad, the packet is rejected, hence retransmission. Check the checksum at different network segments.
Checksum at FTP server (computed by Wireshark, the same as the one carried in the packet): 0x3d28
Checksum at CE-RNC (Iu-PS): 0x3d28 [incorrect, should be 0x6f48]
Checksum at UE side: 0x3d1c, 0x3d10
0x3d28 is the checksum value carried inside the packet (added at the FTP server); 0x6f48 is the checksum computed by Wireshark at the CE-RNC side, which differs from the one inside the packet.
=> The TCP checksum error occurred between the FTP server and the CE-RNC (on the Iu-PS interface). Checksum errors are related to IP transmission errors such as toggled, missing or duplicated bits.
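As an added illustration (not from the original slides), the Python below recomputes the TCP checksum the way Wireshark's validation does, over the IPv4 pseudo-header plus the segment with its checksum field zeroed, and shows how a single toggled bit on the path between two sniffer points produces the "[incorrect, should be ...]" mismatch. The addresses, ports and payload are constructed.

```python
import socket
import struct

def internet_checksum(data):
    """RFC 1071 checksum: one's complement of the 16-bit one's complement sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def tcp_checksum(src_ip, dst_ip, segment):
    """Checksum Wireshark computes: IPv4 pseudo-header + segment with its checksum field zeroed."""
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return internet_checksum(pseudo + zeroed)

def verify_tcp_segment(src_ip, dst_ip, segment):
    """Return (value carried in the packet, value Wireshark would compute, ok)."""
    in_packet = struct.unpack_from("!H", segment, 16)[0]
    computed = tcp_checksum(src_ip, dst_ip, segment)
    return in_packet, computed, in_packet == computed

def build_tcp_segment(src_ip, dst_ip, sport, dport, seq, payload):
    """Constructed sample segment (20-byte header, PSH+ACK) with a valid checksum filled in."""
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    segment = header + payload
    csum = tcp_checksum(src_ip, dst_ip, segment)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]

def toggle_bit(segment, byte_index, bit):
    """Model an IP transmission error (a toggled bit) between the FTP server and the CE-RNC sniffer."""
    buf = bytearray(segment)
    buf[byte_index] ^= 1 << bit
    return bytes(buf)
```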
Thank you
1. This slide package is dedicated to VNTelecom folks!
2. If you want to reuse any part of these slides, please contact me beforehand.
Wireshark user guide, April 2011. Author: Vuong Quoc Thinh Nguyen, Alcatel-Lucent