1 00:00:00,000 --> 00:00:08,312 2 00:00:08,312 --> 00:00:13,189 Good morning and welcome back to the Wireshark Foundation class. 3 00:00:13,189 --> 00:00:17,202 In this module, we will talk about Timestamps and Time Values. 4 00:00:17,218 --> 00:00:22,999 Before we begin, just a quick reminder of what we learned about yesterday. 5 00:00:23,024 --> 00:00:28,174 When we use Wireshark, one of the key things we're using Wireshark to do 6 00:00:28,181 --> 00:00:35,322 is to analyze captured data, data that we capture specifically from 7 00:00:35,322 --> 00:00:41,738 strategic points of the network, so that we can analyze it, assess it, 8 00:00:41,750 --> 00:00:48,342 or view what's captured and try to isolate the cause of the problem. 9 00:00:48,342 --> 00:00:52,559 One of the key things that we can do when doing this is to use 10 00:00:52,559 --> 00:00:57,646 a relative time and review the value of time from 11 00:00:57,646 --> 00:01:03,788 when you, let's say, open a web browser to a site 12 00:01:03,785 --> 00:01:07,989 or an application, or you're FTPing some traffic, 13 00:01:07,989 --> 00:01:13,191 or you're trying to figure out why DNS queries might be slow. 14 00:01:13,191 --> 00:01:18,030 Any of these things can be captured with Wireshark, 15 00:01:18,030 --> 00:01:22,298 and when you do that, you're able to look at, 16 00:01:22,298 --> 00:01:26,964 for example, how long it took for something to get from the source to a destination. 17 00:01:26,964 --> 00:01:30,623 So in this module, what we will do is we'll learn about how you can 18 00:01:30,633 --> 00:01:34,161 strategically change things within Wireshark. 19 00:01:34,167 --> 00:01:37,154 We'll take a look at settings and figure out 20 00:01:37,154 --> 00:01:42,409 how long it takes for something to get from a source to a destination. 21 00:01:42,409 --> 00:01:46,035 So essentially, what is a timestamp?
22 00:01:46,021 --> 00:01:50,181 When you open up Wireshark and you begin a capture, 23 00:01:50,181 --> 00:01:56,021 each packet is marked with the time that you're capturing at. 24 00:01:56,021 --> 00:02:00,140 This is not a time that's kept within Wireshark. 25 00:02:00,140 --> 00:02:05,480 It's actually using your system's time to make those timestamps. 26 00:02:05,480 --> 00:02:07,480 So what's important to understand is that 27 00:02:07,480 --> 00:02:11,058 if the time is off on your computer, for example, 28 00:02:11,058 --> 00:02:14,942 your capture data is not going to be accurate. 29 00:02:14,942 --> 00:02:17,870 So one of the things that you probably would like to do 30 00:02:17,870 --> 00:02:23,463 is check and make sure that the time on your system is correct. 31 00:02:23,470 --> 00:02:27,521 And one of the best ways to do this is to use NTP 32 00:02:27,521 --> 00:02:32,674 and configure your system with a solid time source. 33 00:02:32,674 --> 00:02:36,203 And when you do that, you will at least know that 34 00:02:36,203 --> 00:02:40,161 what Wireshark is capturing and timestamping is accurate. 35 00:02:40,161 --> 00:02:44,985 That being said, timestamps are used to 36 00:02:44,985 --> 00:02:47,543 mark the capturing of your packets, 37 00:02:47,543 --> 00:02:50,509 and you can convert them to different time formats, 38 00:02:50,509 --> 00:02:51,859 which we'll do in this module. 39 00:02:51,859 --> 00:02:55,757 We'll take a look at the difference between certain settings 40 00:02:55,757 --> 00:02:59,993 that you could change, and why you would use one over the other, as an example. 41 00:02:59,993 --> 00:03:05,858 So why are we actually doing this? 42 00:03:05,858 --> 00:03:11,349 You are able to see the time delta between captured packets.
43 00:03:11,343 --> 00:03:15,445 So if you, let's say, were to open up a web browser 44 00:03:15,440 --> 00:03:19,838 and try to access a website, you can see, from when you start 45 00:03:19,848 --> 00:03:22,661 to when you finish and every activity in between, 46 00:03:22,652 --> 00:03:26,737 how long it takes to do certain things. A good example would be 47 00:03:26,737 --> 00:03:31,391 if you were accessing a website and you were seeing GET requests, 48 00:03:31,391 --> 00:03:35,628 or you were doing POSTs and you were seeing a long period of time 49 00:03:35,628 --> 00:03:41,773 to complete a function. So what does that actually mean? 50 00:03:41,773 --> 00:03:45,869 That means that, as we learned yesterday in the other modules, 51 00:03:45,863 --> 00:03:49,927 you could potentially be facing quite a few different things. 52 00:03:49,927 --> 00:03:51,927 You can have latency on your network. 53 00:03:51,927 --> 00:03:55,277 There could be IO problems on the web server. 54 00:03:55,277 --> 00:04:00,495 The client could have a lack of memory to be able to handle the requests. 55 00:04:00,495 --> 00:04:03,819 There are so many different things that can be 56 00:04:03,819 --> 00:04:09,776 a problem within that source-to-destination round-trip time 57 00:04:09,775 --> 00:04:14,600 and cause contention and/or problems all the way from the client to the servers. 58 00:04:14,600 --> 00:04:18,171 So just remember that you put on your detective hat 59 00:04:18,166 --> 00:04:20,421 and you have to look at all the things in between 60 00:04:20,432 --> 00:04:23,776 as well as the client and the server. 61 00:04:23,776 --> 00:04:27,819 You want to make sure that you consider that the server could be 62 00:04:27,819 --> 00:04:30,836 N-tier, that there could be multiple layers to that server, 63 00:04:30,836 --> 00:04:33,717 especially with today's web server technology. 64 00:04:33,717 --> 00:04:38,195 Usually it's a front-end web server. It's N-tier technology.
65 00:04:38,195 --> 00:04:40,195 This is generally 2-3 tiers. 66 00:04:40,195 --> 00:04:43,171 Sometimes it's split out into a middleware tier 67 00:04:43,171 --> 00:04:48,277 where you have application-specific functions taking place. 68 00:04:48,271 --> 00:04:53,073 And most websites, if they're complex enough and they're taking orders 69 00:04:53,073 --> 00:04:56,254 or storing information, have a database tier, 70 00:04:56,246 --> 00:04:58,965 and that could also be what's hanging things up. 71 00:04:58,957 --> 00:05:04,791 So just remember, it's not just the simple, it can get into the complex. 72 00:05:04,791 --> 00:05:10,035 So when you open up Wireshark, 73 00:05:10,035 --> 00:05:12,035 and we'll take a look at this now, 74 00:05:12,035 --> 00:05:16,763 you can see you can adjust the time display format. 75 00:05:16,763 --> 00:05:20,146 We're going to get into what each of these values means. 76 00:05:20,146 --> 00:05:28,776 But the time display format, you can adjust it to seconds since beginning of capture, 77 00:05:28,776 --> 00:05:31,488 seconds since previous captured packet, 78 00:05:31,488 --> 00:05:34,339 seconds since previous displayed packet. 79 00:05:34,339 --> 00:05:37,313 And each one of those things is going to show something different. 80 00:05:37,313 --> 00:05:41,612 So as an example, we'll open up Wireshark and we'll take a look. 81 00:05:41,612 --> 00:05:46,662 One of the things that we did here was we did a simple capture, and 82 00:05:46,662 --> 00:05:51,181 what I decided to do here is I just ran a basic capture. 83 00:05:51,181 --> 00:05:54,996 I accessed the website and then I wanted to see the differences 84 00:05:54,994 --> 00:06:00,358 from my client to this destination. 85 00:06:00,358 --> 00:06:07,278 Basic time values here were how long it took me to do a simple request of a webpage. 86 00:06:07,278 --> 00:06:11,479 So as we were talking about before, there are different ways that you can adjust this.
87 00:06:11,479 --> 00:06:17,574 And if you go into View, Time Display Format, 88 00:06:17,574 --> 00:06:25,692 it originally was seconds since beginning of capture, and then I wanted to change it 89 00:06:25,692 --> 00:06:29,920 to seconds since previous captured packet. 90 00:06:29,920 --> 00:06:32,843 Now what this allows me to do is to look at each one of these. 91 00:06:32,843 --> 00:06:36,024 I also looked at the stream, but I wanted to see specifically 92 00:06:36,032 --> 00:06:41,890 how long it was in between each function here in the capture. 93 00:06:41,890 --> 00:06:48,967 So essentially, that's one of the things that we want to do when we're capturing data. 94 00:06:48,967 --> 00:06:54,592 We want to make sure that we are adjusting time to how we want to see it. 95 00:06:54,592 --> 00:06:58,394 And what does that really mean? 96 00:06:58,394 --> 00:07:02,675 So absolute time is the time of day when the packet is captured. 97 00:07:02,675 --> 00:07:07,655 Essentially, one of the things that we want to do is we want to make sure that 98 00:07:07,655 --> 00:07:14,548 we pick the correct function and we want to pick the correct value 99 00:07:14,540 --> 00:07:18,212 for what it is that we want to see. And they're pretty self-explanatory. 100 00:07:18,212 --> 00:07:22,927 So, if I want to see something since the previous captured packet, 101 00:07:22,927 --> 00:07:27,226 it's going to look at the timestamp from the packet 102 00:07:27,226 --> 00:07:30,861 and then the very next one after that and show me the difference, or the delta. 103 00:07:30,861 --> 00:07:35,622 And essentially, if I'm looking at each packet and each packet is performing a function, 104 00:07:35,622 --> 00:07:42,543 that will tell me how long it took to do each one of these functions. 105 00:07:42,543 --> 00:07:47,098 There are different ways that we can do this.
106 00:07:47,098 --> 00:07:51,613 There's an automatic setting, or we can change to specific settings. 107 00:07:51,613 --> 00:07:55,364 With specific settings, we just want to make sure that 108 00:07:55,364 --> 00:07:57,766 we understand what we want to look for. 109 00:07:57,766 --> 00:08:01,496 And we can adjust those as we see fit. 110 00:08:01,496 --> 00:08:06,599 So let's go back to our capture. 111 00:08:06,599 --> 00:08:22,340 In here, we'll do a simple 112 00:08:22,340 --> 00:08:40,201 capture, start it, and what we want to do is we want to go to our website. 113 00:08:40,201 --> 00:08:42,545 I'm going to show you a different tool here, too, so you can look at 114 00:08:42,539 --> 00:08:48,924 a couple of different things here that we will go to. 115 00:08:48,924 --> 00:08:54,476 When we pull up the website, as we can see, there are a couple of different things going on here. 116 00:08:54,476 --> 00:09:00,892 These are a lot of GET requests. 117 00:09:00,892 --> 00:09:06,909 And then we're going to stop our capture. And then we're going to look at 118 00:09:06,909 --> 00:09:12,347 specifically what we just did. So in here, we want to adjust 119 00:09:12,347 --> 00:09:17,123 the time display format to previously displayed. 120 00:09:17,123 --> 00:09:19,123 And we can see from each function 121 00:09:19,123 --> 00:09:27,490 how long it took to do each action on pulling a website. 122 00:09:27,490 --> 00:09:35,433 So, one of the things that we want to remember is when we're doing these types of captures: 123 00:09:35,433 --> 00:09:42,377 what are we looking for? Are we going to check the delta? 124 00:09:42,377 --> 00:09:47,623 When you need to find latency in your network, you would use this type of timestamping. 125 00:09:47,623 --> 00:09:52,746 You can check for application response time. That's what we just did. We wanted to 126 00:09:52,733 --> 00:09:56,291 look at the website and see how fast it responded to our requests.
127 00:09:56,291 --> 00:10:00,093 We want to see if there are any errors in there, like 400 errors. 128 00:10:00,093 --> 00:10:04,510 To do this, we may want to put Wireshark on both sides of the capture. 129 00:10:04,510 --> 00:10:08,585 This is a very simple capture, but if we were doing something where 130 00:10:08,585 --> 00:10:11,039 we were looking at N-tier, and we wanted to see the response 131 00:10:11,045 --> 00:10:13,818 on the database from the web tier, 132 00:10:13,821 --> 00:10:16,212 we may want to put a capture in between that. 133 00:10:16,212 --> 00:10:23,555 Otherwise, we will not see specifically the latency from one tier to the other. 134 00:10:23,555 --> 00:10:28,078 And we might have to filter the data on both hosts, as we just did. 135 00:10:28,078 --> 00:10:32,701 We want to just see the HTTP traffic so we can limit what we see in the capture 136 00:10:32,701 --> 00:10:34,701 and not cause any confusion. 137 00:10:34,701 --> 00:10:43,088 And essentially, we're going to do this type of filtering just to see 138 00:10:43,090 --> 00:10:48,016 specifically how long it took to travel from source to destination 139 00:10:48,016 --> 00:10:51,999 in milliseconds. We can refine that, but 140 00:10:51,999 --> 00:10:55,400 essentially we want to see from source to destination 141 00:10:55,400 --> 00:10:58,149 how long it took to pull up a webpage, 142 00:10:58,149 --> 00:11:01,618 and how quickly it responded. 143 00:11:01,618 --> 00:11:10,026 Question about time: when you capture, it is generally in milliseconds. 144 00:11:10,026 --> 00:11:13,777 You can bring it down to nanoseconds. 145 00:11:13,777 --> 00:11:18,514 One of the common things is not all capture files will be able to show this format.
146 00:11:18,514 --> 00:11:21,533 So when you're capturing data and you're sending it 147 00:11:21,576 --> 00:11:23,576 from place to place and you're sharing it, 148 00:11:23,619 --> 00:11:29,776 if somebody opens it up in a different type of packet analyzer, they may not 149 00:11:29,776 --> 00:11:33,538 be able to specifically read everything that you are sending them. 150 00:11:33,538 --> 00:11:37,357 So just be aware of that. Another concern is time zones. 151 00:11:37,357 --> 00:11:42,689 If it does consider time zones, then if you're sending it around, 152 00:11:42,682 --> 00:11:45,986 it will be something that they can read. 153 00:11:45,987 --> 00:11:49,749 Just be aware, if you're capturing something in a different time zone, 154 00:11:49,749 --> 00:11:52,827 to make sure that you understand that it is from a different time zone, 155 00:11:52,827 --> 00:11:58,661 so that you can re-adjust it manually for yourself 156 00:11:58,660 --> 00:12:03,342 when you're troubleshooting with it. 157 00:12:03,339 --> 00:12:05,704 OK, I was looking in the chat forum and there were a 158 00:12:05,704 --> 00:12:09,403 couple of questions that were asked; let me just review. 159 00:12:09,413 --> 00:12:15,342 OK, so back to the timestamps. 160 00:12:15,342 --> 00:12:18,903 So the question was: you know, when you're doing this stuff, 161 00:12:18,903 --> 00:12:22,255 can you troubleshoot the entire transaction? 162 00:12:22,255 --> 00:12:28,428 Yes, when we get more into the flow graph, we can see the TCP handshake 163 00:12:28,458 --> 00:12:32,247 and how all that stuff works, and we'll be able to look at the timing in between that. 164 00:12:32,247 --> 00:12:39,491 Just as a general rule of thumb, if you pull up your Wireshark capture 165 00:12:39,491 --> 00:12:45,757 and you look at it as we did before, you can see on the left-hand side here 166 00:12:45,757 --> 00:12:48,404 of the window, the time column.
167 00:12:48,396 --> 00:12:53,735 And you could see, as you're doing each piece of the transaction, here's a GET. 168 00:12:53,724 --> 00:12:57,868 So, obviously, it's doing a request and you can see 169 00:12:57,855 --> 00:13:00,169 when it goes through and POSTs, 170 00:13:00,184 --> 00:13:03,419 so you can check to see how long it's taking. 171 00:13:03,419 --> 00:13:08,358 And, generally, anything, you know, over, let's say, 172 00:13:08,358 --> 00:13:14,166 forty or fifty milliseconds to POST something is probably 173 00:13:14,150 --> 00:13:19,548 not very good, depending on your connection. That was also another consideration. 174 00:13:19,548 --> 00:13:25,969 So one of the other tools that we were looking at before we closed out this session was, 175 00:13:25,958 --> 00:13:27,428 and I'll pull this up now, 176 00:13:27,428 --> 00:13:30,917 other tools that you can use to validate 177 00:13:30,917 --> 00:13:35,789 specifically what is being done and what pages are being done. 178 00:13:35,789 --> 00:13:39,102 So, there are tools out there that will allow you 179 00:13:39,102 --> 00:13:42,984 to, you know, pull down the entire cascading style sheet. 180 00:13:42,984 --> 00:13:49,046 There are things that will allow you to accelerate your service 181 00:13:49,032 --> 00:13:52,306 so you're not pulling down a ton of little packets. 182 00:13:52,306 --> 00:13:55,639 There are things that can be done to accelerate this, 183 00:13:55,644 --> 00:13:58,307 to reduce the number of GETs. 184 00:13:58,304 --> 00:14:04,316 So, there are things that can be done to increase the performance here. 185 00:14:04,316 --> 00:14:07,643 But just in Wireshark, in the realm of Wireshark, 186 00:14:07,643 --> 00:14:12,541 if you want to look at the actual data and check out and see what's happening here, 187 00:14:12,541 --> 00:14:18,560 you can validate from one step to the next exactly how long it's taking with timestamps.
188 00:14:18,560 --> 00:14:24,303 So, it's important to understand timestamps. 189 00:14:24,303 --> 00:14:28,622 It's something that will help you when you're troubleshooting because, 190 00:14:28,622 --> 00:14:35,791 as an example, let's say you're looking at a transaction from a client to a server. 191 00:14:35,791 --> 00:14:37,791 One of the things that you could do is 192 00:14:37,791 --> 00:14:41,124 run a Wireshark capture at the client, like we did here. 193 00:14:41,124 --> 00:14:43,723 If you have access, you can run one at the server 194 00:14:43,723 --> 00:14:45,487 and you can do a comparison, 195 00:14:45,487 --> 00:14:51,038 and take a look to see exactly what's going on within a specific span of time 196 00:14:51,038 --> 00:14:54,052 so that you can see where the hang-up might be 197 00:14:54,042 --> 00:14:57,410 or where the performance hit may be. 198 00:14:57,427 --> 00:15:01,310 We were talking again about that performance hit. 199 00:15:01,310 --> 00:15:04,626 One of the key things that we were discussing 200 00:15:04,626 --> 00:15:08,674 and we were talking about, one that I posted in the forum, was that 201 00:15:08,674 --> 00:15:13,902 IO is a big thing. So let's say you have a disk drive on the local server 202 00:15:13,897 --> 00:15:16,731 where the read-write times are poor; 203 00:15:16,731 --> 00:15:23,997 that will potentially show as slow performance when you're accessing a website, 204 00:15:23,997 --> 00:15:28,260 or if the system doesn't have enough memory. 205 00:15:28,260 --> 00:15:32,919 If the NIC is having an issue, let's say it's not on gigabit 206 00:15:32,919 --> 00:15:38,312 and it's on Fast Ethernet, and you see a lot of problems 207 00:15:38,312 --> 00:15:40,825 where it's actually buffering that traffic. 208 00:15:40,825 --> 00:15:43,394 There are a lot of things that you would look at to see 209 00:15:43,404 --> 00:15:47,793 specifically if you had a performance issue outside.
210 00:15:47,808 --> 00:15:53,852 But this, in Wireshark, this example is one of those things 211 00:15:53,852 --> 00:15:58,274 where you may be able to get an understanding of where you need to look. 212 00:15:58,274 --> 00:16:03,742 So as we had mentioned before, if you see long periods of time 213 00:16:03,742 --> 00:16:08,462 or you see tons of GET requests, it might be something where 214 00:16:08,462 --> 00:16:15,369 it's just not able to provide you the paging time, or it's sending way too much traffic 215 00:16:15,369 --> 00:16:19,188 and you're not getting it back in time. 216 00:16:19,188 --> 00:16:22,563 So, those are some of the things that you can check. 217 00:16:22,563 --> 00:16:27,130 Not only capturing it in Wireshark and giving you clues as to where to look, 218 00:16:27,130 --> 00:16:30,530 but specifically, do you have a problem with the client? 219 00:16:30,530 --> 00:16:32,449 Do you have a problem on the server? 220 00:16:32,449 --> 00:16:37,409 You know, do you have a problem in between, on the network? 221 00:16:37,409 --> 00:16:46,458