1
00:00:00,000 --> 00:00:08,457

2
00:00:08,457 --> 00:00:12,859
Statistics and troubleshooting with them is basically

3
00:00:12,859 --> 00:00:16,807
Wireshark takes a whole bunch of information,

4
00:00:16,807 --> 00:00:21,981
provides it to you in a way in summaries or gives you tools so that you can do baselines.

5
00:00:21,978 --> 00:00:25,887
You can get general information about everything that's going on

6
00:00:25,895 --> 00:00:30,540
so that you can make some, some decisions on what you're seeing and

7
00:00:30,540 --> 00:00:35,039
how that is going to affect your troubleshooting process.

8
00:00:35,031 --> 00:00:39,376
So, some of the most helpful ones which we've already touched on

9
00:00:39,376 --> 00:00:41,279
and as we were going through the other modules,

10
00:00:41,279 --> 00:00:44,536
and we will continue to touch on through future modules

11
00:00:44,538 --> 00:00:48,877
and hopefully, you get into the habit of using if you do not do so already

12
00:00:48,877 --> 00:00:57,277
is these summaries and these conversation summaries to show you specifically

13
00:00:57,271 --> 00:01:03,268
what's on your network, what's speaking and where, what it's speaking to.

14
00:01:03,268 --> 00:01:08,001
What's communicating with what and in what direction?

15
00:01:08,001 --> 00:01:16,429
And other important pieces of information such as what protocols are running,

16
00:01:16,429 --> 00:01:20,612
what is, what was captured, helps you build out your filters.

17
00:01:20,612 --> 00:01:25,494
Helps you to come to some conclusions about what may be running on your network.

18
00:01:25,494 --> 00:01:33,366
There is a whole subset of service response time graphs which allows you to plot

19
00:01:33,366 --> 00:01:42,167
specific things, like how, if you're using an application, how it's actually being seen

20
00:01:42,167 --> 00:01:46,356
as a round trip or something of that nature.

21
00:01:46,356 --> 00:01:51,015
And it's plotted on a graph.
You can find this in Statistics.

22
00:01:51,015 --> 00:01:55,017
And you can use your I/O graph where you can add more filters.

23
00:01:55,017 --> 00:01:59,928
And you can use flow graphs so that you can see traffic flow,

24
00:01:59,928 --> 00:02:03,567
traffic flow patterns and this is extremely helpful

25
00:02:03,572 --> 00:02:09,123
when looking at TCP, specifically the TCP handshake.

26
00:02:09,123 --> 00:02:15,848
So, we briefly touched on it before as we were talking about filters

27
00:02:15,848 --> 00:02:20,699
because I thought that it might be relevant to helping you build filters but

28
00:02:20,697 --> 00:02:24,459
this is really where we're going to go into this menu and talk about

29
00:02:24,481 --> 00:02:27,190
what you can find here.

30
00:02:27,237 --> 00:02:32,046
So, on this menu, you could select from about a dozen tools

31
00:02:32,046 --> 00:02:36,201
which will allow you to do some statistical analysis with Wireshark.

32
00:02:36,201 --> 00:02:41,503
And one of the key things here is that

33
00:02:41,507 --> 00:02:43,763
some of the tools that we already talked about

34
00:02:43,768 --> 00:02:48,551
are found on this, in this menu as well as some others

35
00:02:48,551 --> 00:02:54,469
which we'll, we will get into in our future modules as we troubleshoot some specific problems.

36
00:02:54,469 --> 00:02:59,400
For example, if we're looking at some wireless LAN problems,

37
00:02:59,400 --> 00:03:07,573
we will use the wireless LAN traffic option to see specific SSIDs as an example.

38
00:03:07,575 --> 00:03:13,613
But regardless, it should be something that you do get in a habit of using.

39
00:03:13,613 --> 00:03:20,276
Something that you're comfortable with and something that you, you test with

40
00:03:20,275 --> 00:03:23,585
so that you can see specific options that are available.

41
00:03:23,585 --> 00:03:29,436
So what I'll do is I will show you some of the things here that we can do.
42
00:03:29,436 --> 00:03:32,911
So let me clear out my filter from before.

43
00:03:32,911 --> 00:03:36,598
And the first thing I want to do is I want to look at the summary.

44
00:03:36,598 --> 00:03:42,591
So this is my capture summary. It's everything that's in the capture.

45
00:03:42,591 --> 00:03:49,649
As you can see here, what's helpful is the, the name and location

46
00:03:49,651 --> 00:03:52,065
of the file or the capture itself,

47
00:03:52,067 --> 00:03:58,925
how big the capture is, the file format which is pcapng.

48
00:03:58,925 --> 00:04:02,266
We will talk about file formats in the last module.

49
00:04:02,266 --> 00:04:09,217
But what's very important about that module is that there's different formats you can save in

50
00:04:09,217 --> 00:04:13,557
and if you save in the older format such as pcap, as an example,

51
00:04:13,550 --> 00:04:17,507
the capture file comments or packet comments will not

52
00:04:17,515 --> 00:04:20,957
translate over so you may miss some information.

53
00:04:20,959 --> 00:04:26,235
It will tell you date and time again as we've talked about in the future.

54
00:04:26,235 --> 00:04:30,439
I'm sorry, in a, we talked about in the past module.

55
00:04:30,439 --> 00:04:34,429
This is critically important to make sure that the

56
00:04:34,434 --> 00:04:38,132
timing on your system is accurate, maybe use NTP.

57
00:04:38,146 --> 00:04:41,429
Otherwise, you're going to have incorrect time.

58
00:04:41,429 --> 00:04:45,259
How long the capture was, where it was caught, and so on.

59
00:04:45,258 --> 00:04:49,763
So there's a lot of information here that you can glean,

60
00:04:49,763 --> 00:04:54,993
specifically the amount of packets and this is a good one right here,

61
00:04:54,993 --> 00:05:00,023
between first and last packet, your average time in seconds.
62
00:05:00,023 --> 00:05:05,793
Now, where this is playing to being helpful is that if you're just

63
00:05:05,791 --> 00:05:09,821
capturing a simple conversation that you were running

64
00:05:09,822 --> 00:05:13,584
a pre-capture filter on and you knew that you're isolating

65
00:05:13,584 --> 00:05:18,019
that conversation, you might be able to find right there

66
00:05:18,019 --> 00:05:22,165
that that entire conversation took X amount of seconds.

67
00:05:22,165 --> 00:05:29,210
So, there's some things that you could do in, to get the information in here more accurate.

68
00:05:29,210 --> 00:05:36,708
And this could be very helpful in determining some high level causes of an issue.

69
00:05:36,708 --> 00:05:43,969
So also, there's some comments summary, so if you made comments in the packet,

70
00:05:43,969 --> 00:05:48,828
you will be able to pull them there and it's nice because you can either save it as or

71
00:05:48,828 --> 00:05:52,489
copy and save as. You can save this information,

72
00:05:52,489 --> 00:05:54,626
paste it into a report.

73
00:05:54,632 --> 00:06:01,236
You could show address resolution, the protocol hierarchy which we already covered

74
00:06:01,236 --> 00:06:06,320
in a previous module. It'll show you your top talking information,

75
00:06:06,320 --> 00:06:11,063
your data on your network and what protocols were in use.

76
00:06:11,063 --> 00:06:19,191
You can see your conversations. This was critically important

77
00:06:19,191 --> 00:06:25,285
for us to figure out where to apply a conversation filter.

78
00:06:25,285 --> 00:06:30,553
As we mentioned before, we can filter directly on, ok?

79
00:06:30,553 --> 00:06:36,621
Another important statistic is the endpoint list.

80
00:06:36,621 --> 00:06:38,993
You can find what endpoints are in here.

81
00:06:38,993 --> 00:06:43,619
You can search and find what your packet lengths are.
82
00:06:43,619 --> 00:06:47,475
One of the helpful things in here, sorry, open on the wrong screen,

83
00:06:47,475 --> 00:06:53,695
is that when you search for packet lengths, why this could be helpful to you,

84
00:06:53,695 --> 00:07:02,240
is that we essentially would not want a ton of tiny packets on our network.

85
00:07:02,240 --> 00:07:07,593
It just makes everything work harder. It inundates buffers.

86
00:07:07,593 --> 00:07:14,009
What we would rather have is something in a correct MTU size

87
00:07:14,008 --> 00:07:19,092
and or jumbo frames if you have everything enabled across your network.

88
00:07:19,092 --> 00:07:24,700
So it all comes in one conversation and it's not inundated with, you know,

89
00:07:24,700 --> 00:07:30,586
packets to increase I/O. And as you can see, in this summary,

90
00:07:30,594 --> 00:07:32,835
there's actually a lot of little packets.

91
00:07:32,842 --> 00:07:37,838
So that might be something that you want to look at as you're troubleshooting.

92
00:07:37,838 --> 00:07:39,838
You may want to say, well you know what,

93
00:07:39,838 --> 00:07:44,430
maybe poor performance is because there's a lot of small packets.

94
00:07:44,430 --> 00:07:51,830
You can build an I/O graph. This will show you some specific things.

95
00:07:51,830 --> 00:07:55,943
We do a module on this so I don't want to go too deeply into it here.

96
00:07:55,943 --> 00:07:59,795
But you can filter specifically on some traffic,

97
00:07:59,795 --> 00:08:06,308
so I believe there's some HTTP in here and I can see in here some spiking.

98
00:08:06,308 --> 00:08:13,834
So it allows me to, to do things with it so that I can really see

99
00:08:13,834 --> 00:08:19,316
what's going on and I can change the way I see it.

100
00:08:19,316 --> 00:08:26,473
But you can get these, these very quickly from your Statistics menu.

101
00:08:26,477 --> 00:08:34,185
You can do a compare. You can pull up specific HTTP information.
102
00:08:34,185 --> 00:08:39,792
The requests as an example, you can do your TCP

103
00:08:39,792 --> 00:08:43,150
or your UDP streams, graphs from here.

104
00:08:43,150 --> 00:08:47,198
One thing to mention is if you're highlighting a packet

105
00:08:47,206 --> 00:08:50,918
in your packet list pane, and it happens to be

106
00:08:50,924 --> 00:08:58,781
a packet that is TCP, it will be grayed out and you will not be able to see it.

107
00:08:58,789 --> 00:09:02,215
So that may be something that you want to take heed of.

108
00:09:02,215 --> 00:09:10,889
Or if it's UDP, it will allow you to pull up a graph of the actual traffic.

109
00:09:10,897 --> 00:09:14,819
And you can do some statistical analysis on this.

110
00:09:14,819 --> 00:09:20,642
The flow graph, this is very helpful.

111
00:09:20,642 --> 00:09:24,922
We'll just look at all packets at TCP flow.

112
00:09:24,922 --> 00:09:30,388
Well, we'll also have another module on this so we won't get very deep into it but

113
00:09:30,388 --> 00:09:36,521
where this is helpful, it will let you know from what particular IP to another particular IP.

114
00:09:36,521 --> 00:09:43,709
Packet by packet, specifically showing you the time deltas, exactly what's taking place.

115
00:09:43,709 --> 00:09:48,598
So you can see, for example, a large amount of resets

116
00:09:48,598 --> 00:09:51,032
if that's something that was problematic.

117
00:09:51,035 --> 00:09:54,846
Or you may see duplicate ACKs if that,

118
00:09:54,841 --> 00:09:58,695
you believe that it shouldn't be retransmitting as much.

119
00:09:58,695 --> 00:10:02,416
So there's a lot of information that you can glean from in here.

120
00:10:02,416 --> 00:10:11,316
And so on and so forth.
So, we don't want to go deeply into each one of those tools

121
00:10:11,316 --> 00:10:13,316
because we have a separate module on them but

122
00:10:13,316 --> 00:10:19,707
it was something where we wanted to show you that yes, you can, in fact,

123
00:10:19,707 --> 00:10:24,736
pull up some key data and statistics from here.

124
00:10:24,736 --> 00:10:30,194
And you can look at your, your capture as a whole.

125
00:10:30,194 --> 00:10:35,200
And that's essentially what we really want out of, out of this menu, is the tools.

126
00:10:35,200 --> 00:10:39,250
We want to say, ok well, as a whole what does this capture look like

127
00:10:39,250 --> 00:10:44,523
in the realm of protocols, in the realm of errors,

128
00:10:44,523 --> 00:10:49,963
in the realm of objects, in the realm of whatever it is that you want to see

129
00:10:49,963 --> 00:10:54,124
as a menu option, what does it look like as a whole.

130
00:10:54,124 --> 00:11:00,070
And then we can actually drill down from there into key areas of it which is extremely helpful.

131
00:11:00,070 --> 00:11:06,042
It's actually, this is very helpful for when you run a capture for the first time.

132
00:11:06,042 --> 00:11:13,546
A lot of times it would be, it would be suggested that you open this menu up.

133
00:11:13,554 --> 00:11:17,569
And you really take a deep dive into the overall of what's going on.

134
00:11:17,569 --> 00:11:20,874
So that you can then decide how you want to drill down.

135
00:11:20,883 --> 00:11:27,842
This is very helpful for large captures where you may not know exactly what the issue is.

136
00:11:27,844 --> 00:11:31,236
You may not, not even know what's running on the network

137
00:11:31,250 --> 00:11:33,095
because you may not be familiar with it

138
00:11:33,095 --> 00:11:35,095
or you may just not know that it's there.
139
00:11:35,095 --> 00:11:44,531
So, Wireshark will allow you to do statistics,

140
00:11:44,531 --> 00:11:49,149
statistical analysis from the data we find it through the Statistics menu.

141
00:11:49,149 --> 00:11:53,340
And some of the very helpful, very helpful things

142
00:11:53,340 --> 00:11:58,039
we can glean from this menu and its options and its tools,

143
00:11:58,039 --> 00:12:05,703
is what protocols are running on your network that Wireshark has captured from that segment.

144
00:12:05,739 --> 00:12:08,684
What are the top talkers, who's talking the most

145
00:12:08,684 --> 00:12:13,719
and from whom to whom, and is it a one to many or

146
00:12:13,721 --> 00:12:16,066
many to one type conversation?

147
00:12:16,074 --> 00:12:21,935
Is it a unicast, what type of conversation is it?

148
00:12:21,935 --> 00:12:26,690
And we have some tools in there that we will get into

149
00:12:26,697 --> 00:12:29,225
in more detail but we have specific tools

150
00:12:29,245 --> 00:12:36,861
that will allow us to gather more information about the capture that we just took.

151
00:12:36,861 --> 00:12:42,058
Two notes: remember, things may be grayed out.

152
00:12:42,058 --> 00:12:46,546
They'll be grayed out if they're not an option, so if you do not have any wireless traffic,

153
00:12:46,546 --> 00:12:55,407
your wireless LAN or WLAN traffic tool will not be available to you, so

154
00:12:55,407 --> 00:13:02,406
be wary that if it's grayed out it's for a reason, it's because it's not relevant to that capture.

155
00:13:02,406 --> 00:13:09,410
And make sure that as you're going through your capture you're making notes.
156
00:13:09,410 --> 00:13:15,495
You can paste a lot of this stuff into a report or, or export it into a report

157
00:13:15,495 --> 00:13:20,771
to give you an overall baseline of your, your network

158
00:13:20,778 --> 00:13:24,302
operating under good conditions and

159
00:13:24,317 --> 00:13:29,911
if operating at a performance degradation, you can look at both reports

160
00:13:29,911 --> 00:13:34,929
and or both captures and figure out statistically what the differences are.

161
00:13:34,929 --> 00:13:42,482
And lastly, just remember, one of the key aspects of using this tool:

162
00:13:42,482 --> 00:13:47,202
let's find out what's running on our network, what we're capturing.

163
00:13:47,202 --> 00:13:50,807
So that we can then further drill down into it.

164
00:13:50,807 --> 00:13:59,883
If we're not seeing, for example, SNMP, as you do not see in this particular statistics

165
00:13:59,892 --> 00:14:06,544
capture, you may not want to start worrying about how to build filters for it

166
00:14:06,543 --> 00:14:10,033
because it's likely that it's not there in the capture to search for.

167
00:14:10,033 --> 00:14:15,884
So, hopefully that through this module, these tools and learning about them

168
00:14:15,893 --> 00:14:21,013
has made it easier and more efficient for you to use Wireshark.

169
00:14:21,013 --> 00:14:25,339
Alright, so one of the questions in the chat is

170
00:14:25,336 --> 00:14:32,387
do we have scenarios of issues to go through and how we use Wireshark

171
00:14:32,387 --> 00:14:34,387
to come to the conclusion of a problem?

172
00:14:34,387 --> 00:14:41,018
So, if you look at the syllabus, tomorrow is pretty much all that.

173
00:14:41,018 --> 00:14:46,071
We're going to go through voice, HTTP,

174
00:14:46,071 --> 00:14:52,180
FTP, wireless, each module is a problem.

175
00:14:52,180 --> 00:14:55,991
And we'll look at Wireshark and figure out how to solve that problem.
176
00:14:55,991 --> 00:15:01,637
So yes, today I'm prepping that in as we talk about the tools themselves.

177
00:15:01,637 --> 00:15:08,911
So as an example, we did bring up a DNS issue where the client could not communicate.

178
00:15:08,911 --> 00:15:12,363
It was in a large capture full of data.

179
00:15:12,363 --> 00:15:17,222
So we filtered out all the data that we did not need to see

180
00:15:17,222 --> 00:15:22,421
and we isolated the communication and showed the actual failure

181
00:15:22,421 --> 00:15:25,720
of the client being able to resolve DNS.

182
00:15:25,736 --> 00:15:29,345
So, yes, we do have scenarios.

183
00:15:29,364 --> 00:15:34,181
Today will be scenarios that are put into the modules.

184
00:15:34,181 --> 00:15:38,183
Whereas tomorrow, the modules, each one of them is a scenario.

185
00:15:38,183 --> 00:15:42,343
So I hope that helps answer your question.

186
00:15:42,343 --> 00:15:46,500
Packet loss is a little tricky to capture.

187
00:15:46,500 --> 00:15:48,500
Wireshark will give you clues.

188
00:15:48,500 --> 00:15:52,550
One of the things that we're going to talk about in the next module is using the flow graph

189
00:15:52,550 --> 00:15:56,007
which actually, the timing of that question is perfect

190
00:15:56,007 --> 00:15:59,470
because the flow graph is going to be able to show you

191
00:15:59,483 --> 00:16:06,775
specifically when you pick the TCP flow, how well it's performing,

192
00:16:06,783 --> 00:16:11,080
how well your application is performing. So for example, if you're trying to

193
00:16:11,080 --> 00:16:15,575
send a request to pull a webpage

194
00:16:15,575 --> 00:16:20,659
and you see in the capture that the data keeps retransmitting

195
00:16:20,659 --> 00:16:22,659
or you're getting duplicate ACKs or

196
00:16:22,659 --> 00:16:25,837
you're seeing a lot of retransmissions,

197
00:16:25,837 --> 00:16:31,018
it's likely that, that something may be getting dropped somewhere.
198
00:16:31,018 --> 00:16:35,878
It could be something else but there's a way to, to isolate that

199
00:16:35,881 --> 00:16:38,660
and the clue that, the clues that you're going to get

200
00:16:38,682 --> 00:16:40,902
may be from Wireshark's flow graph.

201
00:16:40,902 --> 00:16:44,002
So, we're going to get into that in the next section

202
00:16:44,002 --> 00:16:45,351
but just real quick,

203
00:16:45,351 --> 00:16:49,102
when you go to the Statistics menu, when you pull up flow graph,

204
00:16:49,102 --> 00:16:53,940
you can take a look at either all or displayed packets, the TCP flow,

205
00:16:53,940 --> 00:17:00,964
and it will show you a very detailed view

206
00:17:00,964 --> 00:17:04,625
of exactly what's going on from source to destination.

207
00:17:04,625 --> 00:17:08,719
There's actually multiple IPs up here, source to destination.

208
00:17:08,719 --> 00:17:10,719
That's what the arrow is showing you.

209
00:17:10,719 --> 00:17:13,158
And it will show all the TCP communication.

210
00:17:13,158 --> 00:17:17,340
Here I have a bunch of resets which could be an issue.

211
00:17:17,340 --> 00:17:21,612
If you see a ton of resets coming back, there's obviously something wrong there.

212
00:17:21,612 --> 00:17:30,098
If I see constant duplications of an ACK, that may be because something's getting dropped

213
00:17:30,098 --> 00:17:34,929
and it has to resend it. So, there's some granular filters

214
00:17:34,929 --> 00:17:39,567
you can look, put in which we covered in another Q&A section.

215
00:17:39,567 --> 00:17:43,783
Or you can use something such as the flow graph

216
00:17:43,783 --> 00:17:48,124
to try to figure out what's going on from one IP to another IP.

217
00:17:48,124 --> 00:17:50,698
And see if that gives you a hint.
218
00:17:50,698 --> 00:17:57,793
You can also go to the Analyze menu and look at the Expert

219
00:17:57,793 --> 00:18:01,564
where it may tell you, as an example,

220
00:18:01,564 --> 00:18:04,367
that you have duplicate acknowledgements.

221
00:18:04,367 --> 00:18:06,158
And you have many of them.

222
00:18:06,158 --> 00:18:12,723
They may be coming from the same IP, source to destination.

223
00:18:12,723 --> 00:18:18,116
We have tons of suspected retransmissions, that may be an issue.

224
00:18:18,116 --> 00:18:22,081
We can have windowing problems where buffers are overloaded.

225
00:18:22,081 --> 00:18:29,869
So, all of these things basically could relate to packet loss.

226
00:18:29,869 --> 00:18:35,877
And the more that you dig into the tool and figure out specifically from one IP to another

227
00:18:35,877 --> 00:18:38,830
where you may think there's a performance issue

228
00:18:38,830 --> 00:18:44,009
by isolating retransmissions, duplicated acknowledgements,

229
00:18:44,009 --> 00:18:49,567
windowing problems. If you see all this stuff from something that's performing poorly

230
00:18:49,567 --> 00:18:54,991
it's likely that you may have some, some packet loss.

231
00:18:54,991 --> 00:19:02,918