Wireshark, Tcpdump and Network Performance Tools
Sachidananda Sahu
AGENDA
• INTRODUCTION
• WHY AND HOW TO ANALYZE PACKETS?
• FUNDAMENTALS OF ANALYSING NETWORK PACKETS
• PACKET ANALYSIS TOOLS TCPDUMP, TSHARK AND WIRESHARK
• WIRESHARK DESIGN FRAMEWORK
• ANALYZING PROTOCOL USING WIRESHARK
• FILTERS AND STATISTICS IN WIRESHARK
• FUNDAMENTALS OF MEASURING NETWORK PERFORMANCE
• NETWORK PERFORMANCE MEASUREMENT TOOLS BMON, IPERF
• Q & A
• CONCLUSION
• REFERENCES
Radisys Corporation - CONFIDENTIAL
Introduction
• In the present era most devices are connected to the internet.
• They should always be AVAILABLE
• They should always be RELIABLE
• They should always PERFORM well
• Consider a simple home network
• Consider this real-world complex network
• Think about a situation where there is a problem in one device
• So we need tools
• which can help us debug, monitor and analyze the data,
• and which can also measure performance and give us statistical info.
Image Source: makeuseof.com
Image Source: afnog meet
Why and How to Analyze Packets?
Why analyze?
Analyze network problems
Detect intrusion attempts
Identify network misuse
Content monitoring
Bandwidth usage analysis
Gathering network status
How to analyze?
Sniff the packets
Analyze the protocols/packets
Monitor the packets
Which tools?
Tcpdump, Tshark, Wireshark
Nagios, Splunk, Total Network Monitor
And many more …
Fundamentals of analyzing network packets
Visualization of a packet in a system (figure: Switch, NIC, OS buffer, Application buffer, Disk)
Visualization of data at different layers (figure: nested encapsulation, like a Matryoshka doll)
Places to analyze a packet
Packet Analysis Tools: common points
They act as protocol analyzers.
They understand the protocols and show us the traffic packet by packet.
They relate packets to each other to give information about packet sequences.
They apply filters so we can analyze only the packets of interest.
Tcpdump
Unix-based command-line tool used to intercept packets.
Supports most protocols: tcp, udp, icmp and many more …
Tshark
Also a Unix-based command-line tool.
Similar to tcpdump in behavior and options.
Also supports extra protocols and new options.
Wireshark
Graphical version of Tcpdump/Tshark.
Wireshark has both a Qt version and a GTK version of the GUI.
Wireshark Design Framework
Wireshark Traffic Handling
Wireshark System Overview
For the love of Command Line …
Tcpdump/tshark options
-D: show all available interfaces
-i <interface>: capture on the given interface
tcpdump -i any <protocolname>
-w <FileToWrite>: write the raw capture to a file
-r <ReadFromFile>: read packets from a saved capture file
-Y <protocolname>: tshark display filter
-c <No of packets>: stop after this many packets
-V: show all information about the packets (full packet details)
capinfos <capture filename>: summary of a capture file
tcpdump -i <interface> host <ipaddress>
-q -z expert: shows details of packet statistics (tshark)
-q -z expert,error
-q -z expert,hosts
-q -z io,stat,5
For the love of Graphical Interface …
Packet List Panel
Packet Details Panel
Packet Byte Panel
Packet Filter
Let’s start Wireshark and see the packets you are sending and receiving in your system …
Analyzing a TCP Based Application
Fields of interest
• Source IP
• Source Port
• Destination IP
• Destination Port
• Data Transmitted
Image Source: superuser.com
Wireshark Filters
Tools generally capture packets of all types (protocol/host/port etc.), most of which we are not interested in.
Filtering lets us capture/view only the packets of interest.
Capture Filter
Captures only the packets of interest; applied during the capture phase only.
Used to reduce the size of a raw packet capture.
A capture filter is exactly what we pass on the tcpdump/tshark command line:
tcpdump <protocolname>
Capture -> Capture Filters : add/delete or select predefined filters
host 192.168.10.2
tcp src port 9000
tcp port 9000 and not src host 192.168.10.2
Display Filter
Captures everything but shows only the packets of interest; applied after capturing.
Used to hide packets from the packet list.
A display filter can be applied at any time in the Wireshark GUI.
ip.addr == 192.168.10.2
tcp.port in { 80,12000, 24 }
tcp.port == 80 || tcp.port == 12000 || tcp.port == 24
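To make the "fields of interest" and the display-filter semantics above concrete, here is an added example (not from the original slides): it decodes source/destination IP, ports and data from a raw IPv4/TCP packet and then applies the slide's display filters to a constructed four-packet capture. The packets, addresses and ports are constructed for the demo; Ethernet headers and checksums are left out for brevity.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

@dataclass
class TcpPacket:          # the "fields of interest" from the slide
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes

def parse_ipv4_tcp(frame: bytes) -> TcpPacket:
    """Decode src/dst IP, src/dst port and data from a raw IPv4+TCP packet (no link layer)."""
    if frame[0] >> 4 != 4 or frame[9] != 6:          # version nibble, protocol field
        raise ValueError("not an IPv4/TCP packet")
    ihl = (frame[0] & 0x0F) * 4                        # IPv4 header length in bytes
    total_len = struct.unpack("!H", frame[2:4])[0]
    src_ip, dst_ip = str(IPv4Address(frame[12:16])), str(IPv4Address(frame[16:20]))
    tcp = frame[ihl:total_len]
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4                      # TCP header length in bytes
    return TcpPacket(src_ip, src_port, dst_ip, dst_port, tcp[data_off:])

def build_packet(src_ip, src_port, dst_ip, dst_port, payload: bytes) -> bytes:
    """Constructed test input: 20-byte IPv4 header + 20-byte TCP header, checksums left zero."""
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return ip + tcp

# Constructed capture: an HTTP exchange, a port-12000 probe and the start of a TLS handshake.
CAPTURE = [
    build_packet("192.168.10.2", 51000, "10.0.0.5", 80, b"GET / HTTP/1.1\r\n"),
    build_packet("10.0.0.5", 80, "192.168.10.2", 51000, b"HTTP/1.1 200 OK\r\n"),
    build_packet("192.168.10.7", 40000, "10.0.0.5", 12000, b"ping"),
    build_packet("192.168.10.7", 40001, "10.0.0.9", 443, b"\x16\x03\x01"),
]

# The slide's display filters expressed as predicates over decoded packets.
def ip_addr_eq(addr):            # ip.addr == 192.168.10.2  (matches either direction)
    return lambda p: addr in (p.src_ip, p.dst_ip)

def tcp_port_in(ports):          # tcp.port in { 80,12000, 24 }  (matches either port)
    return lambda p: p.src_port in ports or p.dst_port in ports

def apply_display_filter(frames, predicate):
    """Display-filter semantics: every frame stays in the capture, only matches are shown."""
    return [p for p in map(parse_ipv4_tcp, frames) if predicate(p)]
```

A capture filter such as "tcp port 9000 and not src host 192.168.10.2" works the same way on the predicate side, but it runs before the frame is written, so non-matching frames never reach the capture at all.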
Wireshark Statistics
Wireshark provides a wide range of network statistics, for example:
Number of captured packets in a session
Number of packets of a specific protocol (e.g. HTTP requests and responses) captured
Statistics -> Summary - overall summary of the packet capture
Statistics -> Protocol Hierarchy - breakdown of the various protocols
Statistics -> Conversations - list of each individual “conversation” between endpoints
Statistics -> Endpoints - list of source and destination addresses
Statistics -> Service Response Time - displays the time between a request and its response
Statistics -> Flow Graph - shows the flow of traffic
Fundamentals of measuring network performance
Network performance measurement is the analysis and review of collective network statistics to define the quality of the services offered by the underlying computer network.
It helps to review, measure and improve the network services.
Broadly, network performance is measured by reviewing the statistics and metrics of the following parameters:
Speed
Bandwidth
Network delay
Latency
Data loss
Throughput
Fundamentals of measuring network performance
Terms for network performance and monitoring
Speed - data rate of the available circuitry
Network bandwidth or capacity - available data transfer capacity
Network throughput - amount of data successfully transferred over the network in a given time
Network delay, latency and jitter - any network issue causing packet transfer to be slower than usual
Data loss and network errors - packets dropped or lost in transmission and delivery
Packets per second - number of packets per second that can be processed before data is dropped
Connections per second - rate at which a device can establish state for new connections
Transactions per second - number of complete actions of a particular type that can be performed per second
Maximum concurrent connections - total number of sessions (connections) for which a device can maintain state simultaneously
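The metrics above are what a tool like iperf reports for a UDP run. As an added example (not from the slides or from iperf itself), the functions below compute throughput, data loss, mean one-way delay and interarrival jitter from a constructed send/receive log of ten datagrams; the timestamps, sizes and loss pattern are made up for the demo, and the delay figure assumes synchronised sender and receiver clocks.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Datagram:
    seq: int                # sender sequence number
    size: int               # bytes on the wire
    sent: float             # sender timestamp, seconds
    recv: Optional[float]   # receiver timestamp, None if the datagram was lost

def throughput_bps(datagrams, duration_s):
    """Bits per second actually delivered over the measurement window."""
    delivered = sum(d.size for d in datagrams if d.recv is not None)
    return delivered * 8 / duration_s

def loss_percent(datagrams):
    """Data loss: lost datagrams as a percentage of those sent."""
    lost = sum(1 for d in datagrams if d.recv is None)
    return 100.0 * lost / len(datagrams)

def mean_delay_ms(datagrams):
    """Mean one-way delay (latency); assumes sender and receiver clocks are synchronised."""
    delays = [d.recv - d.sent for d in datagrams if d.recv is not None]
    return 1000.0 * sum(delays) / len(delays)

def jitter_ms(datagrams):
    """Interarrival jitter with the RFC 3550 estimator: J += (|D| - J)/16, where
    D = (recv_i - recv_prev) - (sent_i - sent_prev) over consecutively arrived datagrams."""
    arrived = [d for d in datagrams if d.recv is not None]
    j = 0.0
    for prev, cur in zip(arrived, arrived[1:]):
        transit_diff = (cur.recv - prev.recv) - (cur.sent - prev.sent)
        j += (abs(transit_diff) - j) / 16
    return 1000.0 * j

def report(datagrams, duration_s):
    """Summarise a run in the terms the slide lists."""
    return {"throughput_bps": throughput_bps(datagrams, duration_s),
            "loss_pct": loss_percent(datagrams),
            "delay_ms": mean_delay_ms(datagrams),
            "jitter_ms": jitter_ms(datagrams)}

# Constructed sample: ten 1470-byte datagrams sent every 10 ms over a 100 ms window;
# seq 3 is lost, seq 2 arrives early and seq 5 late, so delay varies and jitter is non-zero.
SENT = [i * 0.010 for i in range(10)]
RECV = [0.020, 0.030, 0.032, None, 0.060, 0.075, 0.080, 0.090, 0.100, 0.110]
SAMPLE = [Datagram(i, 1470, SENT[i], RECV[i]) for i in range(10)]
```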
Tools for measuring network performance and monitoring
bmon, iperf, iftop, vnstat , nload etc … and more at http://www.slac.stanford.edu/xorg/nmtf/nmtf-tools.html
bmon
It’s a text-based bandwidth monitor and rate estimator that collects bandwidth-related statistics and displays them visually on the command line.
Installing
sudo apt-get install bmon
Repo : https://github.com/tgraf/bmon
man bmon
Options
-p : select specific interface(s)
-r : read interval from the input source
-R : rate update interval per counter
Input modules
Netlink, Proc, Netstat
Output modules
Curses, Ascii, Format, Null
Usage
bmon -p eth0,eth1
bmon -p eth0 -R 5
bmon -p eth*,!eth2
iperf
It measures the bandwidth and quality of a network link. Jperf does the same with an additional graphical interface.
It creates TCP, UDP and SCTP data streams with tunable parameters and gives an idea of the network’s bandwidth, delay, jitter and data loss.
The currently maintained version is iperf3.
source code https://github.com/esnet/iperf
sudo apt-get install iperf3
iperf3 options
-s run as server
-c run as client
-t test duration
-i periodic interval for reports
-f [kmKM] output format
-d, -r bi-directional bandwidths
-p specific port number
-w TCP window size
-b bandwidth setting
-u use UDP
-M maximum segment size
-P parallel streams
iperf usage
Usage
iperf3 -s
iperf3 -c <serverIp>
iperf3 -c <serverIp> -f K
iperf3 -c <serverIp> -r
iperf3 -c <serverIp> -d
iperf3 -c <serverIp> -t 15
iperf3 -c <serverIp> -i 2
iperf3 -c <serverIp> -w 1200
iperf3 -c 10.1.1.1 -P 2
iperf3 -s -p 8001
iperf3 -c <serverIp> -p 8001
iperf3 -c <serverIp> -u -b 1M
iperf3 -s
iperf3 -c <serverIp> -M 1300 -m
iperf3 -s -u
Q & A
Conclusion
Tools help us debug the network better.
Tools help us understand the problem.
Tools help us know the current performance.
Tools help us know about usage and utilization.
Tools help us know about any security issues present in the network.
Tools help us experiment with new network technologies.
References
www.wireshark.com
www.iperf.fr
https://www.tecmint.com/
http://www.cisco.com/c/en/us/about/security-center/network-performance-metrics.html
https://openmaniak.com/
SharkFest 2014, Andrew Brown
Man page of tcpdump, wireshark, bmon, iperf
Cliff Zou’s wireshark lecture
Rich Macfarlane’s Lab
Packet analysis using wireshark by Lisa Bock, Pennsylvnia College of Tech.
Wireshark 101 ppt By Ravi Bhoraskar & book by Laura Chappell
Some images, texts borrowed/stolen generously from all over the internet
and some personal experience …
Life is easy with wireshark …
Happy Wiresharking
Thank You