- Where to capture matters
- Capturing on the host machine is not good: those are not the real packets on the wire
- Wireshark setup:
  - Must have time delta
  - TCP: seq + tcpLen = nextSeq, ACK
  - TCP: winSize (must have); the scale number is only in the 3-way handshake
  - TCP: bytes in flight
Sources:
- A YouTube video - Using Wireshark to Solve Real Problems for Real People (by Kary Rogers)
- packetbomb.com
- packetbomb.com's "Fundamental Course"
Takeaways:
- Packet capture:
  - Where matters:
    - Close to the source of the complaint: capture all traffic without a filter. If doing this inside the network, you have to find a smart way, because there is too much traffic.
    - Near the servers; if they are outside your domain, at the edge where the traffic leaves.
    - Both, if possible.
  - How to capture:
    - On the client machine: NOT a good idea
      - wireshark, tcpdump, windump
      - easy, but not the real traffic on the wire. Why?
        - application -- kernel's TCP/IP stack -- pcap (where Wireshark captures) -- NIC -- network
        - for example, you see the packet before segmentation
    - SPAN/Mirror
    - TAP
    - Hub??
- Wireshark setup (on my Mac, Wireshark 2.14)
  - Wireshark -> Preferences
    - Layout
    - Name Resolution: MAC, protocol name, IP addr.
    - Protocols -> TCP
  - Columns:
    - [] means data not in the packet but calculated by Wireshark
    - 1. Add [Time delta from previous displayed frame] as a column
      - right-click the field == Apply as Column
    - 2. Add TCP's Seq, Len, NextSeq and ACK as columns.
      - Easy to see if a packet is lost
    - 3. Add TCP's window size
      - The scale factor is ONLY in the 3-way handshake, e.g. x 256
    - 4. Add "Bytes in flight"
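As an added example (my own code, not from the video or from packetbomb's course), the script below recomputes the four calculated "[...]" columns from the notes (time delta, nextSeq = seq + len, scaled window size using the shift learned in the 3-way handshake, bytes in flight) over a small constructed trace, flags a seq gap that would show a lost segment, and flags any frame larger than the MTU, which is the telltale of a host-side capture: the frame was captured above the NIC, before segmentation, so it could never have been on the wire. The `Pkt` record, the MTU/header constants and the sample packets are assumptions of mine, not Wireshark output.

```python
"""Recompute Wireshark-style calculated TCP columns from constructed packet
records and flag frames that could not have been on the wire.
Added example for these notes; field names and the sample trace are assumptions."""
from dataclasses import dataclass
from typing import List, Optional

MTU = 1500          # assumed Ethernet MTU
IP_TCP_HDR = 40     # assumed IPv4 + TCP header size, no options


@dataclass
class Pkt:
    ts: float                       # capture timestamp, seconds
    src: str
    dst: str
    seq: int
    ack: int
    tcp_len: int                    # TCP payload bytes
    win: int                        # raw 16-bit window field
    flags: str                      # "S", "SA", "A", "F", ...
    ws_shift: Optional[int] = None  # window-scale option, SYN/SYN-ACK only


def analyze(pkts: List[Pkt]) -> List[dict]:
    shift = {}      # sender -> window scale shift learned in the handshake
    expected = {}   # sender -> next seq we expect from it (gap detection)
    last_ack = {}   # sender -> highest ack it has sent so far
    rows, prev_ts = [], None
    for i, p in enumerate(pkts, 1):
        syn, fin = "S" in p.flags, "F" in p.flags
        if syn and p.ws_shift is not None:
            shift[p.src] = p.ws_shift           # scale option only appears here
        # SYN and FIN each consume one sequence number, as in Wireshark's nextSeq
        next_seq = p.seq + p.tcp_len + syn + fin
        # Gap: data arrives with a seq beyond what the sender's last nextSeq predicted
        gap = p.tcp_len > 0 and p.src in expected and p.seq > expected[p.src]
        expected[p.src] = max(expected.get(p.src, 0), next_seq)
        # The SYN's own window is unscaled; every later segment is shifted
        win_scaled = p.win if syn else p.win << shift.get(p.src, 0)
        last_ack[p.src] = max(last_ack.get(p.src, 0), p.ack)
        # Bytes in flight: sent but not yet acked by the peer (data segments only)
        peer_acked = last_ack.get(p.dst, p.seq)
        bytes_in_flight = next_seq - peer_acked if p.tcp_len > 0 else 0
        delta = 0.0 if prev_ts is None else round(p.ts - prev_ts, 6)
        prev_ts = p.ts
        rows.append({
            "no": i, "delta": delta, "seq": p.seq, "len": p.tcp_len,
            "next_seq": next_seq, "ack": p.ack, "win_scaled": win_scaled,
            "bytes_in_flight": bytes_in_flight, "gap": gap,
            # larger than the MTU: captured before the NIC segmented it
            "oversized": p.tcp_len + IP_TCP_HDR > MTU,
        })
    return rows


def sample_packets() -> List[Pkt]:
    """Constructed trace: handshake with window scaling, two full-size data
    segments, one ACK, then an oversized segment only a host capture would show."""
    return [
        Pkt(0.000, "C", "S", 1000, 0, 0, 65535, "S", ws_shift=8),     # x256
        Pkt(0.010, "S", "C", 5000, 1001, 0, 28960, "SA", ws_shift=7),  # x128
        Pkt(0.020, "C", "S", 1001, 5001, 0, 229, "A"),
        Pkt(0.021, "C", "S", 1001, 5001, 1460, 229, "A"),
        Pkt(0.022, "C", "S", 2461, 5001, 1460, 229, "A"),
        Pkt(0.040, "S", "C", 5001, 3921, 0, 235, "A"),
        Pkt(0.041, "C", "S", 3921, 5001, 2920, 229, "A"),
    ]


if __name__ == "__main__":
    for row in analyze(sample_packets()):
        print(row)
```

Segment 7 shows why the notes say host captures are misleading: a 2920-byte TCP payload cannot fit in one Ethernet frame, so its presence in a pcap means the capture sat between the kernel and the NIC; a SPAN or TAP capture of the same transfer would show two 1460-byte segments instead.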