How to use Wireshark to capture a packet trace
This document (3892415) is provided subject to the disclaimer at the end of this document.
Environment
Situation
How to obtain a packet trace suitable for analysis by SUSE Support.
Resolution
Wireshark is a tool that allows packet traces to be sniffed, captured and analysed. Before Wireshark (or in general, any packet capture tool) is used, careful consideration should be given to where in the network packets are to be captured. Refer to the capture setup pages in the wireshark.org wiki for technical details on various deployment scenarios. If it is unclear which deployment scenario should be used to capture traces for a particular problem, consider opening a service request with SUSE Technical Services for assistance.
Obtain appropriate Wireshark package
Obtain a Wireshark package or installer for the operating system running on the system which is to be used for packet capture.
Wireshark is included in SUSE Linux products (for some products, under its old name, Ethereal). For other platforms, download a binary or installer from http://www.wireshark.org. With installers, ensure all product components are selected for installation.
Start Wireshark
Start Wireshark. In a Linux or Unix environment, select the Wireshark (or Ethereal) entry in the desktop environment's menu, or run "wireshark" (or "ethereal") from a terminal emulator. Capturing needs raw access to the network interface; rather than running the whole GUI as root, the Wireshark project recommends granting only the capture helper dumpcap the needed rights (on many distributions, including SUSE, by adding the user to the wireshark group; otherwise by setting the cap_net_raw and cap_net_admin capabilities on dumpcap) and running wireshark as an ordinary user. In a Microsoft Windows environment, launch wireshark.exe from C:\Program Files\Wireshark.
Note that on Linux and Unix systems a command-line version of Wireshark called "tshark" (or "tethereal"), and the capture helper "dumpcap", may be available as well. They take the same capture options (interface, output file, ring buffer, snapshot length) and are the practical choice on headless servers, but their use is beyond the scope of this document.
Configure Wireshark
After starting Wireshark, do the following:
- Select Capture | Interfaces
- Select the interface on which packets need to be captured.
- If capture options need to be configured, click the Options button for the chosen interface. Note the following recommendations for traces that are to be analysed by SUSE Technical Services:
- Capture packets in promiscuous mode: This option makes the adapter accept all frames it sees, not just those addressed to this workstation. It should be enabled. Note that on a switched network it only helps if the traffic actually reaches the capturing port (see the note on port mirroring below); promiscuous mode cannot make a switch forward other hosts' unicast traffic.
- Limit each packet to: Leave this option unset. It caps the number of bytes saved per frame (the snapshot length); SUSE Support will always want to see full frames, and a truncated trace cannot be repaired afterwards.
- Filters: Generally, SUSE Support prefers an unfiltered trace. Keep in mind that an unfiltered trace records everything the interface sees, including any credentials or other sensitive data sent in clear text, so review what was captured before sending it outside the organisation.
- Capture file(s): This allows a file to be specified to be used for the packet capture. By default Wireshark will use temporary files and memory to capture traffic. Specify a file for reliability.
- Use multiple files, Ring buffer with: These options should be used when Wireshark needs to be left running and capturing data for a long period of time. The number of files is configurable. When a file fills up, Wireshark wraps to the next file, and once all files are used the oldest one is overwritten. A file name must be specified if the ring buffer is to be used.
- Stop capture after xxx packet(s) captured: SUSE Technical Support would most likely never use this option. Leave disabled.
- Stop capture after xxx kilobyte(s) captured: SUSE Technical Support would most likely never use this option. Leave disabled.
- Stop capture after xxx second(s): SUSE Technical Support would most likely never use this option. Leave disabled.
- Update list of packets in real time: Disable this option if the problem that is being investigated is occurring on the same workstation as where Wireshark is running; updating the display for every packet costs CPU and can itself change the behaviour being observed.
- Automatic scrolling in live capture: Wireshark will scroll the window so that the most current packet is displayed.
- Hide capture info dialog: Disable this option so that you can view the count of packets being captured for each protocol.
- Enable MAC name resolution: Wireshark contains a table to resolve MAC addresses to vendors. Leave enabled.
- Enable network name resolution: Wireshark will issue DNS queries to resolve IP addresses to host names, and will also attempt to resolve network names for other protocols. Leave disabled; the lookups add extra traffic to the trace and slow the display.
- Enable transport name resolution: Wireshark will attempt to resolve transport names. Leave disabled.
- Now click the Start button to start the capture.
- Recreate the problem. The capture dialog should show the number of packets increasing. If not, stop the capture and examine the interface list: pick the interface that is not associated with the WAN IP address. On Windows it will probably be shown as a long alphanumeric device identifier. If packets are still not being captured, try removing any capture filters that have been defined.
- Once the problem which is to be analyzed has been reproduced, click on Stop. It might take a few seconds for Wireshark to display the packets captured.
If the destination address is always displayed as FFFFFFFF (IPX) or is always a broadcast address (IP: 255.255.255.255, or the subnet broadcast such as x.x.x.255 on a /24 network), then all that has been captured is broadcast traffic. This is a useless trace.
This usually occurs when another machine is being traced from a third system (for example, starting the capture while the target machine is powered off, in order to capture its boot-up process). On a switched network the sniffing system only sees broadcasts and its own traffic. The capture setup needs to be reconsidered: port mirroring on the switch may need to be set up, or a dumb hub may need to be used to make the traffic reach the sniffing system. (Some devices advertised as "hubs" are in fact switches that prevent the workstations from seeing each other's packets; with these, getting a good trace may not be possible.) The Wireshark website has a good FAQ on this subject. Please refer to http://www.wireshark.org/faq.html#q7.1
- Save the packet trace in any supported format. Just click on the File menu and select Save As. Older Wireshark versions save in libpcap format by default, giving a file with a .pcap extension; recent versions default to pcapng (.pcapng), and libpcap can be selected explicitly in the Save As dialog. Use the libpcap (.pcap) format for files sent to SUSE.
- Create a trace_info.txt file with the IP and MAC address of the machines that are being traced as well as any pertinent information, such as:
- What is the problem? (when did it start? steps to reproduce? any other pertinent information)
- What steps were traced?
- Give names of the servers and files being accessed.
- If analysis of the trace has already been attempted, please provide SUSE Support with analysis notes.
For example: Packets 1-30 are boot. Packets 31-500 are login. Packets 501-1,000 are my application loading. Packets 1,001-1,500 are me saving my file. The error occurred at approximately packet 1,480.
- Give the MAC addresses of the hardware involved (workstation, servers, printers ...).
- What is the workstation OS and configuration?
- What version of client software is running?
- If it works with one version of the client (or a particular server patch), then get a trace of it working, and a trace of it not working.
- What patches have been applied?
- What is the configuration of the network? Are there routers involved? If so, what kind of routers?
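The following script is an added example, not part of this SUSE document and not SUSE or Wireshark code. It performs, on a saved trace, the checks described above before the file is sent in: that no frame was cut short by "Limit each packet to", and that the trace is not broadcast-only. It also lists the MAC and IPv4 addresses seen, which trace_info.txt asks for. It parses only classic libpcap (.pcap) files with Ethernet framing, not pcapng, and the sample traces are constructed inside the script from RFC 5737 documentation addresses rather than captured from any network.

```python
"""Sanity-check a libpcap (.pcap) trace before sending it for analysis (added example)."""
import struct
from dataclasses import dataclass, field

LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
BROADCAST_MAC = b"\xff" * 6


@dataclass
class TraceSummary:
    snaplen: int = 0
    packets: int = 0
    truncated: int = 0          # records whose incl_len < orig_len (snaplen was set)
    broadcast: int = 0          # frames to ff:ff:ff:ff:ff:ff or to an IPv4 broadcast
    macs: set = field(default_factory=set)
    ipv4: set = field(default_factory=set)

    @property
    def broadcast_only(self) -> bool:
        return self.packets > 0 and self.broadcast == self.packets


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def summarize_pcap(data: bytes) -> TraceSummary:
    """Walk the libpcap global header and per-record headers; inspect each Ethernet frame."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        end = "<"               # little-endian file, microsecond timestamps
    elif magic == b"\xa1\xb2\xc3\xd4":
        end = ">"               # big-endian file
    else:
        raise ValueError("not a classic libpcap file (pcapng or unknown magic)")
    _vmaj, _vmin, _tz, _sig, snaplen, linktype = struct.unpack(end + "HHiIII", data[4:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}; this example handles Ethernet only")
    s = TraceSummary(snaplen=snaplen)
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        s.packets += 1
        if incl_len < orig_len:
            s.truncated += 1    # "Limit each packet to" was in effect; frame is cut short
        if len(frame) < 14:
            continue
        dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
        s.macs.update((_mac(src), _mac(dst)))
        is_bcast = dst == BROADCAST_MAC
        if ethertype == ETHERTYPE_IPV4 and len(frame) >= 34:
            sip, dip = frame[26:30], frame[30:34]   # IPv4 src/dst sit at fixed header offsets
            s.ipv4.update((".".join(map(str, sip)), ".".join(map(str, dip))))
            # Heuristic from the text: limited broadcast, or x.x.x.255 on a /24 network.
            if dip == b"\xff\xff\xff\xff" or dip[3] == 255:
                is_bcast = True
        if is_bcast:
            s.broadcast += 1
    return s


def report(data: bytes) -> dict:
    """Findings in the form a support engineer would paste into trace_info.txt."""
    s = summarize_pcap(data)
    return {"packets": s.packets, "truncated": s.truncated, "broadcast_only": s.broadcast_only,
            "macs": sorted(s.macs), "ipv4": sorted(s.ipv4)}


# --- Constructed sample data (not a real capture) -----------------------------------
def build_pcap(frames, snaplen=65535) -> bytes:
    """Serialise raw Ethernet frames as a little-endian libpcap file, honouring snaplen."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for i, f in enumerate(frames):
        captured = f[:snaplen]
        out += struct.pack("<IIII", 1_600_000_000 + i, 0, len(captured), len(f)) + captured
    return bytes(out)


def ethernet(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload


def ipv4_packet(src_ip, dst_ip, payload=b"\x00" * 8):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                       bytes(src_ip), bytes(dst_ip)) + payload


WS = bytes.fromhex("020000000001")    # hypothetical workstation being traced
SRV = bytes.fromhex("020000000002")   # hypothetical server
ARP_BROADCAST = ethernet(BROADCAST_MAC, WS, ETHERTYPE_ARP, b"\x00" * 28)
IP_BROADCAST = ethernet(BROADCAST_MAC, WS, ETHERTYPE_IPV4, ipv4_packet([192, 0, 2, 10], [192, 0, 2, 255]))
IP_UNICAST = ethernet(SRV, WS, ETHERTYPE_IPV4, ipv4_packet([192, 0, 2, 10], [192, 0, 2, 20], b"\x00" * 100))

USELESS_TRACE = build_pcap([ARP_BROADCAST, IP_BROADCAST])          # third host on a switch
TRUNCATED_TRACE = build_pcap([ARP_BROADCAST, IP_UNICAST], snaplen=60)  # snaplen left set
GOOD_TRACE = build_pcap([ARP_BROADCAST, IP_UNICAST])

if __name__ == "__main__":
    for name, trace in (("useless", USELESS_TRACE), ("truncated", TRUNCATED_TRACE), ("good", GOOD_TRACE)):
        print(name, report(trace))
```

To check a real file, read it with open(path, "rb") and pass the bytes to report(); a result with broadcast_only set to True means the capture point must be reconsidered, and a non-zero truncated count means the trace has to be taken again with the packet size limit cleared.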
For SUSE Support to analyze a packet trace, a Service Request needs to have been opened. Refer to http://www.suse.com/support/ for details on how to open a Service Request.
Traces smaller than about 5 megabyte can be attached to an open service request through the service request web interface.
Larger traces should be uploaded to SUSE's FTP server. Zip the traces together with a readme.txt describing what was traced, naming the archive after the case number (e.g. 2345678.zip), and upload the file to the FTP server. For a list of FTP servers see TID 000019214, Supportconfig Self Service via SCC/FTP. Once the file has been uploaded, notify the assigned support technician that the files are available by updating the incident through the service request web interface or by sending an email to the service request.
Additional Information
A common procedure for taking a trace is to get two traces, one of a workstation that works and one of a workstation failing. When doing this, it is important that the exact same steps are followed in each trace so they can be accurately compared. The following steps are useful in this case:
- Follow the steps above to set up the trace of a failing workstation.
- Start the trace, then turn on the target workstation. Once login has completed and the operating system has finished loading, write down the packet number (shown in the Wireshark capture window or on the LANalyzer dashboard).
- As the error is recreated, pause between each step and note the packet number once that step has completed. For instance: load the application, write down the packet number; open a file, write down the packet number; and so on.
- Once the steps to reproduce the issue have been completed, stop the trace, save it and send the trace in to SUSE for analysis. Then repeat the EXACT SAME steps for the workstation that works. Include a note indicating the steps that were followed and the packet number at the end of each step for each trace.
TID history
Formerly known as TID# 10070788.
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:3892415
- Creation Date: 25-Mar-2008
- Modified Date:23-Feb-2021
- SUSE Linux Enterprise Desktop
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com