Chris Greer’s Wireshark Nightmare
Packet Pioneer Chris Greer reveals his own Wireshark nightmare while dealing with trace files in the popular analyzer.
“I’m a big user of Wireshark,” says Chris Greer, network and application analyst and founder of Packet Pioneer. “I own and operate an independent consulting company. What I do is I sit on the beach in Costa Rica and people send me trace files and I analyze trace files and I send the trace files back to them.”
Recently, Greer took a break from the beach to attend one of the most popular packet-capturing conferences and posited an important question to the user base.
“I was at SharkFest, the Wireshark user’s conference,” he says. “I got to thinking: Why would a Wireshark user begin to think about a solution like Observer GigaStor? To resolve problems, we need packets. We need to get the packet-level detail to resolve the issues that we are meeting today, not just with network performance but there is also a huge amount of security and IoT stuff coming up. We need to know about all these things and Wireshark is one of the best tools to help us do that. But there are a few weaknesses with Wireshark.”
With most users firing up the program on laptops and analyzing trace files on the fly, there are practical limits to the volume of traffic that can be handled. Because many of these issues are elusive, organizations that want to resolve them cost-effectively need to cast a wider net.
Wireshark on a Laptop
“If we just take Wireshark and install it on a laptop, and put it on a link, we can’t capture forever,” Greer says. “We can ring buffer, we can get captures, to the limit that the laptop can capture. But today we need long-term capture because problems are intermittent. We need to be able to catch it in the act. I think that’s the most difficult thing, just being there, on the link, when the problem is occurring. How many times have you heard of a problem, someone complains of something, by the time you run out there to analyze it, the problem’s gone? For me, an organization has flown me up and they’ve had an issue. They fly me up and the problem disappears. I leave and the problem comes back. Long-term, stream-to-disk packet capture is what we need.”
The problem with long-term traffic capture is that it requires a lot of space. This is where some of these lighter-duty solutions become, as Greer explains, a network nightmare.
“In terms of capacity, let’s just talk about a 1 gigabit per second link,” explains Greer. “Do you realize that if we had a 1 Gb link with 50 percent utilization, that translates to 3.75 gigabytes per minute of data? Therefore, if you just wanted to capture five minutes of traffic on a drive, that is 18 GB of data. Have you ever opened up an 18 GB trace file? You probably wouldn’t be able to do it. In fact, with a 1 GB trace file, just digging through that is a nightmare. It’s like the Matrix. Where do you start? So, long-term capture is what we need to do and laptops can’t keep up with the data stream.”
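An added sizing calculator (example code, not from the article or from Packet Pioneer) that generalizes the 1 Gb/s, 50 percent utilization arithmetic above to any link rate, utilization and retention window, and adds the per-packet pcap record header that the rough figure omits; the average packet size, disk budget and file size used are constructed inputs:

```python
"""Storage sizing for stream-to-disk packet capture (added example)."""
import math
from dataclasses import dataclass

PCAP_FILE_HEADER = 24    # bytes: one pcap global header per file
PCAP_RECORD_HEADER = 16  # bytes per packet: ts_sec, ts_usec, incl_len, orig_len
GB = 1000 ** 3           # decimal gigabyte, as in the quoted figures


@dataclass(frozen=True)
class Link:
    rate_bps: float            # line rate in bits per second
    utilization: float         # fraction of line rate actually carrying traffic
    avg_packet_bytes: int = 0  # constructed assumption; 0 ignores per-packet overhead

    def wire_bytes_per_sec(self) -> float:
        return self.rate_bps * self.utilization / 8

    def capture_bytes_per_sec(self) -> float:
        """Bytes written to disk per second, including pcap record headers."""
        wire = self.wire_bytes_per_sec()
        if self.avg_packet_bytes <= 0:
            return wire
        packets_per_sec = wire / self.avg_packet_bytes
        return wire + packets_per_sec * PCAP_RECORD_HEADER


def storage_bytes(link: Link, seconds: float) -> float:
    """Disk needed to retain `seconds` of traffic from `link` in one pcap file."""
    return PCAP_FILE_HEADER + link.capture_bytes_per_sec() * seconds


def retention_seconds(link: Link, disk_bytes: float) -> float:
    """Inverse question: how far back a capture of `disk_bytes` can look."""
    return max(disk_bytes - PCAP_FILE_HEADER, 0.0) / link.capture_bytes_per_sec()


def ring_buffer_files(link: Link, seconds: float, file_bytes: float) -> int:
    """Equal-size ring-buffer files needed to keep `seconds` of history."""
    return math.ceil(storage_bytes(link, seconds) / file_bytes)


if __name__ == "__main__":
    gig = Link(rate_bps=1e9, utilization=0.5)          # the quote's 1 Gb/s at 50 %
    print(f"{storage_bytes(gig, 60) / GB:.2f} GB per minute")
    print(f"{storage_bytes(gig, 300) / GB:.2f} GB for five minutes")
    print(f"{retention_seconds(gig, 1e12) / 3600:.1f} h of lookback on 1 TB")
    busy = Link(rate_bps=1e9, utilization=0.5, avg_packet_bytes=500)
    print(f"{busy.capture_bytes_per_sec() / 1e6:.1f} MB/s to disk with pcap headers")
```

The per-packet overhead matters most on links dominated by small packets, which is also where a laptop's capture stack drops the most.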
Running Wireshark on a laptop, as is so common, typically means a high degree of packet loss, which can significantly reduce the accuracy of any analysis run on that data.
“In a 1 Gb data stream, I had 82 percent packet loss,” Greer says. “One gig went out and I was only able to capture 18 percent of the packets. As I turned down the volume, I had to go down to about 50 Mb per second on my laptop to capture all the packets. Fifty megabits per second, are you kidding me? We should never be using a laptop in a data center to capture packets. We’re going to drop packets and that’s going to affect our analysis.”
The “nightmare” brought Greer back to thinking about more robust solutions for network monitoring and security forensics with packet analysis capabilities.
A Packet-Capturing Great White
“For me as an analyst I want to be able to do hardware-based capture and then monitor for an extended amount of time,” he says. “Once we have the packets we can open them. VIAVI Observer Analyzer is a great tool, but if you haven’t used it before, you can open up the capture in Wireshark as well. The filtering built into the GigaStor solution is more visual. It’s easy to build and easy to explain. With GigaStor, we can have several capture points. We can merge them. It allows us to time those systems.”
Having better tools leads to better communication between teams, which is an area of opportunity for almost any enterprise. Easy-to-read visuals can do wonders for helping decision makers understand problem areas, turning a network nightmare into a dream come true.
“What I like about the Observer Platform is I can just do a screenshot and it’s easy for someone else to read, even a person that is not as comfortable with packets as I am,” says Greer. “That’s something that can help you with other teams and solutions. With delays for multiple connections you can feed a trace file to it and it will break out all these times for us. With the bad ones in red, it’s easier to pinpoint where the break is and explain it to somebody else.”
For the best Wireshark tips, tricks, and hacks from the Packet Pioneer Chris Greer, be sure to sign up for this year’s Wireshark Week network event starting November 6, 2017.