Wireshark question

--chris--

I have found ways to A) locate a bandwidth hog and see a breakdown of bandwidth usage by protocol but now i need to tie the two together with some correlation and find the host that is eating up bandwidth with UDP.

Anyone know how to achieve this?

Ryuksapple84

Have you looked into videos for wireshark? they are out there. Good luck!

I would also like to see the answer to this.

--chris--

Since I am pretty new to WS, I didn't immediately realize that you can see the source & destination address in the capture...duh! However, I would like to tie the nice graph of protocol/bandwidth utilization and make a graph that display host to protocol to bandwidth utilization. It would make presenting this info to a client much easier (or to a manager, etc...).

Heero

Just FYI, in a typical network you would be doing this with netflow. Netflow fits your use-case perfectly without actually having to capture/store all wire data. As for how to do this in wireshark, I don't think I know more than you about this specific use case.

--chris--

Heero wrote: »

Just FYI, in a typical network you would be doing this with netflow. Netflow fits your use-case perfectly without actually having to capture/store all wire data. As for how to do this in wireshark, I don't think I know more than you about this specific use case.

Wow didn't even know that existed. Thanks for the post.

jvrlopez

Statistics > Summary
Statistics > Conversations > UDP tab

You can then probably hand jam them into a spreadsheet or chart after. Not sure if you can output via WS automatically.

Trashman

--chris-- wrote: »

Wow didn't even know that existed. Thanks for the post.

Netflow with PRTG Network Monitor if you want to make pretty reports for the boss.

--chris--

Trashman wrote: »

Netflow with PRTG Network Monitor if you want to make pretty reports for the boss.

Thanks for this...this looks awesome, but out of my budget The free trial could be handy though...depending on its limitations.

@JVR, I am still looking for a free program that meshes with wireshark to pull reports. If I find something I will post it here.

--chris--

Has anyone witnessed a broadcast storm in WS? I am working on a network issue that comes and goes.

Here is the environment:

1 server
12 workstations
4(!) switches
A comcast modem bridged to a Dlink router (the dlink provides Nat'ing)

On this little network I see ARP requests for repeat destinations multiple times in a 30 second span. Almost every device ARPs out to another device at least once, some multiple times in this short period. For a rough idea, I captured 5600 packets...of those 200 are arp requests. 200 arp requests for 12 devices in 30 seconds?

Is this normal behavior? I have the capture if someone would like to see it.

--chris--

I compared what I seen on that network to what I see on a known good network and that does seem like normal behavior.

apr911

Hi Chris,

As you've noted, 200 packets out of 5600 does sound pretty normal.

I know it seems like a lot of traffic but really it depends on how often these devices need to talk to each other and how often they actually are talking to each other... As that impacts their ARP cache.

That being said how are you doing your network capture? Based on the size and description of your network, it sounds like you are using consumer-grade gear... When using consumer grade gear you need to watch as consumer "switches" are more often than not actually hubs. Given the small number of hosts the devices are intended for, most consumers dont notice the difference but when you start daisy-chaining these devices together, you begin to see a significant amplification in the amount of traffic going through the devices.

If it's all 100Mbit, you might want to pick up a Cisco 2950 off ebay. They usually run between $50-100 and they give you true switching and the ability to do port mirroring. Additionally, as a fully managed switch, you can do SNMP polling of each port and import that data into MRTG (which is free) which will give you graphs on a per-port basis. Obviously if a device is running multiple IPs, this wont quite give you the answer you are looking for directly like net-flow would but once you have it narrowed down to a specific pair of hosts, you can start capturing on them directly or mirroring their port at which point it should be pretty clear what's generating the traffic.

As witnessing a broadcast storm via wireshark? Ive seen it and all I can really say is you'll know it when you see it... Of course that assumes you have some idea of what normal traffic looks like... If you dont then let me put it this way... Again depending on the size of your network but with a network of your size even you could very easily see 1000's of broadcasts in just a few seconds. Most broadcast storms are likely to impact hosts in your environment.