Networking

Wireshark makes locating bandwidth issues easy

When a small business experiences network bottlenecks, the best troubleshooting tool for the job is Wireshark, according to Jack Wallen.

If you manage a network, you will be asked one of the most frustrating IT questions of all time: "Why is our network slow?" Sometimes this question is easily answered by calling your provider and hoping the issue is on their end. If it's not, then your job just became infinitely more challenging. There are a number of tools that will help you find out what is causing the network bottlenecks and where the problem originates, but I think the most cost-effective option for small businesses is Wireshark.

Wireshark comes with a slew of features, and one of the handiest ones is the ability to quickly create filters in real-time as it scans the network; this makes it incredibly easy to troubleshoot what is causing bandwidth problems on your network. Once you figure out what is causing the bottleneck, you can act upon it to resolve your issue.

I'll walk you through the process from installing Wireshark to using it for filtering. In the end, you should know how to troubleshoot what is happening with your network bandwidth.

Installing Wireshark

The Wireshark installation on Windows 7 requires the WinPcap library; you won't need to install this separately, as the Wireshark installation wizard will take care of the task. To install on a Windows 7 machine, follow these steps:

  1. Download the installer associated with your platform and architecture.
  2. Double-click the downloaded file.
  3. Walk through the install wizard, paying close attention to make sure WinPcap is installed and started at boot time.

You should be able to start Wireshark by going to Start | All Programs | Wireshark. When Wireshark first starts up, you will be greeted by the main window (Figure A).

Figure A

Wireshark's clean interface has a lot to offer users. (Click the image to enlarge.)

To start a capture, follow these steps:

  1. Click Interface List.
  2. Select the interface to be used (Figure B).
  3. Click Start.

Figure B

I have one interface seeing packets already, so I'll select that one. (Click the image to enlarge.)

The capture will begin, and color-coded packets should start flying by (Figure C). If you want to save this capture for later viewing, follow these steps:

  1. Go to Capture | Stop.
  2. Go to File | Save.
  3. Give the capture a name.
  4. Click Save.

Figure C

The color-coding makes it easier to read the packets as they fly by. (Click the image to enlarge.)

Since we're troubleshooting, we want to work with live captures, so keep this baby running.

Filtering protocols

The easiest way to troubleshoot these types of problems is to filter the protocols. Wireshark makes this incredibly easy -- you don't even have to create filters, you simply view the protocol hierarchy and look for anything suspicious. Here's how:

  1. With the capture running, go to Statistics | Protocol Hierarchy.
  2. After the hierarchy builds, scan through the resulting window for anything suspect (Figure D).
  3. When you find something that seems untoward, right-click that entry and select Apply As Filter | Selected.

Wireshark will only display the packets it sees that apply to the newly created filter. You can clear that filter by clicking the Clear button. If that protocol isn't the issue, go back to the hierarchy and try again. Most likely, if you're having an Internet bottleneck due to an abundance of traffic, you will see it here.

Figure D

Scan through this entire hierarchy, paying close attention to P2P traffic and other protocols that are known to cause issues. (Click the image to enlarge.)
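To make the hierarchy step concrete, here is an added Python example (not from the article or from the Wireshark project) that tallies bytes per protocol path in a pcap file and then keeps only the frames under a chosen node, mirroring Statistics | Protocol Hierarchy and Apply As Filter | Selected. The capture is constructed inline; port 6881 is only a stand-in for whatever heavy traffic you are hunting, and labelling by port is a simplification of what Wireshark's dissectors do.

```python
import struct
from collections import Counter
# Constructed sample pcap (not a real trace): Ethernet/IPv4 frames carrying
# TCP/80, UDP/53 and two large TCP/6881 frames standing in for P2P traffic.
def _frame(proto, sport, dport, payload_len):
    eth = b"\x00" * 12 + b"\x08\x00"                      # zero MACs, IPv4 type
    total = 20 + (20 if proto == 6 else 8) + payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                     b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 0, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)
    return eth + ip + l4 + b"A" * payload_len

_FRAMES = [_frame(6, 40000, 80, 300), _frame(17, 40001, 53, 40),
           _frame(6, 40002, 6881, 1400), _frame(6, 40003, 6881, 1400)]
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in _FRAMES)

def packets(pcap):
    """Yield (protocol path, frame length) per record, e.g. 'eth/ip/tcp/port 80'."""
    off = 24                                              # skip global header
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        path = ["eth"]
        if frame[12:14] == b"\x08\x00":                   # EtherType IPv4
            ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
            path.append("ip")
            if proto in (6, 17):                          # TCP or UDP
                path.append("tcp" if proto == 6 else "udp")
                sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
                path.append(f"port {min(sport, dport)}")  # service-side port
        yield "/".join(path), len(frame)

def hierarchy(pcap):
    """Bytes per node as in Statistics | Protocol Hierarchy; parents include children."""
    counts = Counter()
    for path, size in packets(pcap):
        parts = path.split("/")
        for depth in range(1, len(parts) + 1):
            counts["/".join(parts[:depth])] += size
    return counts

def apply_filter(pcap, selected):
    """Apply As Filter | Selected: keep only frames at or under the chosen node."""
    return [(p, s) for p, s in packets(pcap) if p.startswith(selected)]
```

Sorting `hierarchy(SAMPLE_PCAP)` by bytes at each level is the same scan the article describes in the hierarchy window; the heaviest leaf here is the constructed port 6881 traffic.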

Once you locate the issue through Wireshark, you can act on the new information. These quick steps should give you everything you need to troubleshoot your networking issues.

About

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website getjackd.net.

4 comments
davidwgilmore

Nice article, Jack. This may go without saying, but it may be worth mentioning that it matters how the machine running Wireshark is connected to the network as to how much traffic you will see. If you install Wireshark in a normal switched network and fire it up, you will see that machine's traffic and any broadcast traffic, but not traffic from any other workstation to the internet. For that, you would either need to run Wireshark from the suspect computer, or configure a mirror/span port on the switch and plug the PC running Wireshark into that. Sorry if I'm stating the obvious, but I know as a young admin coming up it took me some head banging to figure this one out on my own.

Craig_B

I highly recommend, if possible, doing a baseline scan of the network when everything is running properly. This will help you get a feel for what normal conditions look like, and you can compare traces to see what may be new or different. If you are new to Wireshark you should check out http://www.wireshark.org/docs/ which has some good information and helpful videos.

Matthew G. Davidson

You can also achieve the desired result by using a HUB. What goes in one port goes out to all ports.