Site announcements from the admin and moderators.
Steve
Site Admin
Posts:
10617
Joined:
Mon Dec 06, 2004 6:46 pm
Certs:
CCNA

Wireshark Book Contest

Mon May 03, 2010 7:03 pm

Many of you are aware of the new book, "Wireshark Network Analysis" by Laura Chappell and the thread here discussing it. It seemed to be pretty popular with the site's members and the author joined the discussion, so I asked her if she'd like to contribute a few copies as part of a giveaway on the site. She has graciously agreed to give away 3 copies, signed by Laura and Wireshark creator, Gerald Combs, no less.

What are you giving away?

3 signed copies of the new "Wireshark Network Analysis" book (ISBN 978-1-893939-99-8).

http://www.wiresharkbook.com/

Wireshark is undeniably the world's most popular network analyzer with over 500,000 downloads per month.

Wireshark Network Analysis is the result of over 20 years of packet-level analysis and troubleshooting. At 800-pages, Wireshark Network Analysis is the ultimate reference guide focusing on Wireshark functionality as well as TCP/IP traffic interpretation.

  • Learn the most efficient methods for capturing wired and wireless traffic
  • Identify the cause of poor performance and stop the finger pointing
  • Use Wireshark charts and graphs to "draw a picture" of network behavior
  • Customize Wireshark for more efficient troubleshooting and security analysis
  • Build advanced filters to identify unusual traffic patterns caused by poorly performing network devices and applications, network scans and breached hosts


..and a few swag items.

How do I get me hands on one?

This one is easy: create a post on this thread before 12:00PM CST on 5/6/2010. Be sure to include a write-up describing a time you have used Wireshark to solve an issue on your network; be as specific and detailed as you can without divulging network/corporate secrets. The best write-up gets a copy of the book and a choice of items from the networking-forum.com swag store.

From the rest of the entries, with write ups or without, two people will be randomly* selected as winners of the book and a sticker from the above mentioned swag store.

What else should I know?

  • Nothing in life is guaranteed.
  • Please don't hold Steve liable for getting your feelings hurt, I do this for the benefit of the members.
  • The admin and mods will decide the winners. Their decision is final.
  • The contest and/or rules can change at any time.
  • One entry per person, not account.
  • The Wireshark write ups must be original and truthful. This will be up to the judges' discretion.
  • Winners will be notified via this thread and will have 3 days to respond with their full name, shipping address, and contact phone number. If they don't reply, or an email gets lost, or whatever other unforeseeable thing happens, another winner will be selected and all prizes will be forfeited.

*Is there really such a thing as 'random'? I'm not sure but we'll do our best.

Retired Account
Post Whore
Posts:
3512
Joined:
Mon Nov 16, 2009 8:10 pm

Re: Wireshark Book Contest

Mon May 03, 2010 7:07 pm

Awesome! I've been learning a lot about how to use Wireshark recently to troubleshoot Websense web filtering... I'll try to come up with something :)

Retired Account
Post Whore
Posts:
3512
Joined:
Mon Nov 16, 2009 8:10 pm

Re: Wireshark Book Contest

Mon May 03, 2010 7:08 pm

Agh it's already the third!

sgtcasey
Post Whore
Posts:
1147
Joined:
Wed Jul 12, 2006 3:36 pm
Certs:
CCNP

Re: Wireshark Book Contest

Mon May 03, 2010 7:49 pm

Very nice! I received the notification of this contest via LinkedIn.

I have a couple of good examples of when I've used Wireshark to resolve an issue on my network, and they're both good, but since the rules called for only one I'll just pick one. :)

About a year or so ago while I was working as a contractor for a major computer processor manufacturing company one of the factory managers contacted me about an issue they were having with a specific tool in the factory. The details at first were sketchy but I did what I always did and started with the basics.

The problem was that each morning around 3:00am this specific tool, and only this specific tool, would seemingly lose its network connection. It would become very sluggish/slow in passing data and finally just stop entirely, with the applications throwing out all kinds of "lost connection" errors.

After tracing out the device to determine the switch port they were connected to I discovered that every morning right around 3:00am there were a lot of out-discards from a few switch ports (which all happened to share the same VLAN) including the port to the tool in question. Not finding any other issues on the switch port or the network in general I decided to see what was going on the wire at 3:00am that might cause this issue. (I suspected it was something with the specific configuration of the tool...)

So one early morning I headed into work and got my work-issued laptop all set up and Wireshark running, sniffing the VLAN on that specific switch. I then sat back and just watched as the packets scrolled by. Sure enough, at 2:50am my laptop went absolutely crazy. The amount of traffic coming into Wireshark from the span port was *insane*. I had to pull the network cable from my laptop and even then it took a few minutes for the data which Wireshark had sniffed to save to the hard drive (my work laptop was pretty low-end).

I saved the data I'd sniffed and headed up to my desk. After a few minutes of poking around I discovered what I felt to be the root cause. At 2:50am a production tool on the network (and the same VLAN as the tool having issues) began a *huge* file transfer. I emailed the findings to my customer and they right away figured out the problem.

This huge file transfer was a hard drive image being mirrored as part of a nightly backup. The script controlling the backup was broken and instead of deleting each day's backup file it added a new one to the batch each day. So after a week they were mirroring just a ton of data across that VLAN.

They stopped the backup script the next morning and not a single problem. They fixed the script and allowed it to run the next morning and no issues.

That's it! I was quite satisfied that I was able to figure out the cause of the problem and help my customers fix their issues.

Dave
Taking the sh out of IT since 2005!

inzeos
Post Whore
Posts:
1858
Joined:
Mon Jun 11, 2007 9:43 am

Re: Wireshark Book Contest

Mon May 03, 2010 8:02 pm

Sounds like a good contest! I'll pass this time as I currently already have a copy to read!

Lightworker
Ultimate Member
Posts:
650
Joined:
Tue Aug 11, 2009 7:43 pm
Certs:
CCNA, CCNA:V, CCDA, IPCXS

Re: Wireshark Book Contest

Mon May 03, 2010 8:09 pm

I want this book.

sgtcasey
Post Whore
Posts:
1147
Joined:
Wed Jul 12, 2006 3:36 pm
Certs:
CCNP

Re: Wireshark Book Contest

Mon May 03, 2010 8:18 pm

Lightworker wrote: I want this book.

Me too. I've always found packets interesting to look through. Sometimes I'll run Wireshark on the home PC while I'm doing something or other just so I can see what it looks like on the wire. :)

Dave
Taking the sh out of IT since 2005!

Yozh
New Member
Posts:
1
Joined:
Mon May 03, 2010 8:13 pm
Certs:
CCNP, CCDP, CCSP, JNCIA, JNCIS

Re: Wireshark Book Contest

Mon May 03, 2010 8:20 pm

When I started my new job, the first issue that came in was very strange. A user was complaining that a specific application was slow, while email, internet and everything else were working fine. After much checking of interfaces, ARP entries and MAC addresses we ran Wireshark on the VLAN. What we found (which the desktop people didn't) was lots and lots of IPX chatter on the VLAN. Apparently, while we had removed IPX routing from the routers and layer 3 switches, some workstations still had it installed, and since this application was originally made for Netware it tried to talk on the IPX stack first; after timing out it would use the IP stack. If it wasn't for Wireshark we would still be waiting for the desktop personnel to figure this out!!!

flylikeaneagle
New Member
Posts:
3
Joined:
Thu Jul 16, 2009 5:15 am

Re: Wireshark Book Contest

Mon May 03, 2010 8:32 pm

I don't have any great stories on how it helped solve a problem, but it has been great to gain a better understanding of networking by viewing captured packets.
I sure would like to get a free copy...

ashwat
New Member
Posts:
1
Joined:
Mon May 03, 2010 8:50 pm

Re: Wireshark Book Contest

Mon May 03, 2010 8:52 pm

Noob trying to get a headstart :) A free copy will definitely help :)

swagger
Post Whore
Posts:
1395
Joined:
Mon Nov 23, 2009 7:55 pm
Certs:
CCNP, CCNA Sec

Re: Wireshark Book Contest

Mon May 03, 2010 8:55 pm

I, like many others who have posted already, don't have a ton of networking experience, especially not with Wireshark. However, I have used it here and there at home to view packets to help better understand the flow of data and the OSI model itself as I continue to progress in my studies. There was ONE situation at my last job where I recommended and actually led in the use of Wireshark:

This had to be around December 09 and my manager and co-worker were working with our new Symantec Enterprise server for anti-virus, trying to figure out what ports it communicated on because they could not distribute the client to most of the systems in our network. On most machines, Windows firewall was turned on, but there didn't seem to be anything specifically blocked in the configuration. So I recommended Wireshark (portable in fact because I keep it on my USB drive). I ran it on a computer with the firewall turned off and distributed the anti-virus package from the server down to the desktop and figured out that it was the same ports that File and Print sharing used (TCP 445, UDP 137, and UDP 138) so all we had to do was write a registry fix to allow File and Print sharing from any subnet in the LAN in Windows firewall and send it to all the computers via Zenworks. Problem solved and I was a hero :)

I hope I win but I will congratulate anyone in advance who does win if I don't :) Good luck to everyone

Regards,
Keith

rtstarliper
New Member
Posts:
48
Joined:
Wed Jun 17, 2009 10:22 pm
Certs:
CCNA

Re: Wireshark Book Contest

Mon May 03, 2010 8:59 pm

Does it count if my anecdote is in the book already? :P

The boss got a copy for submitting a writeup as one of the case studies, I want one for myself :)

We had a remote user that periodically was unable to connect remotely to our network. After some basic troubleshooting, it appeared that his ISP was blocking some ports. We checked with the ISP and were told that they were not blocking ports. Wireshark was installed on his machine and packet captures sent to our team for analysis. When we looked at the captures, it seemed the client used the same sequence of source ports each time it started and tried to establish the connection. One of those ports repeatedly failed. We went back to the ISP with this information and were told that yes, they were indeed blocking that port. Once they opened the port, our remote employee was able to connect.
Do not meddle in the affairs of dragons, for you are crunchy and taste good with ketchup.

swagger
Post Whore
Posts:
1395
Joined:
Mon Nov 23, 2009 7:55 pm
Certs:
CCNP, CCNA Sec

Re: Wireshark Book Contest

Mon May 03, 2010 9:04 pm

@sgtcasey,

That's great. You really saved the day on that one... You would think the server admins or the backup guy there would point towards the back-up job with it being so close to the time for normal back-ups. Anyway, good job!

@rtstarliper,

Have never actually had to deal with an ISP before but I've heard horror stories about their incompetency and lies. I'm glad you guys brought them proof so they couldn't do anything but fess up.

Regards,
Keith

rtstarliper
New Member
Posts:
48
Joined:
Wed Jun 17, 2009 10:22 pm
Certs:
CCNA

Re: Wireshark Book Contest

Mon May 03, 2010 9:11 pm

This wasn't even a big ISP - just a little operation, if I recall correctly it was run by the local town. So not only was it an ISP, it was run by a local government. Can you say 'double whammy'? Sure. I knew you could :)
Do not meddle in the affairs of dragons, for you are crunchy and taste good with ketchup.

amike25
Junior Member
Posts:
50
Joined:
Sat Mar 06, 2010 5:09 am
Certs:
CCNP, CCDP, CCVP

Re: Wireshark Book Contest

Mon May 03, 2010 9:19 pm

We actually used Wireshark in the past 3-4 weeks to get rid of an issue that was causing a lot of managers to get very angry at us. We have a very large network, over 200 sites all over the country, and good monitoring tools (Solarwinds Orion, CiscoWorks etc.). We deployed VoIP at a remote site with about 30 IP phones and everything was nice and dandy for about 2 years until 2 months ago, when suddenly the voice began to get choppy, calls would get dropped and so on. We checked all the monitoring tools and everything seemed to be OK, however the calls would still drop. After 3 very angry calls from a local director at the site we decided to use a sniffer with Wireshark and try to see what might cause this, and it turns out a newly installed server was misconfigured and was flooding the local LAN and using up to 80% of the WAN link for 10-20 seconds at times with...... IPv6 traffic! The problem was none of our monitoring tools was configured for IPv6 and that's why we weren't able to see anything, but with Wireshark everything became clear in a few hours.

I'm glad to announce we haven't received any angry calls from that director since :).
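
The stories from sgtcasey (the 2:50am bulk transfer), Yozh (IPX chatter nobody expected), swagger (which ports an agent really uses) and amike25 (IPv6 that IPv4-only monitoring never showed) all come down to the same two views of a capture: bytes per EtherType, and top conversations with their destination port. Wireshark gives you those under Statistics > Protocol Hierarchy and Statistics > Conversations; the Python below is an added example, not code from any of the posters or from the Wireshark project, that builds the same two views from a classic pcap file with nothing but the standard library. The capture it reads is constructed inline (MACs, addresses, ports and timestamps are all made up), so it runs offline.

```python
import ipaddress
import struct
from collections import Counter

ETHERTYPE_NAMES = {0x0800: "IPv4", 0x86DD: "IPv6", 0x8137: "IPX", 0x0806: "ARP"}
IP_PROTO_NAMES = {6: "TCP", 17: "UDP"}


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def ipv4_frame(src_mac, dst_mac, src_ip, dst_ip, proto, sport, dport, payload_len):
    """Ethernet II + IPv4 + TCP/UDP header + zero payload (checksums left at zero)."""
    payload = b"\x00" * payload_len
    if proto == 6:   # TCP: 20-byte header, PSH/ACK, no options
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    else:            # UDP
        l4 = struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + payload_len, 0, 0x4000,
                     64, proto, 0, ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", 0x0800) + ip + l4 + payload


def ipv6_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload_len):
    """Ethernet II + IPv6 (no extension headers) + UDP header + zero payload."""
    payload = b"\x00" * payload_len
    udp = struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)
    ip6 = struct.pack("!IHBB16s16s", 6 << 28, len(udp) + payload_len, 17, 64,
                      ipaddress.IPv6Address(src_ip).packed, ipaddress.IPv6Address(dst_ip).packed)
    return _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", 0x86DD) + ip6 + udp + payload


def ipx_frame(src_mac, dst_mac, payload_len):
    """Ethernet II + a dummy 30-byte IPX header; only its EtherType matters here."""
    ipx = b"\xff\xff" + struct.pack("!H", 30 + payload_len) + b"\x00" * 26
    return _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", 0x8137) + ipx + b"\x00" * payload_len


def pcap_bytes(frames):
    """Serialise (timestamp, frame) pairs as a little-endian pcap, LINKTYPE_ETHERNET (1)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in frames:
        out.append(struct.pack("<IIII", int(ts), int(round((ts % 1) * 1e6)), len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def read_pcap(data):
    """Yield (timestamp, frame) from classic pcap bytes; both byte orders are handled."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != 1:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def analyse(data):
    """Return (bytes per EtherType, bytes per (src, dst, proto, dport) conversation)."""
    by_type, convs = Counter(), Counter()
    for _ts, frame in read_pcap(data):
        if len(frame) < 14:
            continue
        etype, = struct.unpack_from("!H", frame, 12)
        by_type[ETHERTYPE_NAMES.get(etype, hex(etype))] += len(frame)
        if etype == 0x0800 and len(frame) >= 34:
            l4, proto = 14 + (frame[14] & 0x0F) * 4, frame[23]
            src, dst = ipaddress.IPv4Address(frame[26:30]), ipaddress.IPv4Address(frame[30:34])
        elif etype == 0x86DD and len(frame) >= 54:   # assumes no IPv6 extension headers
            l4, proto = 54, frame[20]
            src, dst = ipaddress.IPv6Address(frame[22:38]), ipaddress.IPv6Address(frame[38:54])
        else:
            continue   # IPX, ARP and friends are counted by EtherType only
        if proto in IP_PROTO_NAMES and len(frame) >= l4 + 4:
            _sport, dport = struct.unpack_from("!HH", frame, l4)
            convs[(str(src), str(dst), IP_PROTO_NAMES[proto], dport)] += len(frame)
    return by_type, convs


def sample_capture():
    """Constructed traffic: a bulk push to TCP 445, a workstation on NetBIOS/SMB ports,
    a server spraying IPv6 multicast, and one legacy station still talking IPX."""
    t, frames = 1272869400.0, []   # constructed epoch timestamp
    for i in range(40):
        frames.append((t + i * 0.001, ipv4_frame("00:11:22:33:44:01", "00:11:22:33:44:02",
                                                  "10.0.5.20", "10.0.5.9", 6, 40000, 445, 1400)))
    for i in range(5):
        frames.append((t + i, ipv4_frame("00:11:22:33:44:03", "00:11:22:33:44:04",
                                          "10.0.5.30", "10.0.5.10", 17, 137, 137, 50)))
        frames.append((t + i + 0.5, ipv4_frame("00:11:22:33:44:03", "00:11:22:33:44:04",
                                                "10.0.5.30", "10.0.5.10", 6, 50000 + i, 445, 100)))
    for i in range(20):
        frames.append((t + i * 0.01, ipv6_frame("00:11:22:33:44:05", "33:33:00:00:00:01",
                                                 "fd00::5", "ff02::1", 5353, 5353, 1000)))
    for i in range(8):
        frames.append((t + i, ipx_frame("00:11:22:33:44:06", "ff:ff:ff:ff:ff:ff", 50)))
    return pcap_bytes(frames)


def report(data):
    by_type, convs = analyse(data)
    total = sum(by_type.values())
    lines = ["Bytes per EtherType:"]
    lines += [f"  {name:<5} {n:>8}  {100 * n / total:5.1f}%" for name, n in by_type.most_common()]
    lines.append("Top conversations:")
    lines += [f"  {s} -> {d} {p}/{port}: {n} bytes" for (s, d, p, port), n in convs.most_common(3)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(sample_capture()))
```

Running it on the constructed capture lists IPv6 and IPX beside IPv4 (the two things the posters' SNMP-based monitoring never showed) and puts the 10.0.5.20 -> 10.0.5.9 TCP/445 push at the top of the conversation list. Point `analyse()` at `open("capture.pcap", "rb").read()` for a real file; pcapng, VLAN-tagged frames and IPv6 extension headers are deliberately out of scope here.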

Project2501
Post Whore
Posts:
6158
Joined:
Thu Apr 17, 2008 6:44 pm
Certs:
CCNA

Re: Wireshark Book Contest

Mon May 03, 2010 10:00 pm

Good luck everyone :D

swagger
Post Whore
Posts:
1395
Joined:
Mon Nov 23, 2009 7:55 pm
Certs:
CCNP, CCNA Sec

Re: Wireshark Book Contest

Mon May 03, 2010 10:09 pm

Thanks project... Feels like I got a lottery ticket in my hand or something!

Daryl Atkinson
New Member
Posts:
1
Joined:
Mon May 03, 2010 9:59 pm
Certs:
CCNP, CCDP, CCVP

Re: Wireshark Book Contest

Mon May 03, 2010 10:16 pm

Recently I received a call from a customer stating that their VoIP handsets were not registering with the call agent. After arriving onsite and talking with the customer, I established that the customer handsets were using Session Initiation Protocol (SIP) to associate with the call agent. As many of you are aware, SIP is easy to read using packet captures due to its text-based payload.

I set up two captures using Wireshark. The first capture was set up to capture the ingress VLAN traffic from the VLAN that the VoIP handsets resided upon. The second capture was set up to capture the data on egress to the call agent across the core VLAN.

Using the sequence number in the packets, I was able to compare the two captures (incoming and outgoing). The ingress SIP packets looked fine, with the proper commands intact within the SIP payload. However, in comparing the ingress packet to the egress packet, I was able to see that the SIP payload was truncated when the packet was re-written on egress from the Catalyst 6506 switch.

I opened a TAC case with Cisco, and based on the above information and about 5 hours of escalation, we were able to determine that the version of code on the 6506 had a bug that resulted in the Sup-32 PISA truncating the data payload of the packet on egress. The fix was to upgrade the code on the 6506.

This is a simple example. However many of us use Wireshark in our daily jobs and it is certainly a valuable tool in our tool kits.

Grats on the new book, I look forward to reading it =)
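
The two-capture comparison in Daryl's post is the kind of thing worth scripting once you have more than a handful of messages. Below is an added example (not Daryl's or Wireshark's code) that takes the SIP messages exported from an ingress and an egress capture, pairs them up, and reports bodies that shrank in transit. The post only says the captures were matched on "the sequence number"; keying on Call-ID plus CSeq is the SIP-level equivalent and is my assumption, as are the constructed phone addresses, Call-IDs and the example.invalid domain. Because every SIP message declares its own Content-Length, the same check also catches a truncated body from the egress side alone, without an ingress copy to compare against.

```python
def parse_sip(raw):
    """Split a SIP message into start line, lower-cased header dict and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"start": lines[0], "headers": headers, "body": body}


def sip_key(msg):
    """Call-ID + CSeq identifies one request within one dialog (assumption, see lead-in)."""
    return (msg["headers"].get("call-id"), msg["headers"].get("cseq"))


def body_len(msg):
    return len(msg["body"].encode())


def declared_len(msg):
    try:
        return int(msg["headers"].get("content-length", ""))
    except ValueError:
        return None   # header absent or unparsable: fall back to ingress/egress comparison only


def compare_captures(ingress, egress):
    """One finding per ingress message whose egress copy is missing, shorter than the
    ingress copy, or inconsistent with its own Content-Length."""
    egress_by_key = {sip_key(m): m for m in map(parse_sip, egress)}
    findings = []
    for m_in in map(parse_sip, ingress):
        key = sip_key(m_in)
        m_out = egress_by_key.get(key)
        if m_out is None:
            findings.append({"key": key, "problem": "missing on egress"})
            continue
        declared, n_in, n_out = declared_len(m_in), body_len(m_in), body_len(m_out)
        if n_out < n_in or (declared is not None and n_out != declared):
            findings.append({"key": key, "problem": "body truncated on egress",
                             "declared": declared, "ingress_body": n_in, "egress_body": n_out})
    return findings


def build_sip(start_line, headers, body=""):
    """Serialise a SIP message with a Content-Length that matches the body."""
    hdrs = {**headers, "Content-Length": str(len(body.encode()))}
    return "\r\n".join([start_line] + [f"{k}: {v}" for k, v in hdrs.items()]) + "\r\n\r\n" + body


# Constructed sample: one REGISTER with no body and one INVITE carrying an SDP offer.
SDP = ("v=0\r\no=phone 1 1 IN IP4 10.20.30.40\r\ns=-\r\nc=IN IP4 10.20.30.40\r\n"
       "t=0 0\r\nm=audio 16384 RTP/AVP 0 8\r\na=rtpmap:0 PCMU/8000\r\na=rtpmap:8 PCMA/8000\r\n")
COMMON = {"Via": "SIP/2.0/UDP 10.20.30.40:5060", "From": "<sip:1001@example.invalid>",
          "Max-Forwards": "70"}
REGISTER = build_sip("REGISTER sip:example.invalid SIP/2.0",
                     {**COMMON, "To": "<sip:1001@example.invalid>",
                      "Call-ID": "reg-1@10.20.30.40", "CSeq": "1 REGISTER"})
INVITE = build_sip("INVITE sip:1002@example.invalid SIP/2.0",
                   {**COMMON, "To": "<sip:1002@example.invalid>",
                    "Call-ID": "call-1@10.20.30.40", "CSeq": "1 INVITE",
                    "Content-Type": "application/sdp"}, SDP)

INGRESS = [REGISTER, INVITE]          # as seen on the phone VLAN
EGRESS = [REGISTER, INVITE[:-40]]     # as seen on the core VLAN: INVITE body cut 40 bytes short

if __name__ == "__main__":
    for finding in compare_captures(INGRESS, EGRESS):
        print(finding)
```

In practice the `INGRESS` and `EGRESS` lists would be filled from the SIP payloads of the two captures; the script then reports the INVITE whose SDP lost 40 bytes and leaves the unchanged REGISTER alone. A Content-Length that no longer matches the body is also exactly the symptom the call agent sees, which is why the handsets never registered.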

bikerpoet
New Member
Posts:
1
Joined:
Mon May 03, 2010 10:14 pm

Re: Wireshark Book Contest

Mon May 03, 2010 10:23 pm

I've attended some of the Wireshark webcasts and could really use the book to increase the depth of my understanding.

It would give me something good to read while I look for a job.

devvoid
Member
Posts:
158
Joined:
Wed Jan 13, 2010 1:18 pm
Certs:
CCNA, VCP4

Re: Wireshark Book Contest

Mon May 03, 2010 10:47 pm

Awesome idea and thanks to Laura for donating the books!

Count me in! My stories aren't so great, so hopefully my random luck will be better :) My most recent experience was Wireshark saving me with IP helper setup and DHCP packets not being sent across networks. I just wish I had fired it up sooner as it showed the lack of packets on the client interface rather quickly.

The more fun case recently was using Wireshark to prove that a customer's app was causing their BES to choke with the amount of packets it was trying to send. They kept blaming it on us, but a quick Wireshark trace proved they were sending way too much data and very inefficiently at that. Can't argue with a packet trace :)
