Cisco Subnet An independent Cisco community View more

Wireshark Certified Network Analyst: Taking my Wireshark Knowledge to the 'Next Level'

Wireshark is hands down, bar-none, my absolute favorite tool for network "forensics," troubleshooting, and learning. I used to think I was fairly good at it. But WOW was I living on the "tip of the iceberg!"

It all started a little over two years ago. I was doing my usual "Cisco Lab Rat" type job and had some customers in the room. There was a concept I was trying to explain so I did a quick sniffer capture and then used Wireshark to help me show what was actually happening "on the wire" between the two routers. Armed with my sniffer trace and the concept that "a picture is worth a thousand words," I called them over.

I showed them a capture similar to the one above. Then I scolled down manually, packet by packet, pointing out in the packet detail section the frame size and the 2 MPLS labels. "Ma'am," I heard in a soft respectful voice, "I can make all those as columns if it would help." So I stepped aside.

Voila!

At the end of the day we had time for him to give me a "drinking from the firehouse," five-minute show and tell of all the things he thought would be useful in my job. Fluent and experienced. This customer was like a pianist on a keyboard, moving through the Wireshark GUI and trying to pack as much into 5 minutes as he possibly could. Looking back now, I wish I had recorded that session. I had no idea how much I was underutilizing Wireshark. And, in 5 minutes, I had no way of keeping up.  

After the customer left that day I told myself I would spend time "going to the next level" with Wireshark. Why? Because I really wanted to have that knowledge. Why? Because while the only thing constant in IT seems to be change, sniffers have been there with me at every turn. From the early 90s when I used a W&G sniffer to troubleshoot SNA, through my days with RSRB, DLSw and STUN, through my days of routing and switching, to today.

Time Passes

So I went out and bought a book, confident I would make time in my personal life to "go to the next level" with Wireshark. Time passed and the book sat there. More time and still more time passed.

Wireshark Certified Network Analyst

About three months ago I saw my hope for finally really and truly making the time investment. There is a Wireshark certification - The Wireshark Certified Network Analyst. I knew myself well enough to know that if I signed up for the exam I would make the time in my personal life to study for it. And then, finally, gain the knowledge I've wanted for over two years now.

Two of my favorite items thus far are:

  • pre-defined columns
  • custom columns

**To be fair I have to point out that I already knew about marking packets, display filters, following a conversation, etc. So my current "favorite items" are really just the things that are new to me.

Pre-Defined Columns

Wireshark has a bunch of pre-defined columns one can choose from. Go to Edit | Preferences | User Interfaces and then choose Columns. Go down to Properties at the bottom and click "+Add." All the pre-defined columns show up. Play with it. It's great!

Custom Columns

I find custom columns just about the neatest thing! Perfect for MPLS labels! Perfect for packets with multiple IP addresses like GRE!

So let's go back to that trace from above. The one where I was showing the 2 MPLS labels to the customer. If you want, you can do it with me. Go here and download "mpls-twolevel.cap." Now, go to packet #17.

Expand the first MPLS Header and click on the actual MPLS Label. Right click and select "Apply as a Column."

And, Voila! 

Hmmm, actually that doesn't quite look like what I had does it?  Both labels are in the same column.  Why is that?  I only actually selected the first MPLS header.

If we go to the Columns preferences section again and look at the column "rule" we will see in the bottom right hand corner a "0." The default is "0" or "all." Which means we will put in that column all the matching instances of that occurence. Which, honestly, isn't that bad since I already know MPLS. 

But for someone new to it I might want to break them out into two different columns and name them differently, like below.

To do that I would have to create two custom columns. One custom column that matches on the first incidence ("1" instead of "0") and another custom column that matches on the second instance ("2" instead of "0"). Like below:

In Summary

After living at the "tip of the iceberg" for years, I've been having a blast with my new found knowledge.  

Oh, and wish me luck.  My exam is next week, Monday, December 3rd.  

From CSO: 7 security mistakes people make with their mobile device
Join the discussion
Be the first to comment on this article. Our Commenting Policies