Sniffing Your Windows Server Network

Wireshark can be a handy tool, if you're allowed to use it

In my Server 2008 class this week, a student ran into a situation where rebooting a domain controller seemed to take forever. (Sound familiar?) In a domain consisting of three, count ‘em, three, computers, it seemed ridiculous that the domain controller should require nearly 15 minutes to “prepare network connections.” I was very curious to know what the heck was going on under the hood.

Sometimes, when you’re trying to troubleshoot a network issue like this, the event logs can tell the story; but other times, they just don’t take you far enough to understand what’s really happening on the wire. Also, in non-troubleshooting situations, you may occasionally be curious about the actual commands being sent back and forth across the wire during a specific operation. Or you may wonder which systems are participating in a specific network “conversation.” In cases such as these, you might be interested in a free, multiplatform, multiprotocol “sniffer” named Wireshark. (You may know it from its previous life, when it was called “Ethereal.”) This is a tool that can capture network packets for analysis.

But before you read any further, I should make a Public Service Announcement: some organizations will fire you immediately for using this tool, because it can pull sensitive information like passwords off the traffic stream. In some of my blog postings over the next couple of months, I’ll clue you in on some of Wireshark’s features and capabilities. For now, I’ll just mention that it works with pretty much any version of Windows: I’ve run it on XP, Server 2008, Vista SP1, and even Windows 7. And it’s a piece of cake to install. So for now, let me suggest that you find out whether using this tool will get you in trouble at work. (Even if it does, maybe you can install it on a home network, assuming you don’t use your home network to connect to your workplace.)
In a day or two, we’ll start discussing how you can use Wireshark to learn more about the “raw data” (as Anderson Cooper might say) flying around between those network interfaces.

