How to capture and analyze network traffic using either Wireshark (it has a GUI), or tshark (command line only), and/or using tshark on a remote host to dump stuff you can analyze on your laptop running Wireshark.
apt-get install tshark
Usually you use tshark to get a bunch of packets of a certain type and then write them to a file, because there’s a whole ton of results usually returned and it will just blur by on the screen, and usually that helps you find the culprit packets easier. To do this, you use a thing called a filter with the command, and then direct the output to a file like:
tshark -f "ip.addr == 10.0.0.12" -i eth0 -w /some/path/afileyoulldissectlater.cap
this means look for traffic either go to or from 10.0.0.12 across eth0 and write it to /some/path/afileyoulldissectlater.cap.
The magic is really in the filters, so you have to find a few filters you’ll most commonly use (of course, google is your friend here) like:
|filter||what it does|
|tcp.analysis.retransmission||looks for stuff that’s slowing down the network|
Use Wireshark to get traffic from a remote server
If your laptop is Linux running Wireshark, you probably want to view traffic on some servers somewhere, which you can do over a ssh tunnel. On your SERVER you have to set up a promiscuous interface, in this case I’m setting up eth1 to listen to traffic, and eth0 as your main interface. Do something like:
ifconfig eth1 promisc up vi /etc/network/interfaces/ (add these next lines to the end of the file) auto eth1 iface eth1 inet manual up ifconfig eth1 promisc up down ifconfig eth1 promisc down
Now it will stay configured after you reboot (which you don’t need to do now). Now do:
apt-get install tcpdump vi /etc/ssh/sshd_config PermitRootLogin yes AllowUsers normaluser otheruser firstname.lastname@example.org (or you can do sudo if you want) /etc/init.d/ssh reload
MAKE SURE YOU CAN STILL login remotely before disconnecting, or you’ll be locked out.
Now go to your LAPTOP (Debian Jessie running KDE here, but others should work) and set up automatic root login to your SERVER like:
ssh-keygen -t dsa -f ~/.ssh/id_dsa -C "yourusername@laptop's_IP_or_hostname.com" cat ~/.ssh/id_dsa.pub | ssh email@example.com 'cat - >> ~/.ssh/authorized_keys' ssh-add ssh firstname.lastname@example.org
It *shouldn’t* ask you for a login, if it does, stop and fix that or the rest won’t work right.
Now set up your pipe to your server/fifo by doing this on your LAPTOP:
su chgrp whatevernormaluseris /usr/bin/dumpcap mkdir /tmp/pipes mkfifo /tmp/pipes/cap_fw ssh email@example.com "tcpdump -s 0 -U -n -w - -i eth1 not port 22" > /tmp/pipes/cap_fw
Now open up another terminal on your LAPTOP as your normal user and run wireshark to get data from your new tunnel like:
wireshark -k -i /tmp/pipes/cap_fw
That should open up Wireshark on your desktop and start receiving a ton of packets from your server, which should start scrolling past on your screen.
If you get an error like:
end of magic pipe
It means your ssh connection to the remote server didn’t work, so fix that and try again.
finding problems with Wireshark
To show only the duplicate ACKs use the filter
To sort by the host sending the mot of them I’d select Satistics > conversations > IPv4 from the menu bar, and check the “limit to display filter” box in the bottom left. You can then chose to sort by either the number of bytes or the number of packets for each pair of communicating hosts to determine who your “noisiest” hosts are. Do this by clicking the column heading.
It is helpful to select Follow Conversation to re-assemble a session you’re seeing one packet of.