
Wireshark is the go-to industry-standard tool for packet-level analysis of network and application protocols, but because its primary purpose is to analyze 'network packets' it is usually thought of as a tool for the network teams only.

Nothing could be further from the truth.

The need for packet analysis skills extends well beyond the domain of network professionals; it is useful, actually essential, for providing indisputable technical validation and for troubleshooting tough technical issues across all areas of the IT industry. Wireshark proficiency is a skill that professionals in every technical field can and should add to their tool kit and bag of tricks. I'll show you why, and how.

One of my clients stated the need for Wireshark skills in his IT teams this way:

“Many times our network engineers are the go-to guys for capturing packets and analyzing them. We want to expand this skill set to other administrators as well as improve the skill for those that know Wireshark today. So when we get a call from the application support teams that their application is slow, we have a good amount of technical resources that will be able to diagnose the issue beyond the infrastructure analysis that we do today. Most of the time the admins say the infrastructure is good and then throw their hands up and say it must be the network or the application. The onus is then on network to troubleshoot, only to find that it is an application or database issue.”

Application Developers need Wireshark skills

Application developers can use Wireshark to view and understand how the routines in their code that make network calls translate into request / response packets, inspect how the application-related data fields within those packets are structured, and verify that these calls are efficient and work the way they anticipated and intended.

One of the leading causes of poor application performance in a network environment is a high Application Turn count, known in slang terms as an application being 'chatty'. An app turn is one request/response cycle between client and server. An application that inflicts a high app turn count on a transaction, requiring numerous request/response cycles to complete a single task, exposes the end user to poor response times over higher-latency network paths: every turn costs at least one round trip, and the time spent waiting for those requests and responses to traverse the network adds up quickly. The resulting long wait times inevitably get blamed on the network; the network support teams assert the network is working just fine, and the application teams point out that the application works fine until the network gets involved. And on it goes. Here's the truth:

100 app turns × 50 ms RTT network latency = 5 additional seconds of wait (response) time, on top of server processing time and the other network transport delays (serialization, bandwidth, loss recovery). That is 5 seconds of totally wasted time, and nothing on the network side can make it go away: only fewer turns or a shorter path can.

Application developers can use Wireshark to measure app turns counts for various transactions at key points in the development cycle to ensure the application is as network efficient as possible, as well as making sure network calls are working as expected – and it’s much easier and cheaper to address these issues during development than after deployment. I spent some time working in a performance test lab at IBM some years ago; the developers and I used Wireshark on an almost daily basis to verify code functionality and performance – this helped us make sure that network calls were working as expected, and saved us a lot of time by providing visibility you just can’t get from looking through debug log files.

Database Designers and Administrators need Wireshark skills

Database designers and administrators can use Wireshark to examine queries and responses carried inside of packets – are they efficient? Are there a lot of small request/response cycles involved in a transactional query that could be replaced by fewer, more efficient requests and responses? Database interactions characteristically involve a higher number of relatively small packets – but if database index and query design isn’t carefully crafted the number of packets invoked to complete a simple transaction can get out of hand quickly – with detrimental results on application performance.

Server teams can identify and measure server processing times with Wireshark

Server processing times can be a huge factor and point of contention in performance related issues across almost all IT arenas. It is relatively easy to identify and measure server processing times at the packet level – as well as see the exact request that resulted in the long processing time. This is an ability that application, server, and network support teams should all possess.
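The two measurements described above, the app turn count (under "Application Developers need Wireshark skills") and the server processing time per request, are simple enough to show as one script. The block below is an added example and is not code from this post or from the PacketIQ classes; it works on a constructed, hypothetical list of TCP segments shaped like the columns Wireshark gives you (`frame.time_relative`, direction, `tcp.len`) for a single `tcp.stream` after the display filter `tcp.len > 0` has hidden the pure ACKs. It assumes the capture was taken on the server side, so the gap between the last request segment and the first response segment is server processing time; in a client-side capture that same gap also contains one full RTT of network latency, which is exactly the confusion that gets the network blamed.

```python
"""Count app turns and measure server processing time from a packet list.

Added example (not from the original post or the author's training
material). Mimics the Wireshark workflow: filter one TCP conversation to
`tcp.len > 0`, count client->server / server->client round trips, and read
the gap between the last request segment and the first response segment.
Assumption: the capture was taken at the SERVER, so that gap is pure server
processing. At the client the same gap would also include one RTT.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Packet:
    """One TCP segment as Wireshark would display it."""
    time: float          # seconds since start of capture (frame.time_relative)
    from_client: bool    # True for client->server, False for server->client
    tcp_len: int         # TCP payload bytes (tcp.len); 0 for SYN/ACK-only segments


# Constructed sample conversation (hypothetical, not a real capture): three
# request/response turns over a 50 ms RTT path, captured at the server.
# Request 2 is split into two segments and the server spends ~200 ms on it.
SAMPLE_CAPTURE: List[Packet] = [
    Packet(0.0000, True,  0),     # SYN
    Packet(0.0010, False, 0),     # SYN/ACK
    Packet(0.0510, True,  0),     # ACK, handshake complete
    Packet(0.0510, True,  120),   # request 1
    Packet(0.0550, False, 800),   # response 1 (4 ms processing)
    Packet(0.1050, True,  0),     # client ACKs response 1 (pure ACK)
    Packet(0.1050, True,  140),   # request 2, segment 1
    Packet(0.1051, True,  60),    # request 2, segment 2
    Packet(0.3050, False, 2000),  # response 2 (~200 ms processing: the slow query)
    Packet(0.3550, True,  0),     # client ACKs response 2 (pure ACK)
    Packet(0.3550, True,  90),    # request 3
    Packet(0.3580, False, 300),   # response 3 (3 ms processing)
]


def data_segments(packets: List[Packet]) -> List[Packet]:
    """Equivalent of the Wireshark display filter `tcp.len > 0`."""
    return [p for p in packets if p.tcp_len > 0]


def app_turns(packets: List[Packet]) -> List[Tuple[float, float]]:
    """Return (last_request_time, first_response_time) for each app turn.

    A turn ends each time the data flow switches from client->server to
    server->client. Pure ACKs are excluded first so they cannot create
    false turns, and a multi-segment request counts as one turn.
    """
    turns: List[Tuple[float, float]] = []
    last_request_time = None
    for p in data_segments(packets):
        if p.from_client:
            last_request_time = p.time
        elif last_request_time is not None:
            turns.append((last_request_time, p.time))
            last_request_time = None   # later response segments belong to this turn
    return turns


def server_processing_times(packets: List[Packet]) -> List[float]:
    """Server-side capture: gap from last request byte in to first response byte out."""
    return [round(resp - req, 6) for req, resp in app_turns(packets)]


def network_wait(turn_count: int, rtt_seconds: float) -> float:
    """Idle time the user pays purely for latency: one RTT per app turn."""
    return turn_count * rtt_seconds


def analyze(packets: List[Packet], rtt_seconds: float) -> dict:
    """Summarize a transaction: turns, per-turn server time, latency cost."""
    turns = app_turns(packets)
    processing = server_processing_times(packets)
    return {
        "app_turns": len(turns),
        "processing_s": processing,
        "slowest_turn": processing.index(max(processing)) + 1 if processing else None,
        "server_time_s": round(sum(processing), 6),
        "network_wait_s": round(network_wait(len(turns), rtt_seconds), 6),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_CAPTURE, rtt_seconds=0.050))
    print("100 turns x 50 ms RTT =", network_wait(100, 0.050), "s of pure waiting")
```

Against the sample the script reports 3 turns, turn 2 as the slow one at roughly 200 ms of server time, and 150 ms of unavoidable latency cost for a 50 ms path; the same three numbers answer the "is it the server or the network" question for a real capture. In Wireshark itself the per-turn gap is the delta to the previous displayed frame (`frame.time_delta_displayed`) on each response row once `tcp.len > 0` is applied to one stream. The caveat to carry with you is the vantage point: if the trace came from the client, subtract one RTT from every gap before calling it server time, or take the capture at the server when that is the question being argued.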

IT Security professionals need Wireshark skills

IT Security professionals rely on packet-level parameters (addresses, ports, protocol fields and payload patterns) to configure firewalls and intrusion detection and prevention devices, but may lack the skills to confidently establish and verify these parameters themselves, instead relying on others for this critical input. A security professional is assumed to be able to inspect captures to identify and characterize malicious traffic, and to build and then verify safeguards against it; an investment in developing Wireshark skills to masterfully accomplish these responsibilities is absolutely essential.

Network Engineers need Wireshark skills – of course

Network engineers and administrators get called upon to troubleshoot strange connectivity and ‘slow network’ issues on almost a daily basis. These teams need the visibility and evidence that packet-level analysis can provide to not only defend their domain but to assist in identifying and resolving the real problem – as that’s usually the only way the heat gets permanently turned off. Good Wireshark skills are a must-have for these folks.

Packet-level analysis is not that difficult

Looking at a Wireshark screen full of packets of seemingly endless varieties and sources can be a little intimidating, but it’s usually quite easy to isolate just the packets of interest and filter everything else out, get a quick high-level overview of the packet flows and sequence of events, and then find and inspect the correct packets and data fields that answer the question at hand.

But you have to get the right training

You just can’t become proficient with Wireshark with casual use or watching a few videos or webinars – these are great for picking up useful tips, but to truly master Wireshark you need structured, hands-on training that covers all of Wireshark’s features and functionality, followed by task- and protocol-specific training that fills any gaps between concept and practice.

And trying to learn Wireshark basics while you’re also trying to troubleshoot a problem is a recipe for frustration and defeat, not to mention the possibility of a misleading (wrong) synopsis, wasted time, and loss of credibility.

If you've been wanting and needing to add Wireshark skills to your technical tool kit and increase your value as an IT professional, you can sign up for my 3-day Essential Wireshark training class. You'll get structured, hands-on training with real-world packet trace files, on site, so you don't have to go anywhere. You'll also get Wireshark Quick Reference Guides that help you quickly recall and apply all the really useful Wireshark features and techniques you learned in the training to your everyday activities (the gift that keeps on giving), as well as a set of Wireshark Profiles that make troubleshooting and performance analysis much quicker and easier. You can even bring in a capture or two of some current issues you're addressing; we'll analyze and resolve them with the class.

And because I’ve been at this a while, I can show you a lot of cool analysis techniques.

For example, as I said before you can use Wireshark to identify and count app turns in a transaction – but setting up Wireshark to do so isn’t intuitive, and you won’t find this pre-canned in any of the Wireshark graphs or analysis screens – nor will you find it discussed in any of the Wireshark books (that I’ve seen so far) – but I show you how in Wireshark 201 training, which has a focus on performance analysis. Server processing times, latency and throughput measurements – it’s all there.

Wireshark 301 covers all of the important network and application protocols, including their IPv6 implementations, so you can analyze and troubleshoot, because you understand, everything from the basics to the really complex stuff like database queries, VoIP calls, and the things going on in HTTP packets these days.

So gather your IT teams together and let’s do some Wireshark training!

A final point: you don't have to learn all there is to know about networking and protocols to use Wireshark, to great benefit, in your particular area of responsibility. Networks move packets from point A to point B; there are Ethernet frames, an IP layer, a TCP or UDP layer, and a protocol or two that pertains to your area of interest. It's usually the data fields in that last protocol or two that you're most interested in, and you can focus on those.

Here’s the PacketIQ Advanced Wireshark Training link:

http://www.packetiq.com/training/PacketIQ-Training.aspx#Wireshark

Be sure to download the brochure – it outlines all the topics covered in the three classes, and you can submit it with your training request.

And as an example of the topics covered in the first class – Wireshark 101: Features & Functions – you can download a free copy of the Wireshark Quick Reference Guide provided with this class to aid in retention and later usage:

http://www.packetiq.com/Reference/PacketIQ-Quick-Reference-Guides.aspx#ws101

See you in class!

James H. Baxter
PacketIQ Inc.