As the year winds down this snowy December day at a balmy 18 degrees (I’m writing this from an undisclosed cabin “up north” in Minnesota), my mind is far from the cardinals, nuthatches, and woodpeckers just outside my window. In fact, I’m thinking about sharks.
For me, no one analysis tool fits all. I typically use a wide set of tools: OS command line utilities, open source projects, commercial data mining and analysis products, resource monitoring utilities, and applications like Excel. Being resourceful and combining tools is the key to quick and effective enterprise infrastructure analysis.
I prefer the term infrastructure analysis because it avoids saying, “Is it the network or server?” When it comes to troubleshooting a problem, I look at everything starting from the way devices talk to each other (device and even user behavioral analysis based on protocol analysis) and digging in or drilling down from there. Sometimes I get lucky and find a simple physical connection duplex mismatch causing CRC errors leading to TCP retransmissions. Other times it gets far more complex, like when I get into n-tier analysis with a multitude of devices, protocols, server types, and applications. But I digress.
Regarding the shark, as you probably guessed, I’m referring to Wireshark (formerly Ethereal), updated this month to version 99.7. I would not recommend depending solely on Wireshark unless you have time to burn doing stuff manually that could be done much faster using other tools. For that matter, some data you just can’t get with any protocol analyzer.
But the shark is in my tank for good reason. I suppose one reason is that it’s free. But time is money, and free tools can actually be more expensive compared to shelling out a few (thousand) dollars for commercial offerings if the commercial products save you valuable time. But the shark is quite good for certain tasks.
One of the more obvious reasons to use Wireshark is for its breadth and depth of decodes. Believe it or not, some analyzers actually have deeper decodes for a few protocols, but none have the breadth. For example, in a recent analysis of a large enterprise, I needed decodes for Distributed Relational Database Architecture (DRDA), a standard driven by the Open Group and IBM for accessing distributed data based on SQL. While the SQL statements could be read as plain text in the TCP payload, it helped to know in what context these commands were being used. A couple of other unnamed commercial analyzers that I had access to did not decode it. The shark to the rescue.
A not-so-obvious use for Wireshark is packet conversion—read in one format and write to another. Observer native format to OmniPeek native format? No problem. Most analyzers support the simple Sniffer .enc format as well as their proprietary format. The problem is that some do not do a good job of converting to .enc, resulting in packets that are flagged as “sliced” but really aren’t or have the occasional timestamp conversion problem. Wireshark seems to do a pretty decent conversion to .enc, at least a lot better than one unnamed commercial offering.
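To show what a sanity check on a converted trace looks like, here is an added example that is not from the original post or from the Wireshark project: it parses a classic libpcap file built in memory (the sample capture is constructed) and flags the two problems mentioned above, frames that really are sliced (captured length below the original length) and timestamps that run backwards after conversion. The record layout is the public libpcap one; the Sniffer .enc side is not covered.

```python
import struct
from typing import Dict, List, Tuple

# libpcap magic numbers as read little-endian: value -> nanosecond timestamps?
LE_MAGICS = {0xA1B2C3D4: False, 0xA1B23C4D: True}
BE_MAGICS = {0xD4C3B2A1: False, 0x4D3CB2A1: True}

def build_pcap(packets: List[Tuple[int, int, bytes, int]], snaplen: int = 96) -> bytes:
    """Build a little-endian, microsecond libpcap file in memory (constructed data).
    Each packet is (ts_sec, ts_usec, captured bytes, original wire length)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)  # linktype 1 = Ethernet
    for ts_sec, ts_usec, data, orig_len in packets:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(data), orig_len) + data
    return out

def audit_pcap(blob: bytes) -> Dict[str, List[int]]:
    """Return 1-based packet numbers that are truly sliced, exceed the file's snaplen,
    or carry a timestamp earlier than the preceding packet."""
    (magic,) = struct.unpack_from("<I", blob, 0)
    if magic in LE_MAGICS:
        e, nanos = "<", LE_MAGICS[magic]
    elif magic in BE_MAGICS:
        e, nanos = ">", BE_MAGICS[magic]
    else:
        raise ValueError("not a libpcap file: magic 0x%08x" % magic)
    _, _, _, _, snaplen, _ = struct.unpack_from(e + "HHiIII", blob, 4)
    findings: Dict[str, List[int]] = {"sliced": [], "over_snaplen": [], "time_backwards": []}
    off, num, last_ts = 24, 0, None
    while off + 16 <= len(blob):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack_from(e + "IIII", blob, off)
        off += 16
        if off + incl_len > len(blob):
            raise ValueError("packet %d truncated: file ends mid-record" % (num + 1))
        off += incl_len
        num += 1
        ts = ts_sec * (10**9 if nanos else 10**6) + ts_frac  # normalise to one unit
        if incl_len < orig_len:            # a genuinely sliced frame
            findings["sliced"].append(num)
        if incl_len > snaplen:             # inconsistent with the file header
            findings["over_snaplen"].append(num)
        if last_ts is not None and ts < last_ts:   # typical timestamp conversion bug
            findings["time_backwards"].append(num)
        last_ts = ts
    return findings

# Constructed sample: one whole frame, one frame sliced at snaplen, one with time going backwards.
SAMPLE = build_pcap([
    (1000, 0, b"\x00" * 64, 64),
    (1000, 500, b"\x00" * 96, 1514),
    (999, 0, b"\x00" * 60, 60),
], snaplen=96)
```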
The shark is also portable. I’m not so much referring to its multi-OS portability as I am to its USB flash drive portability. I can run a version of Wireshark right off a U3-compatible USB flash drive without having to install it on the host system. A shark in your pocket. How cool is that?
There are numerous other tricks for the shark that can complement your analysis, including some cool command line stuff. You can learn from the experts who live and breathe the shark at the forthcoming Sharkfest, which promises to be more exciting than, well, the original Jaws classic. The event is March 31st – April 2nd in Los Altos Hills, CA (near Sunnyvale).
I can envision the feeding frenzy if the highly energetic Laura Chappell shows up dressed in a shark outfit with a big TCP FIN on her back. Ouch.