Packet Analysis - Wireshark

Unanswered Question
Feb 16th, 2009

I'm aware that you can use Wireshark to see all broadcast packets on a LAN, or, by mirroring ports, to see all types of traffic for that port, such as an uplink.

What sort of thing would you look for to indicate problems on a LAN with a sniffer?

For example (I'm only familiar with the Wireshark sniffer), the network in question has lots of broadcasts, but how do I gauge what is an acceptable amount and what is too many?

I'm sure there are too many, as the subnet is a large one, with the servers not on a separate VLAN/subnet.

Any help or tips on analysing LAN issues with wireshark and SPAN methods would be appreciated.

I'm new to this type of analysis with sniffing tools...

jonathanaxford Mon, 02/16/2009 - 05:47

I generally only use Wireshark when troubleshooting issues, it is perfect for that.

If you are worried about the broadcast traffic, start by identifying what is sending the broadcasts. It is difficult to tell what an acceptable amount of broadcast traffic would be without knowing the exact structure of the network and what applications and services it is supporting.

If you are concerned that links are being over-utilised, it might be worth looking into something like NetFlow to get an idea of exactly what is flowing through the network and how much of it.


ccannon88567 Mon, 02/16/2009 - 05:59

Thanks Jonathan,

Unfortunately our network consists of just 3750s performing the routing functions, and these don't support the NetFlow commands (well, they let you enter them, bizarrely, but they don't work, as it's not supported in the ASIC).

It's a very large broadcast domain network and, just to make things worse, somebody put all of the servers (50+) on the same subnet.

I am going to roll out PRTG to look at L2 utilisation, but will be using Wireshark to get an idea of traffic trends and flow.

Thanks for the help; if anybody else has any recommendations, please let me know!

hobbe Mon, 02/16/2009 - 06:12

You have a very large broadcast domain indeed.

I would recommend max. ca. 1000 units in a broadcast domain if you are using Windows, or at all, actually.

And even that can be quite chatty.

So cutting down the size of the network broadcast zones would be good advice to start with.

I do not think that I have ever seen such a big, populated network anywhere.

So that is a true monster network.

Remember the 3750s can be used as IP routers also.

hobbe Mon, 02/16/2009 - 06:01

Simply put, every network is unique.

There is no network that is just the same as another.

What you will need to do a good job is at least 2 portable computers with at least 2 network interface cards each.

You will also need to have access to the switches to be able to set up monitoring ports. A monitoring port is a port that mirrors the traffic of one or several other ports, so that you can see all traffic, not just broadcasts.

Now you need a network diagram to find out where the traffic flows and where the congestion points are.

When you have all this, you can start setting up a baseline for your network.

When you have that baseline, you can start to look for deviations from it.

If, on the other hand, you just want to use it to fix a flawed comms link, then just use the monitor session command and set up a mirror port to see what happens and what responses the faulty/slow system gives and gets.

There are some good books on Wireshark.

Good luck.
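As an added example (not code from anyone in this thread), a small Python script that covers two of the suggestions above: jonathanaxford's advice to first identify what is sending the broadcasts, and hobbe's advice to build a baseline and then look for deviations from it. It reads a capture saved from Wireshark in the classic libpcap format (not pcapng), ranks broadcast senders by source MAC and what they carry (ARP, UDP destination port such as 137 for NetBIOS name service, or the raw EtherType), buckets broadcasts per second, and flags seconds whose count exceeds a multiple of the baseline rate. The 10-second baseline window, the 3x factor, the host MAC addresses and the embedded sample capture are all constructed for this example; the thread itself gives no number for what is "too many", and the factor should be tuned against a real baseline taken from the SPAN port.

```python
import struct
from collections import Counter, defaultdict

BROADCAST_MAC = b"\xff\xff\xff\xff\xff\xff"


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_pcap(data):
    """Return [(timestamp, frame), ...] from a classic libpcap buffer (Ethernet link type only)."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:      # file written little-endian (the usual case)
        end = "<"
    elif magic == 0xD4C3B2A1:    # file written big-endian
        end = ">"
    else:
        raise ValueError("not a classic pcap capture (pcapng is not handled here)")
    linktype = struct.unpack(end + "I", data[20:24])[0]
    if linktype != 1:
        raise ValueError("only Ethernet captures are handled")
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        packets.append((ts_sec + ts_usec / 1e6, data[off:off + incl_len]))
        off += incl_len
    return packets


def classify(frame):
    """Label what a frame carries: ARP, UDP/<dst port>, another IP protocol, or the raw EtherType."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x0806:
        return "ARP"
    if ethertype == 0x0800 and len(frame) >= 34:
        ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
        proto = frame[23]
        if proto == 17 and len(frame) >= 14 + ihl + 8:
            dport = struct.unpack("!H", frame[14 + ihl + 2:14 + ihl + 4])[0]
            return f"UDP/{dport}"
        return f"IPproto/{proto}"
    return f"EtherType/0x{ethertype:04x}"


def is_broadcast(frame):
    return len(frame) >= 14 and frame[:6] == BROADCAST_MAC


def broadcast_senders(packets):
    """Broadcast frame counts per (source MAC, protocol label), chattiest first."""
    counts = Counter()
    for _, frame in packets:
        if is_broadcast(frame):
            counts[(mac_str(frame[6:12]), classify(frame))] += 1
    return counts.most_common()


def broadcast_rate_alerts(packets, baseline_seconds, factor=3.0):
    """Bucket broadcasts per second, take the first `baseline_seconds` buckets as the baseline,
    and return (baseline mean, [(second offset, count), ...]) for every later second whose
    count exceeds factor * mean. Window and factor are assumptions for the example."""
    per_sec = defaultdict(int)
    for ts, frame in packets:
        if is_broadcast(frame):
            per_sec[int(ts)] += 1
    if not per_sec:
        return 0.0, []
    start = min(per_sec)
    mean = sum(per_sec.get(start + i, 0) for i in range(baseline_seconds)) / baseline_seconds
    alerts = [(sec - start, n) for sec, n in sorted(per_sec.items())
              if sec - start >= baseline_seconds and n > factor * mean]
    return mean, alerts


# --- constructed sample capture (made up for this example, not real traffic) ---------
HOST_A = b"\x00\x11\x22\x33\x44\x01"
HOST_B = b"\x00\x11\x22\x33\x44\x02"
HOST_C = b"\x00\x11\x22\x33\x44\x03"
ARP_REQUEST = b"\x00\x01\x08\x00\x06\x04\x00\x01" + b"\x00" * 20   # hw/proto types, sizes, opcode


def ether(src, dst, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload


def udp_broadcast(src, dport):
    """Minimal IPv4/UDP frame to 255.255.255.255; checksums left zero (the parser ignores them)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0, b"\x0a\x00\x00\x05", b"\xff\xff\xff\xff")
    udp = struct.pack("!HHHH", 1024, dport, 8, 0)
    return ether(src, BROADCAST_MAC, 0x0800, ip + udp)


def build_sample_capture():
    """10 quiet seconds (one ARP from A and one NetBIOS UDP/137 from B per second), then
    host C floods 30 ARP requests per second for 3 seconds. Returns pcap bytes."""
    pkts = []
    for sec in range(13):
        pkts.append((sec + 0.1, ether(HOST_A, BROADCAST_MAC, 0x0806, ARP_REQUEST)))
        pkts.append((sec + 0.2, udp_broadcast(HOST_B, 137)))
        pkts.append((sec + 0.3, ether(HOST_A, HOST_B, 0x0800, b"\x45" + b"\x00" * 27)))  # unicast, ignored
        if sec >= 10:
            for i in range(30):
                pkts.append((sec + 0.5 + i / 100, ether(HOST_C, BROADCAST_MAC, 0x0806, ARP_REQUEST)))
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # global header, linktype 1
    for ts, frame in pkts:
        out += struct.pack("<IIII", int(ts), int(round((ts % 1) * 1e6)), len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    packets = parse_pcap(build_sample_capture())   # real file: parse_pcap(open(path, "rb").read())
    for (src, kind), n in broadcast_senders(packets)[:5]:
        print(f"{src}  {kind:<10} {n:>5} broadcasts")
    mean, alerts = broadcast_rate_alerts(packets, baseline_seconds=10)
    print(f"baseline {mean:.1f} broadcasts/s; seconds above 3x baseline: {alerts}")
```

Two caveats when running this against a real SPAN capture: it counts only frames addressed to ff:ff:ff:ff:ff:ff, so multicast (01:00:5e:..., 33:33:...) and unknown-unicast flooding are not included even though they load the same broadcast domain; and on a mirrored trunk the same broadcast may appear once per VLAN tag, so read the per-sender table alongside the VLAN column in Wireshark before concluding that one host is the culprit.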
