Wireshark is the most useful and popular tool for deep, packet-level network analysis and troubleshooting. Most importantly, it is open source. It is like a measuring device for finding and examining what is going on inside a network cable or port, just as an electrician uses a multimeter to examine what is going on inside an electric cable … but of course at a much deeper level.
Wireshark and similar software tools are not something very new. Such tools were available in the past as well, but they were expensive and proprietary because they mostly ran on dedicated hardware (just as OTDRs and spectrum analysers are on dedicated hardware to this day).
Wireshark uses filters to capture and display packets. It has two types of filters:
i. Capture Filters
A capture filter selects which packets are saved to disk while capturing. For capture filters, Wireshark uses a special syntax called BPF (Berkeley Packet Filter), which is evaluated in the kernel. With a capture filter in place, only the packets matching its rules are captured. It reduces the amount of data to be saved, as it is applied before the packets have been fully dissected.
ii. Display Filters
Once a capture on a link is complete (using a capture filter), we can use display filters to further refine what information we want to see and analyse. They are also useful when no capture filter was used while capturing the traffic from the wire. Here the packets are fully dissected.
Below is an example with two atech routers. I will first capture the traffic on the link between R1 and R2 using a capture filter, and then we will analyse the captured traffic using different display filters:
Both links are admin down, so nothing is captured at the moment:
As soon as I enable the interfaces, we will see ARP, LOOP and CDP. We could apply a capture filter to capture only CDP and LOOP (for this example, I will capture all three):
After the capture is complete, we can save it and then apply different display filters to view the packets of interest.
e.g. we can apply a display filter to view only CDP data from R1's port (based on its MAC address), as below:
You can follow the Wireshark section of my website to find more detail on operators, with examples.
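The two stages of this walkthrough, modelled in Python as an added example (this is not Wireshark's code): a capture filter that matches raw header bytes before any dissection, and a display filter that runs over dissected fields of the saved frames. The frames and the R1/R2 MAC addresses are constructed for the example; the CDP multicast MAC and SNAP header are the real ones.

```python
import struct

# Constructed sample frames for the R1/R2 link (not a real capture);
# the R1/R2 MAC addresses are made up.
R1_MAC = bytes.fromhex("0000aaaaaa01")
R2_MAC = bytes.fromhex("0000aaaaaa02")
BROADCAST = b"\xff" * 6
CDP_MCAST = bytes.fromhex("01000ccccccc")        # Cisco CDP/VTP multicast MAC
SNAP_CDP = bytes.fromhex("aaaa0300000c2000")     # LLC/SNAP: OUI 00:00:0c, PID 0x2000 (CDP)

def frame(dst, src, type_or_len, payload):
    """Build a raw Ethernet frame: dst MAC, src MAC, EtherType/length, payload."""
    return dst + src + struct.pack("!H", type_or_len) + payload

FRAMES = [
    frame(BROADCAST, R1_MAC, 0x0806, b"\x00\x01\x08\x00\x06\x04\x00\x01" + bytes(20)),  # ARP request
    frame(CDP_MCAST, R1_MAC, 0x0050, SNAP_CDP + b"\x02\xb4" + bytes(70)),  # CDP from R1 (802.3 length)
    frame(R2_MAC, R2_MAC, 0x9000, bytes(46)),                               # LOOP (Ethernet loopback)
    frame(CDP_MCAST, R2_MAC, 0x0050, SNAP_CDP + b"\x02\xb4" + bytes(70)),  # CDP from R2
]

def capture_filter(raw):
    """Models the BPF capture filter 'ether dst 01:00:0c:cc:cc:cc or ether proto 0x9000':
    it inspects fixed header bytes only, with no dissection, so non-matching frames are never saved."""
    return raw[0:6] == CDP_MCAST or raw[12:14] == b"\x90\x00"

def dissect(raw):
    """Full dissection into named fields, which is what a display filter operates on."""
    eth_type = struct.unpack("!H", raw[12:14])[0]
    fields = {"eth.dst": raw[0:6].hex(":"), "eth.src": raw[6:12].hex(":"), "proto": "unknown"}
    if eth_type == 0x0806:
        fields["proto"] = "arp"
    elif eth_type == 0x9000:
        fields["proto"] = "loop"
    elif eth_type <= 0x05DC and raw[14:22] == SNAP_CDP:   # 802.3 length field + SNAP header => CDP
        fields["proto"] = "cdp"
    return fields

def captured():
    """Frames that survive the capture filter (what would be written to disk)."""
    return [f for f in FRAMES if capture_filter(f)]

def displayed(proto, src_mac):
    """Models the display filter '<proto> && eth.src == <src_mac>' applied to the saved capture."""
    return [p for p in map(dissect, captured()) if p["proto"] == proto and p["eth.src"] == src_mac]

if __name__ == "__main__":
    print(f"{len(FRAMES)} frames on the wire, {len(captured())} saved by the capture filter")
    for pkt in displayed("cdp", "00:00:aa:aa:aa:01"):
        print("display filter match:", pkt)
```

With the ARP frame dropped at capture time, the display filter only has to dissect the three saved frames and returns the single CDP frame sourced from R1's MAC.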