01 - Network Troubleshooting from Scratch | Learn Wireshark @ SF22US

Introduction

This tutorial provides a structured approach to network troubleshooting using Wireshark, based on a session from the SharkFest conference. You'll learn essential principles, troubleshooting goals, and practical scenarios to enhance your skills in diagnosing network issues effectively.

Step 1: Understand Principles of Troubleshooting

• Familiarize yourself with the core principles:
  • Identify the problem: Gather as much information as possible about the network issue.
  • Establish a theory: Formulate hypotheses based on the symptoms observed.
  • Test the theory: Use tools like Wireshark to validate your assumptions.
  • Document findings: Keep a detailed record of observations and solutions for future reference.

Step 2: Set Clear Troubleshooting Goals

• Define what you aim to achieve:
  • Identify the exact issue: Determine if it’s a connectivity problem, performance slowdown, or something else.
  • Minimize downtime: Quickly restore services to prevent productivity loss.
  • Prevent future issues: Learn from the current issue to avoid repetition.

Step 3: Establish Connection State

• Utilize Wireshark to analyze connection states:
  • Capture packets: Start a Wireshark capture to monitor network traffic.
  • Examine TCP states: Look for SYN, SYN-ACK, and ACK packets to ensure a proper handshake.
  • Identify dropped packets: Check for retransmissions or unusual delays that may indicate issues.

Step 4: Analyze Time to Live and Hop Count

• Understand these concepts:
  • Time to Live (TTL): It defines the lifespan of a packet in the network. Monitor TTL values to detect routing loops.
  • Hop Count: Count the number of devices a packet traverses. Excessive hop counts can indicate inefficiencies in routing.

Step 5: Apply Real World Scenarios

• Engage with practical examples:
  • Evil Firewall Scenario: Analyze a case where a firewall is blocking legitimate traffic. Use the packet capture to identify rules that may be misconfigured.
  • We Have a Problem Scenario: Investigate a case of intermittent connectivity. Look for patterns in packet loss or unusual traffic spikes.

Step 6: Perform Connection Breakdown

• Conduct a detailed packet analysis:
  • Follow TCP streams: Use Wireshark’s feature to follow specific TCP streams for a clearer view of the communication.
  • Inspect application layer data: Look at the payloads to identify issues related to application protocols.

Conclusion

By following these steps, you can enhance your network troubleshooting skills using Wireshark. Remember to document your findings, continue practicing with real-world scenarios, and stay updated with the latest Wireshark features. As you gain experience, you'll become more adept at quickly diagnosing and resolving network issues. For further learning, consider attending events like SharkFest for in-depth workshops and expert insights.