I'm a big fan of Wireshark, an open source tool to capture and analyze network traffic. Wireshark can be very helpful in terms of network troubleshooting and analysis. I recently came across a great tip from Chris Greer, a Senior Network Analyst on how to add useful columns, as well as recommendations for which columns are most commonly used (detailed below). If you have any tips that you would like to share to help network managers, please send them along.
What are the best columns to display?
Wireshark allows you to easily display specific packet data in the summary view. Depending on the problem you are looking for, it may be useful to add or remove custom columns so you only see information that will really help you solve the problem. For example, it's not always useful to display the IP identification number for every packet in the trace file as a column on the top of the screen. But, one thing that is quite useful to display for most problems is the size of each packet.
How to add and remove columns.
Open up any trace file in Wireshark. At first, in the top screen, you will see a frame number, a time column (usually elapsed time from the start of the capture), source and destination addresses, what protocol is used, and finally a summary of what the packet contains. While this data is great to start out with, it won't take long before adding a column of specific data will help.
To add a column, select Edit Preferences. This will bring up the Preferences window where Columns can be selected from the left. The default columns will be displayed here. To add a column, click the Add button and select the desired information to add from the format menu. Name the column and then you are done.
For example, to add the packet length, select add, name the column Length, then select Packet Length from the Format Bar. By default, it will be added at the bottom of the list, which will make it appear on the far right of the summary view. To move it up, just drag and drop it up where it can be more easily seen, such as between the destination and protocol fields.
After adding the column, click the apply button and the length of the packet will now be displayed in the summary view of Wireshark.
What are the most useful columns?
This of course depends on what problem you are trying to resolve. Here are the ones I use with a description of why:
Delta Time – Handy to have in just about any situation. It is needed for measuring server response time, network roundtrip time, and other delays. Delta time can be displayed by modifying the already present time column in the View menu, or by adding delta time as its own column.
Cumulative Bytes – When moving large blocks of data, this column displays how much data has been sent. You can then divide by the time it took to send it and figure out the throughput used by the application.
In this data copy, after filtering on one direction of traffic and resetting the timers, we find that in .022 seconds, there was 193,220 bytes sent. (193,200 x 8)/.022 = Bitrate. This transfer took up 70Mbps of my line. Very useful when looking at backups!
TCP Window Size – Useful when TCP Window size is an issue, usually in larger file transfers. It can be added by selecting Custom from the column menu, then entering tcp.window_size in the field name. This column will show when and how often the TCP window drops, without needing to dig for this value in the packet details.
IP TOS (DiffSrv) – When monitoring traffic using the TOS field, such as VoIP, this column is helpful in viewing what bits are set and if QoS is configured for this value. It can be added selecting the IP DSCP Value option.
Using these columns makes it easier to spot problems in the summary view. They save you from needing to dig deep into every packet for a specific field, which saves a ton of time when troubleshooting!