Wireshark – For those who choose to do more with less

The philosophy of doing more with less sounds good, but it is not always practical. It takes effort and lots of practice to get to this methodology. I used to carry a “multi-tool” with me. It was like having a mini toolkit that I could fold up and carry in my pocket. It was great, but over time I started to think it was a little heavy, so I opted to leave it in my actual tool bag and went back to carrying a small Swiss Army knife. It was smaller and lighter. I learned to get the most out of it and found that I didn’t miss the larger, heavier multi-tool as much as I originally thought. In fact, I learned a few tricks over the years that I probably would not have discovered if I hadn’t forced myself to do more with less.

This is the philosophy I try to adhere to for troubleshooting communications issues, whether it be a network, application, or hardware-based issue. I see a lot of techs load up their laptops with lots of assorted and expensive software that, I have learned over time, I really don’t need. I was never a big fan of “point and click” or “proprietary configuration wizards”. If the “application” can leverage the operating system to produce a desired result, maybe I can too, without all the bells and whistles and costly licensing fees. Usually I can find a simpler solution right from the command line. Windows, Linux, and Unix all have great shells to work with. If I can use Bash, Netsh, or PowerShell, I will. I make some exceptions to this rule when it comes to a tool as close to a Swiss Army knife as Wireshark.

I used to rely on tcpdump, but Wireshark and TShark are just too good not to have available for troubleshooting networking problems.

Wireshark continues to get handier as its development team continues to improve and evolve the software. As with anything I really like, I still have to work at learning how to use Wireshark, and the best way for me to improve my skill set is to practice, practice, practice. I read all I can, listen to all the experts, and, most importantly, I use it. You can get a lot of useful info at Wireshark.org, so I won’t try to rehash any of that. The resources from the Wireshark community are incredible.

Whenever a new revision of Wireshark is released, it makes my day. I play around with the development releases, but the official release candidate is always the big deal for me. The stable release is very practical, but I usually download and start using the new release as soon as I can.

The latest current release is usually available for Windows before many of the Linux repositories, but most repositories will have their “stable” release, which isn’t always the same across the board for all distros. Today the Ubuntu and Arch repositories are one version apart. Ubuntu’s latest stable PPA is available also, but it’s not the same as the latest Windows version. I usually run both Windows and Arch, mainly because I prefer to work with Linux, so I usually run the latest version available for Linux.

This latest 2.4 release, however, has the TRANSUM plugin already built into the main release, whereas I have to install TRANSUM manually in 2.2.8 or 2.2.7 for Linux. It’s not too difficult, but I like having it already built in. If you’re not familiar with the TRANSUM plugin, I suggest you visit the LoveMyTool.com site and read the “Wireshark Transum Quickstart” by Tony Fortunato, or the Community.tribelab.com resource pages. It’s a very cool plugin if you’re interested in performance analysis. I ran into a few problems getting the TRANSUM protocol to show up at first because I didn’t have the protocol enabled. You’ll find that under the Analyze menu, “Enabled Protocols”. Once I enabled the Transum protocol I was able to see the APDU Response, Service Time, Request Spread, and Response Spread times, all under the Transum packet details located right below TCP. UDP is supported as well.

The bottom line is, as always, do the work: practice, practice, practice. Learn to do more with less, and get to the point where you can make the hard stuff look effortless. I know you can use the trace function in Windows to capture packets, and yes, you can open ETL files in Microsoft’s old Network Monitor 3.4 or the new Message Analyzer, but I prefer to use Wireshark and TShark. This is mainly because I prefer to use Linux, and yes, I know Wireshark will work on Apple’s OS X, which, by the way, I really like because of its UNIX lineage. Mac is a whole other topic. I should probably use the Mac version more because it is more of a daily driver for a lot of techs, but I tend to rely on Linux. I use Windows because I have to; I use Linux because I want to. Luckily Wireshark is available for all three main operating systems that I use. I must admit, though, that Windows 10 Pro works very well with Wireshark in my experience. I really like Windows 10 Pro, but there’s still a lot of hesitation in some areas to leave Windows 7. Fortunately, Wireshark seems to have no issues that I have seen running on Win7. So if I can only add one application to a very basic “troubleshooting laptop” build, it will be Wireshark.

Windows 10 command line

Windows 10 Command Line Tips and Info

If you like to work at the command line with nothing more than a cursor and some text, but you’re not really into PowerShell, have no fear: the “Administrative Command Prompt” is here. OK, so that’s really nothing new to you. You probably even use netsh to check your firewall status:

netsh advfirewall>show currentprofile

or survey your wireless LAN:

netsh wlan show all  

Maybe all you need to do is check your “ipconfig /all” status every so often. If you just want to know what your computer’s name is on the network, all you need to do is run the “hostname” command. Run the “net users” command to see who is on the network. These are very basic but useful things you can do from the command line or shell.
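
As an added example (not from the original post), here is a PowerShell version of the firewall check above that parses the text printed by “netsh advfirewall show allprofiles” into objects and flags any profile that is OFF or not blocking inbound traffic by default. It assumes Windows 7 or later and netsh’s English-locale field names (“State”, “Firewall Policy”); the sample block inside it is constructed so the parser can be read without a live host.

```powershell
# Added example, not from the original post: parse what "netsh advfirewall
# show allprofiles" prints and flag weak profiles. Assumes Windows 7 or later
# and netsh's English-locale field names ("State", "Firewall Policy").

function ConvertFrom-NetshFirewall {
    # Each block starts with "<Name> Profile Settings:"; settings under it are
    # "Key<two or more spaces>Value" lines, so split on the run of spaces.
    param([string[]]$Lines)
    $profiles = @(); $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^(\w+) Profile Settings:') {
            if ($current) { $profiles += [pscustomobject]$current }
            $current = [ordered]@{ Profile = $Matches[1] }
        } elseif ($current -and $line -match '^(\S.*?)\s{2,}(\S.*)$') {
            $current[$Matches[1]] = $Matches[2].Trim()
        }
    }
    if ($current) { $profiles += [pscustomobject]$current }
    return $profiles
}

function Test-FirewallProfiles {
    # Weak = not ON, or not blocking unsolicited inbound traffic by default.
    param([string[]]$Lines = (netsh advfirewall show allprofiles))
    foreach ($p in ConvertFrom-NetshFirewall $Lines) {
        [pscustomobject]@{
            Profile = $p.Profile
            State   = $p.State
            Policy  = $p.'Firewall Policy'
            Weak    = ($p.State -ne 'ON') -or ($p.'Firewall Policy' -notmatch '^BlockInbound')
        }
    }
}

# Constructed sample in the shape netsh prints; Public is OFF on purpose to show a hit.
$sample = @'
Domain Profile Settings:
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound

Public Profile Settings:
State                                 OFF
Firewall Policy                       AllowInbound,AllowOutbound
'@ -split "`r?`n"

Test-FirewallProfiles -Lines $sample | Format-Table -AutoSize
# On a live host: Test-FirewallProfiles | Format-Table -AutoSize
```
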
Well, let’s see, maybe you already know about the Windows Management Instrumentation Command-line (WMIC), but you really don’t use it that much. Maybe you’ve never heard of it. It tends to be a mystery to many, but why should it be? It’s not like it’s hidden or anything. I believe that when it comes to working efficiently it’s sometimes very productive to venture into territories that are not often traveled by most. Let’s see if we can find something here to make our work a little simpler.
At your command line, type what’s in between the quotes: “wmic /?” (Enter)

Terminal Output:

[global switches] <command>

The following global switches are available:

/NAMESPACE Path for the namespace the alias operate against.

/ROLE Path for the role containing the alias definitions.

/NODE Servers the alias will operate against.

/IMPLEVEL Client impersonation level.

/AUTHLEVEL Client authentication level.

/LOCALE Language id the client should use.

/PRIVILEGES Enable or disable all privileges.

/TRACE Outputs debugging information to stderr.

/RECORD Logs all input commands and output.

/INTERACTIVE Sets or resets the interactive mode.

/FAILFAST Sets or resets the FailFast mode.

/USER User to be used during the session.

/PASSWORD Password to be used for session login.

/OUTPUT Specifies the mode for output redirection.

/APPEND Specifies the mode for output redirection.

/AGGREGATE Sets or resets aggregate mode.

/AUTHORITY Specifies the <authority type> for the connection.

/?[:<BRIEF|FULL>] Usage information.

For more information on a specific global switch, type: switch-name /?

The following alias/es are available in the current role:

ALIAS – Access to the aliases available on the local system

BASEBOARD – Base board (also known as a motherboard or system board) management.

BIOS – Basic input/output services (BIOS) management.

BOOTCONFIG – Boot configuration management.

CDROM – CD-ROM management.

COMPUTERSYSTEM – Computer system management.

CPU – CPU management.

CSPRODUCT – Computer system product information from SMBIOS.

DATAFILE – DataFile Management.

DCOMAPP – DCOM Application management.

DESKTOP – User’s Desktop management.

DESKTOPMONITOR – Desktop Monitor management.

DEVICEMEMORYADDRESS – Device memory addresses management.

DISKDRIVE – Physical disk drive management.

DISKQUOTA – Disk space usage for NTFS volumes.

DMACHANNEL – Direct memory access (DMA) channel management.

ENVIRONMENT – System environment settings management.

FSDIR – Filesystem directory entry management.

GROUP – Group account management.

IDECONTROLLER – IDE Controller management.

IRQ – Interrupt request line (IRQ) management.

JOB – Provides access to the jobs scheduled using the schedule service.

LOADORDER – Management of system services that define execution dependencies.

LOGICALDISK – Local storage device management.

LOGON – LOGON Sessions.

MEMCACHE – Cache memory management.

MEMORYCHIP – Memory chip information.

MEMPHYSICAL – Computer system’s physical memory management.

NETCLIENT – Network Client management.

NETLOGIN – Network login information (of a particular user) management.

NETPROTOCOL – Protocols (and their network characteristics) management.

NETUSE – Active network connection management.

NIC – Network Interface Controller (NIC) management.

NICCONFIG – Network adapter management.

NTDOMAIN – NT Domain management.

NTEVENT – Entries in the NT Event Log.

NTEVENTLOG – NT eventlog file management.

ONBOARDDEVICE – Management of common adapter devices built into the motherboard (system board).

OS – Installed Operating System/s management.

PAGEFILE – Virtual memory file swapping management.

PAGEFILESET – Page file settings management.

PARTITION – Management of partitioned areas of a physical disk.

PORT – I/O port management.

PORTCONNECTOR – Physical connection ports management.

PRINTER – Printer device management.

PRINTERCONFIG – Printer device configuration management.

PRINTJOB – Print job management.

PROCESS – Process management.

PRODUCT – Installation package task management.

QFE – Quick Fix Engineering.

QUOTASETTING – Setting information for disk quotas on a volume.

RDACCOUNT – Remote Desktop connection permission management.

RDNIC – Remote Desktop connection management on a specific network adapter.

RDPERMISSIONS – Permissions to a specific Remote Desktop connection.

RDTOGGLE – Turning Remote Desktop listener on or off remotely.

RECOVEROS – Information that will be gathered from memory when the operating system fails.

REGISTRY – Computer system registry management.

SCSICONTROLLER – SCSI Controller management.

SERVER – Server information management.

SERVICE – Service application management.

SHADOWCOPY – Shadow copy management.

SHADOWSTORAGE – Shadow copy storage area management.

SHARE – Shared resource management.

SOFTWAREELEMENT – Management of the elements of a software product installed on a system.

SOFTWAREFEATURE – Management of software product subsets of SoftwareElement.

SOUNDDEV – Sound Device management.

STARTUP – Management of commands that run automatically when users log onto the computer system.

SYSACCOUNT – System account management.

SYSDRIVER – Management of the system driver for a base service.

SYSTEMENCLOSURE – Physical system enclosure management.

SYSTEMSLOT – Management of physical connection points including ports, slots and peripherals, and proprietary connections points.

TAPEDRIVE – Tape drive management.

TEMPERATURE – Data management of a temperature sensor (electronic thermometer).

TIMEZONE – Time zone data management.

UPS – Uninterruptible power supply (UPS) management.

USERACCOUNT – User account management.

VOLTAGE – Voltage sensor (electronic voltmeter) data management.

VOLUME – Local storage volume management.

VOLUMEQUOTASETTING – Associates the disk quota setting with a specific disk volume.

VOLUMEUSERQUOTA – Per user storage volume quota management.

WMISET – WMI service operational parameters management.

For more information on a specific alias, type: alias /?

CLASS – Escapes to full WMI schema.

PATH – Escapes to full WMI object paths.

CONTEXT – Displays the state of all the global switches.

QUIT/EXIT – Exits the program.

Well, now what do you see?

There should be some global switches and the available aliases.
There are a lot of useful commands here to explore and learn about.
The last entry in the list should tell you how to exit the program by typing QUIT or EXIT,
and finally an info line that states: “For more information on CLASS/PATH/CONTEXT, type: (CLASS | PATH | CONTEXT) /?”
Now if you want to do all this in PowerShell’s ISE, you can; it should work. It might even be a little easier to read depending on how your current shell is set up, but I’ll stay in the good old Administrator: Command Prompt for now.
To demonstrate that there are usually more ways to get the information or results you’re looking for, we’ll do one thing two different ways.
One of the things I like to check in PowerShell is the current status of any recently installed hotfixes.
In PowerShell it’s fairly simple. I even sort them in order of when they were installed:
Get-HotFix | sort "InstalledOn"
In WMIC it’s even easier to see what hotfixes are installed and list some info about the operating system:
wmic:root\cli>os assoc
You should see your operating system info, computer system name, and all your security updates. You could get even more data by just running “systeminfo” at the regular command prompt, or if all you really want is a simple GUI for information about your system you can always just type in “msinfo32.exe”, but that’s no fun. There are lots of useful commands that you can run from the command line. PowerShell is very powerful, but the regular cmd or netsh prompts still have a lot to offer.
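
As an added example that is not part of the original post, the following PowerShell pulls the same hotfix inventory both ways described above (Get-HotFix, and the Win32_QuickFixEngineering CIM class that the WMIC “qfe” alias reads and that “os assoc” walks to) and turns it into the check a defender actually wants from that list: how long ago the host was last patched. It assumes Windows PowerShell 5.1 or later on Windows; the 45-day threshold is a constructed value, not one from the post.

```powershell
# Added example, not from the original post. Two front ends to the same hotfix data,
# followed by a patch-freshness check. Assumes Windows PowerShell 5.1+ on Windows;
# the 45-day threshold is a constructed value, not a recommendation from the post.

function ConvertTo-InstallDate {
    # Get-HotFix exposes InstalledOn as a DateTime, while the raw CIM class stores a
    # string (usually "M/d/yyyy"); accept both and return $null when unparseable.
    param($Value)
    if ($Value -is [datetime]) { return $Value }
    if ([string]::IsNullOrWhiteSpace("$Value")) { return $null }
    try { return [datetime]::Parse("$Value", [Globalization.CultureInfo]::InvariantCulture) }
    catch { try { return [datetime]::Parse("$Value") } catch { return $null } }
}

function Get-PatchInventory {
    # Way 1: the cmdlet the post uses ("Get-HotFix | sort InstalledOn").
    $viaCmdlet = @(Get-HotFix | ForEach-Object {
        [pscustomobject]@{ Source = 'Get-HotFix'; HotFixID = $_.HotFixID
                           InstalledOn = ConvertTo-InstallDate $_.InstalledOn }
    })
    # Way 2: the CIM class behind the WMIC "qfe" alias, which "os assoc" also walks.
    $viaCim = @(Get-CimInstance -ClassName Win32_QuickFixEngineering | ForEach-Object {
        [pscustomobject]@{ Source = 'Win32_QuickFixEngineering'; HotFixID = $_.HotFixID
                           InstalledOn = ConvertTo-InstallDate $_.InstalledOn }
    })
    $viaCmdlet + $viaCim | Sort-Object InstalledOn
}

function Test-PatchFreshness {
    # Reports OS identity plus the newest hotfix, and flags the host as stale when
    # nothing has been installed within $MaxAgeDays (or no dated hotfix exists).
    param([int]$MaxAgeDays = 45)
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $newest = Get-PatchInventory | Where-Object InstalledOn |
              Sort-Object InstalledOn -Descending | Select-Object -First 1
    $age = if ($newest) { (Get-Date) - $newest.InstalledOn } else { $null }
    [pscustomobject]@{
        Computer    = $os.CSName
        OS          = "$($os.Caption) (build $($os.BuildNumber))"
        LastHotFix  = $newest.HotFixID
        LastPatched = $newest.InstalledOn
        Stale       = (-not $newest) -or ($age.TotalDays -gt $MaxAgeDays)
    }
}

Test-PatchFreshness | Format-List
```

Both paths read the same WMI data, so a mismatch between the two lists on a host is itself worth a look.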
