Wireshark – For those who choose to do more with less

The philosophy of doing more with less sounds good, but it is not always practical. It takes effort and lots of practice to get to this methodology. I used to carry a “multi-tool” with me. It was like having a mini toolkit that I could fold up and carry in my pocket. It was great, but over time I started to think it was a little heavy, so I opted to leave it in my actual tool bag and went back to carrying a small Swiss Army knife. It was smaller and lighter. I learned to get the most out of it and found that I didn’t miss the larger, heavier multi-tool as much as I originally thought. In fact, I learned a few tricks over the years that I probably would not have discovered if I hadn’t forced myself to do more with less.

This is the philosophy I try to adhere to for troubleshooting communications issues, whether it be a network, application, or hardware-based issue. I see a lot of techs load up their laptops with lots of assorted and expensive software that I have learned over time I really don’t need. I was never a big fan of “point and click” or “proprietary configuration wizards”. If the “application” can leverage the operating system to produce the desired result, maybe I can too, without all the bells and whistles and costly licensing fees. Usually, I can find a simpler solution right from the command line. Windows, Linux, and Unix all have great shells to work with. If I can use Bash, Netsh, or PowerShell, I will. There are some exceptions to this rule that I make when it comes to a tool as close to a Swiss Army knife as Wireshark.

I used to rely on tcpdump, but Wireshark and Tshark are just too good not to have available for troubleshooting networking problems.

Wireshark continues to get handier as its development team continues to improve and evolve the software. As with anything I really like, I still have to work at learning how to use Wireshark, and the best way for me to improve my skillset is to practice, practice, practice. I read all I can, listen to all the experts, and most importantly, I use it. You can get a lot of useful info at Wireshark.org, so I won’t try to rehash any of that. The resources and Wireshark tutorials from the community are incredible.

Whenever a new revision is released, it makes my day. I play around with the development releases, but the official release candidate is always the big deal for me. The stable release is very practical, but I usually download Wireshark and start using the new release as soon as I can.

The latest release is usually available for Windows before most of the Linux repositories, but most repositories will have their own “stable” release, which isn’t always the same across the board for all distros. Today the Ubuntu and Arch repositories are one version apart. Ubuntu’s latest stable PPA is available also, but it’s not the same as the latest Windows version. I usually run both Windows and Arch, mainly because I prefer to work with Linux, so I usually run the latest available version for Linux.

This latest 2.4 release, however, has the TRANSUM plugin already built into the main release, whereas I have to manually install TRANSUM in 2.2.8 or 2.2.7 for Linux. It’s not too difficult, but I like having it already built in. If you’re not familiar with the TRANSUM plugin, I suggest you visit the LoveMyTool.com site and read the “Wireshark Transum Quickstart” by Tony Fortunato, or the Community.tribelab.com resource pages. It’s a very cool plugin if you’re interested in performance analysis. I ran into a few problems getting the TRANSUM protocol to show up at first because I didn’t have the protocol enabled. You’ll find that under your Analyze tab, “Enabled Protocols”. Once I enabled the TRANSUM protocol I was able to see the APDU Response, Service Time, Request Spread, and Response Spread times all under the TRANSUM packet details located right below TCP. UDP is supported as well.
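Once TRANSUM is enabled, the same four timings can be pulled out with Tshark and post-processed outside the GUI. The script below is an added example, not code from the post or from the TRANSUM project; it parses the tab-separated output of a command like `tshark -r trace.pcapng -Y transum -T fields -E header=y -E separator=/t -e frame.number -e tcp.stream -e transum.art -e transum.st -e transum.reqspread -e transum.rspspread` and splits each slow transaction into server time versus transfer time. The `transum.*` field names and the millisecond units are assumptions about the dissector’s defaults, and the sample output is constructed.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample of tshark "-T fields -E header=y -E separator=/t" output.
# Field names transum.* are assumed from the TRANSUM dissector; times are in
# milliseconds (assumed default). Frame 7 models a slow server, frame 19 a slow
# response transfer.
SAMPLE = """frame.number\ttcp.stream\ttransum.art\ttransum.st\ttransum.reqspread\ttransum.rspspread
4\t0\t12.4\t9.1\t0.8\t2.5
7\t0\t410.2\t398.7\t1.0\t10.5
19\t1\t320.0\t8.3\t2.1\t309.6
23\t1\t15.9\t10.2\t0.5\t5.2
"""

@dataclass
class Txn:
    frame: int
    stream: int
    art: float        # APDU Response Time: first request seg -> last response seg
    st: float         # Service Time: last request seg -> first response seg
    reqspread: float  # Request Spread: first -> last request segment
    rspspread: float  # Response Spread: first -> last response segment

    def bottleneck(self):
        """Attribute most of the ART to server processing or to data transfer."""
        transfer = self.reqspread + self.rspspread
        return "server" if self.st >= transfer else "transfer"

def parse_transum(text):
    """Turn tshark field output into Txn records, skipping frames without TRANSUM data."""
    txns = []
    for r in csv.DictReader(io.StringIO(text), delimiter="\t"):
        if not r["transum.art"]:
            continue
        txns.append(Txn(int(r["frame.number"]), int(r["tcp.stream"]),
                        float(r["transum.art"]), float(r["transum.st"]),
                        float(r["transum.reqspread"]), float(r["transum.rspspread"])))
    return txns

def slow_transactions(txns, threshold_ms=100.0):
    """Frames whose ART exceeds the threshold, each tagged with its attributed bottleneck."""
    return [(t.frame, t.bottleneck()) for t in txns if t.art > threshold_ms]

def per_stream_max_art(txns):
    """Worst APDU Response Time seen on each TCP stream."""
    worst = {}
    for t in txns:
        worst[t.stream] = max(worst.get(t.stream, 0.0), t.art)
    return worst

if __name__ == "__main__":
    records = parse_transum(SAMPLE)
    for frame, cause in slow_transactions(records):
        print(f"frame {frame}: slow transaction, bottleneck = {cause}")
    print(per_stream_max_art(records))
```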

The bottom line is as always: do the work, practice, practice, practice. Learn to do more with less, and get to the point where you can make the hard stuff look effortless. I know you can use the trace function in Windows to capture packets, and yes, you can open ETL files in Microsoft’s old Network Monitor 3.4 or the new Message Analyzer, but I prefer to use Wireshark and Tshark. This is mainly because I prefer to use Linux, and yes, I know Wireshark will work on Mac OS X, which by the way I really like because of its UNIX lineage. Mac is a whole other topic. I should probably use the Mac version more because it is more of a daily driver for a lot of techs, but I tend to rely on Linux.

I use Windows because I have to, I use Linux because I want to.

Luckily, Wireshark is available for all three main operating systems that I use. I must admit, though, that Windows 10 Pro works very well with Wireshark in my experience. I really like Windows 10 Pro, but there’s still a lot of hesitation in some areas to leave Windows 7. Fortunately, Wireshark seems to have no issues that I have seen running on Win7. So if I can only add one application to a very basic “troubleshooting laptop” build, it will be Wireshark.
