Friday, January 30, 2015

Tips for Troubleshooting Your Communication Issues with Wireshark

Posted by Ray Labbe

Communication issues within industrial or information technology networks are some of the hardest to troubleshoot and isolate in any industry. Even a simple network has a variety of potential failure points. Are packets getting dropped by a router? Is a device unresponsive because of too many requests? Is the device configuration incorrect and preventing the proper establishment of communications? Luckly, there are a variety of tools and techniques available to help isolate the root of these issues. One of the more powerful tools available is an application called Wireshark.

What is Wireshark?

Wireshark is an open source network packet analyzer that can help display packet data as detailed as needed. This is done by capturing network packets and using “dissectors” to breakdown and interpret the packet’s “ones and zeros” based on its protocol. Various statistical analysis, such as network utilization calculations, can also be accessed in Wireshark using the information the dissectors provide. This capability allows you to visualize and understand the complex elements and behaviors of the communications occurring between the devices on your network. Because it’s open source, it’s free to use and has builds across multiple platforms (including UNIX, Windows, and Mac OS X). Wireshark also has a large community of developers and users available to make enhancements or answer questions.

Does Kepware Use Wireshark?

At Kepware, we understand the criticality of needing to quickly identify communication issues within a variety of environments. Whether it’s a manufacturing plant floor or oil production field, these issues can result in the loss of critical data or added downtime to the facility. Wireshark network packet captures are a valuable tool for our customer-facing support teams—Technical Support and Engineering Solutions—to help isolate and identify communication issues. When necessary, these teams will request network captures from customers to help gather additional data for analysis. BACnet/IP, OPC UA, IEC 60870 and 61850, Logix EtherNet/IP, and MODBUS/TCP are examples of protocols we commonly use Wireshark network captures for in our investigation process. When this data is provided in addition to an Application Report and the OPC Diagnostics from KEPServerEX, it often gives additional insight into the connection being made between the client applications and KEPServerEX and between KEPServerEX and the devices.


How Do I Troubleshoot An Intermittent Issue?

Intermittent communication issues can be some of the hardest cases to solve. By their very nature, they are hard to reproduce and happen so infrequently that observing the event to gather additional data is difficult. Wireshark contains features that can help to gather data for these types of issues. While setting up the network capture, you can configure it to extend your capture file storage while Wireshark is gathering and recording network packets. The setup is very flexible and provides users the ability to identify how capture files are saved, how often to create new capture files, and how to create a ring buffer to record the captured network traffic. For example, you could configure a ring buffer to contain data from the last two days. That provides 48 hours of time to gather the data after an event occurred. Make sure you conduct some initial testing before configuring these extended storage options, however. You’ll want to ensure that your capture configuration will not fill up your hard drive, which would cause the capture—and potentially the computer running Wireshark—to fail.


Great! But What If Wireshark Doesn’t Have a Dissector for My Protocol?

While many industries attempt to use standardized protocols for device communications, there are always scenarios where a non-standard or home-grown application protocol must be used. These protocols may use TCP to transport the data between the devices, but without a dissector, the data payload will just be bytes of hex values with no context as to what the data represents. Luckily, Wireshark provides you with two methods to create your own dissectors: Lua API and create shared library (.dll) using C.

The Lua API method creates dissectors as well as chain and post dissectors to post-process data from other dissectors in Wireshark. As a scripting language, Lua enables you to make corrections or modifications to your dissector without compiling.

Dissection using C will inherently operate faster and provide more functionality to add to your dissector because the Lua API only includes a subset of Wireshark’s functions. That said, creating and modifying a dissector in C requires the Wireshark source code and a compiler. Understanding the requirements for the dissector you are creating will help guide you in determining which method is best.

What Next?

Wireshark is a powerful tool that can be important to any organization’s communication monitoring or troubleshooting plans. The features discussed here are only a small sample of what the application is able to do. Whether you’re a network administrator needing to investigate network performance and security problems or a computer science and engineering student looking to better understand network protocol internals, Wireshark can help you with your network communication and protocol tasks. I encourage you to visit for more information how to use Wireshark and to try it out if you haven’t already.