Wireshark 301: Finding the busiest computers on your network

Network latency is a big issue, but how do you find the busiest computers on your network?

With Wireshark, it’s super easy.  Let’s not waste any time!

There are three ways to zoom in on individual network conversations in Wireshark.  You can see which protocols are the busiest and you can see the exact network applications that are responsible for that traffic.

I’m going to show you three easy methods to isolate your top offenders and then we’ll finish things off by reviewing some interesting statistics between those devices.

Bashing the busiest offenders

You have three options for reviewing individual traffic streams.

  • Stream Filters
  • Conversation Filters
  • Follow the TCP stream

Let’s look at TCP since it’s the most interesting.

Scoping out Stream Filters

I’ve got a packet capture here between my Windows 8.1 PC and ubuntu.com.

If you click a TCP segment in the PDU list you’ll see a [Stream Index] value in the PDU details pane.

This number shows you which TCP conversation you selected.  Each TCP session gets a unique stream index number so we’re looking at stream number 0.

TCP Stream Index

Also notice the value in the status bar says tcp.stream.  If you right-click the Stream index field, mouse over Prepare as Filter and pick Selected, you’ll see all the data for just that stream.

It actually updates the Display Filter to show the TCP stream for the given stream index.

Prepare as Stream in Wireshark

This is probably one of the fastest ways to see all the data for a given stream.

Conversation Filters

Have you ever gone to a rowdy cocktail party and just wished you could mute everyone else in the room?  It’s like trying to have a phone call from the front row of a rock concert.  It would be super nice if you could download an app to turn the volume down on the world for a moment.

Wireshark gives you this super muting power – the only difference is that the mute button applies to network conversations.

We can ignore everything except interesting network conversations.

Right-click the appropriate row in Wireshark and choose Conversation Filter.

If you pick Ethernet it’ll filter layer 2 frames, IP filters layer 3 packets and TCP filters layer 4 segments.  It’s a great way to quickly strip superfluous information from your Wireshark view.

Conversation Filters in Wireshark

Following TCP stream

The last option is to simply right-click the TCP segment and choose Follow TCP Stream.  This was the first Wireshark trick I learned back in college.  I remember being captivated by all the information Wireshark was able to cull from the wire and reassemble.  It was amazing. (and it still is!)

I mean just look at the gold Wireshark mined from this packet capture.

The Stream Content is showing me that the user attempted to access a resource called t-shirt.png using Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0 which is IE 11 on Windows 8.1.

How did I know that?  I just copied and dropped that User Agent string into user-agents.me.

It’s amazing how much data you can pull from packet captures.

Follow TCP Stream

So here’s the question: who is our biggest talker on the network?

And the answer is all in the statistics.  We can then create display filters based on the statistics.

Click Statistics in the menu bar and hit Conversations from the drop-down menu.

Wireshark Conversations

You’ll see tabs for all the conversations in the capture with the number of streams.  Let’s pick TCP.

Conversation Tabs

And now ladies and gentlemen, prepare to be astounded!

Double-click the Bytes column to see which IP address on your network was sending the most traffic on the link.

Isn’t this cool?  You can see the source host, the destination server, protocol and number of bytes transmitted.

Wireshark Conversation Details

These are your top talkers.

Now just right-click your most garrulous TCP conversation row, go to Apply as Filter, choose Selected, and pick the direction you want.  You can see all traffic between A (10.0.2.15) and B (assets.ubuntu.com) in both directions.  But that’s not the only option.

You can also show just the traffic sent from A to B or from B to A.  Or even from A to anyone and more.  Wireshark gives you ultimate control in filtering your packets and this is why I freggin’ adore this application.
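Both the Stream index shown earlier and the Statistics > Conversations table are just bookkeeping over the TCP address/port pairs in the capture. As an added example (not code from the original post and not Wireshark’s own code), the script below reads a classic libpcap file, numbers each bidirectional TCP conversation in first-seen order the way tcp.stream does, totals bytes per conversation and per direction like the Bytes columns in the Conversations dialog, and builds the display filters you would get from Prepare as Filter / Apply as Filter. The capture is constructed in memory: 10.0.2.15 is the PC from the post, the server addresses 192.0.2.10, 192.0.2.20 and 192.0.2.53 are made-up documentation addresses, and the exact wording of the generated filter strings is an assumption that may differ slightly from what Wireshark emits.

```python
"""Top TCP talkers from a pcap: a pure-Python stand-in for Statistics > Conversations."""
import struct
import socket
from collections import OrderedDict


def _frame(src_ip, sport, dst_ip, dport, payload_len, proto=6):
    """Build an Ethernet/IPv4 frame carrying TCP (proto 6) or UDP (proto 17) with a zero payload."""
    eth = b"\x02" * 6 + b"\x02" * 6 + b"\x08\x00"          # dst MAC, src MAC, EtherType IPv4
    if proto == 6:   # 20-byte TCP header: ports, seq, ack, data offset 5, flags PSH|ACK, window
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    else:            # 8-byte UDP header: ports, length, checksum
        l4 = struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)
    total = 20 + len(l4) + payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + l4 + b"\x00" * payload_len


def build_pcap(frames):
    """Wrap frames in the classic little-endian libpcap format (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame))
        out += frame
    return out


# Constructed sample capture: the PC from the post (10.0.2.15) talks to two made-up
# servers (RFC 5737 documentation addresses), plus one UDP frame that must be ignored.
SAMPLE_PCAP = build_pcap([
    _frame("10.0.2.15", 49152, "192.0.2.10", 80, 100),           # stream 0, A -> B
    _frame("192.0.2.10", 80, "10.0.2.15", 49152, 1400),          # stream 0, B -> A
    _frame("10.0.2.15", 49153, "192.0.2.20", 443, 50),           # stream 1, A -> B
    _frame("10.0.2.15", 53000, "192.0.2.53", 53, 30, proto=17),  # UDP, not a TCP conversation
    _frame("192.0.2.10", 80, "10.0.2.15", 49152, 1400),          # stream 0, B -> A
    _frame("192.0.2.20", 443, "10.0.2.15", 49153, 200),          # stream 1, B -> A
])


def iter_tcp(pcap_bytes):
    """Yield (src_ip, sport, dst_ip, dport, frame_len) for every IPv4/TCP frame in the file."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap files are handled here")
    off = 24                                               # skip the global header
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap_bytes, off)
        frame = pcap_bytes[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 38 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                       # too short, not IPv4, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
        yield (socket.inet_ntoa(frame[26:30]), sport,
               socket.inet_ntoa(frame[30:34]), dport, len(frame))


def tcp_conversations(pcap_bytes):
    """Group frames into bidirectional TCP conversations and sort by total bytes.

    Conversations are numbered in first-seen order, which is how Wireshark assigns
    tcp.stream; address A is whoever sent the conversation's first frame (an assumption
    made here for the per-direction columns)."""
    convs = OrderedDict()
    for src, sport, dst, dport, size in iter_tcp(pcap_bytes):
        key = frozenset({(src, sport), (dst, dport)})     # same key for both directions
        if key not in convs:
            convs[key] = {"stream": len(convs), "a": (src, sport), "b": (dst, dport),
                          "packets": 0, "bytes": 0, "bytes_a_to_b": 0, "bytes_b_to_a": 0}
        c = convs[key]
        c["packets"] += 1
        c["bytes"] += size
        c["bytes_a_to_b" if (src, sport) == c["a"] else "bytes_b_to_a"] += size
    return sorted(convs.values(), key=lambda c: c["bytes"], reverse=True)


def stream_filter(conv):
    """Display filter produced by 'Prepare as Filter > Selected' on the Stream index field."""
    return f"tcp.stream eq {conv['stream']}"


def direction_filter(conv, direction="both"):
    """Display filter for a Conversations row: 'both' (A <-> B), 'a_to_b' or 'b_to_a'.
    The wording is assumed; Wireshark's generated text may be formatted differently."""
    (a_ip, a_port), (b_ip, b_port) = conv["a"], conv["b"]
    if direction == "both":
        return f"ip.addr=={a_ip} && tcp.port=={a_port} && ip.addr=={b_ip} && tcp.port=={b_port}"
    src, dst = (conv["a"], conv["b"]) if direction == "a_to_b" else (conv["b"], conv["a"])
    return f"ip.src=={src[0]} && tcp.srcport=={src[1]} && ip.dst=={dst[0]} && tcp.dstport=={dst[1]}"


if __name__ == "__main__":
    for c in tcp_conversations(SAMPLE_PCAP):             # top talkers first, like the Bytes column
        print(f"tcp.stream {c['stream']}: {c['a'][0]}:{c['a'][1]} <-> {c['b'][0]}:{c['b'][1]}  "
              f"{c['packets']} packets, {c['bytes']} bytes  ->  {stream_filter(c)}")
```

On a real capture, replace SAMPLE_PCAP with the bytes of the file; note that the reader handles only the classic pcap format, not pcapng, which Wireshark uses by default when saving. The same numbers are available without the GUI from tshark -r capture.pcap -q -z conv,tcp, and a single conversation from tshark -r capture.pcap -Y "tcp.stream eq 0".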

Praise God for the Shark!

Apply as Filter Statistic

That’s how it works.

Now go to that user’s cubicle and shut him down.  Tell him to stop slurping all the bandwidth from your other users who are actually trying to do work!

hahha.

Alright, that’s it for this one.  I’m so glad you’ve joined me on our adventures into Wireshark.  Let me know if you have any questions in the comments below.

About

Connect with Vonnie on Twitter
