Well, what sort of thing do you really want to know? I've always found the official documentation very concise and useful. Wireshark is an amazingly useful tool to the right person; I couldn't do my job without it at all...
Quote:
well what sort of thing do you really want to know?
- Like how do you use it to monitor your network, how do you analyze its output, and how do you use it to know if something is wrong with your network. And others.
If you're looking for a tool that says "there is a virus on your network", Wireshark is not it. Wireshark will show you each packet and is more useful to see the exact content of packets. It allows you to tell if, for example, a server is not responding, or is responding with an error.
Well, in terms of knowing what's wrong and such, that's not *really* Wireshark's job. It doesn't do "health checks" and such. It's really up to the user to know what they are looking at, and that includes TCP/IP knowledge and the structure of layer 5-7 data within IP protocols. Wireshark tries to present as much of any given protocol in a deconstructed way as possible, i.e. splitting up HTTP requests field by field, but it can only present you raw data in simpler formats; it's still going to require you to understand the relevance of a TCP RST flag, or an HTTP POST, for example.
One big step forward that would help you is the "Follow TCP Stream" feature. Right-click on any packet in the list and select it. That'll then filter to only show a single TCP stream, including packet resends and errors and such.
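What "Follow TCP Stream" actually does, as an added example that is not part of this thread or of Wireshark's own code: group packets into conversations by their endpoint pair (the same idea as Wireshark's `tcp.stream` index), reassemble the bytes each side sent, and flag the things a reader is expected to recognise themselves, a retransmitted segment, an RST, an HTTP error status. The packet list below is constructed for the example (the addresses, ports and payloads are made up), in the same shape as the columns Wireshark shows: packet number, source, destination, flags, seq, ack, payload.

```python
from collections import defaultdict

# Constructed sample packets, not a real capture. Stream 0 is an HTTP
# request that is retransmitted once and answered with a 500; stream 1
# is a SYN that the server refuses with RST.
# Fields: No., src, sport, dst, dport, TCP flags, seq, ack, payload
PACKETS = [
    (1, "10.0.0.5", 40000, "10.0.0.9", 80, "S", 1000, 0, b""),
    (2, "10.0.0.9", 80, "10.0.0.5", 40000, "SA", 5000, 1001, b""),
    (3, "10.0.0.5", 40000, "10.0.0.9", 80, "A", 1001, 5001, b""),
    (4, "10.0.0.5", 40000, "10.0.0.9", 80, "PA", 1001, 5001,
     b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
    (5, "10.0.0.5", 40000, "10.0.0.9", 80, "PA", 1001, 5001,
     b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),   # retransmission
    (6, "10.0.0.9", 80, "10.0.0.5", 40000, "PA", 5001, 1034,
     b"HTTP/1.1 500 Internal Server Error\r\nContent-Length: 0\r\n\r\n"),
    (7, "10.0.0.5", 40001, "10.0.0.9", 8080, "S", 2000, 0, b""),
    (8, "10.0.0.9", 8080, "10.0.0.5", 40001, "RA", 0, 2001, b""),
]


def stream_key(src, sport, dst, dport):
    """Direction-independent conversation key: both endpoints, sorted."""
    return tuple(sorted([(src, sport), (dst, dport)]))


def assign_streams(packets):
    """Number conversations in order of first appearance, like tcp.stream."""
    index, streams = {}, defaultdict(list)
    for pkt in packets:
        key = stream_key(*pkt[1:5])
        index.setdefault(key, len(index))
        streams[index[key]].append(pkt)
    return dict(streams)


def follow_stream(packets, stream_id):
    """Reassemble one stream per direction and note retransmissions and RSTs.

    Returns (data, events): data maps "src:sport -> dst:dport" to the bytes
    sent in that direction (retransmitted segments counted once); events is
    a list of (packet number, description) of what a reader should notice.
    """
    data, next_seq, events = defaultdict(bytearray), {}, []
    for num, src, sport, dst, dport, flags, seq, ack, payload in \
            assign_streams(packets)[stream_id]:
        direction = f"{src}:{sport} -> {dst}:{dport}"
        if "R" in flags:
            events.append((num, f"RST from {src}:{sport}"))
        if not payload:
            continue
        # A segment ending at or before the next expected byte carries
        # data already seen in this direction: a retransmission.
        if seq + len(payload) <= next_seq.get(direction, seq):
            events.append((num, f"retransmission of seq {seq}"))
            continue
        data[direction] += payload
        next_seq[direction] = seq + len(payload)
    return {d: bytes(b) for d, b in data.items()}, events


def http_status(raw):
    """Status code of an HTTP response, or None if the bytes aren't one."""
    first = raw.split(b"\r\n", 1)[0].split(b" ")
    if len(first) >= 2 and first[0].startswith(b"HTTP/"):
        return int(first[1])
    return None


if __name__ == "__main__":
    for sid in assign_streams(PACKETS):
        data, events = follow_stream(PACKETS, sid)
        print(f"tcp.stream eq {sid}")
        for direction, payload in data.items():
            print(f"  {direction}: {payload!r}")
            status = http_status(payload)
            if status is not None:
                print(f"  HTTP status {status}")
        for num, what in events:
            print(f"  packet {num}: {what}")
```

In Wireshark itself the equivalent of `follow_stream(PACKETS, 0)` is the display filter `tcp.stream eq 0`, and the retransmission the code flags on packet 5 is what Wireshark marks as `tcp.analysis.retransmission`. Note what the example does not do: it tells you that a 500 came back and that port 8080 answered with RST, but not whether that is normal for this network. That judgement, which is the point of the post above, is still the reader's.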
Quote:
well in terms of knowing what's wrong and such, that's not *really* wiresharks job. it doesn't do "health checks" and such.
- Actually this is not my problem.
- I'm new to Wireshark and my real problem is how do you interpret or analyze the raw data that it's showing.
Quote:
it's really up to the user to know what they are looking at, and that includes tcp/ip knowledge, structure of layer 5 - 7 data within ip protocols. wireshark tries to present as much of any given protocol in a deconstructed way as possible
- So you're saying that in order for me, a newbie to Wireshark, to understand what Wireshark is showing, I first have to understand TCP/IP protocols and others?
Well, in general, yes. It's there to explode the IP packets for you so you can get at the "good stuff" without decoding a binary stream and such. In a potentially similar way to a lot of the mentality behind Linux itself, which you've probably (or rather, hopefully) come to appreciate, if you try to be too clever within an application, it typically quickly moves to reducing control, functionality and flexibility within said app. So without that base knowledge of TCP/IP etc., it may well be pointless you being given some "answers" by an analysis program at such a low level of detail. Of course Wireshark does do *some* of this, but it's about giving you all the info for you to use as you see fit, not telling you what it thinks you might want to know.
Of course, it's utterly down to what problems you are trying to solve as to what knowledge you need. (Almost) any old fool should be able to appreciate the presence of a TCP communication in both directions or not, but when you're trying to analyze, err... fluctuating TCP window sizes or rogue RST packets, then you'll need a suitably greater knowledge of the subject.