Understanding IP Broadcast Production Networks: Part 11 - Network Analyzers

Wireshark is an invaluable tool that enables engineers to examine network traffic in detail.

Wireshark is an open-source packet analyzer running on Linux, UNIX type systems and Windows. Originally called Ethereal and first released in 1998, the name was changed to Wireshark as Ethereal was already a registered trademark.

Wireshark allows engineers to see what is going on under the hood of a network by monitoring an Ethernet port in promiscuous mode and then decoding and displaying the packets. With the intuitive graphical interface, it’s very easy to drill down into an IP packet, and then Ethernet frame to see the actual data.

Promiscuous mode is required as Ethernet interface cards generally only pass two types of packets to the CPU; when the destination Media Access Control (MAC) address is the same as that of the card, or the destination MAC is the broadcast address. This would be a serious limitation for any network monitoring device as it would not be able to see packets on the rest of the network.

To bypass this limitation promiscuous mode enables the NIC to pass all Ethernet frames to the CPU regardless of source and destination MAC addresses. Clearly this could be a major security issue as anybody operating in promiscuous mode with a packet analyzer would be able to view and decode all packets within a network.

Figure 1 - Wireshark Showing TCP Packets from Multiple Sources and Destinations.

Figure 1 - Wireshark Showing TCP Packets from Multiple Sources and Destinations.

To reduce security risks, the network administrator will only allow your desk computer to receive frames and packets associated with its VLAN or destination MAC address. In this case, promiscuous mode would have no effect as your computer would not be receiving frames from the rest of the network.

Wifi, by its very nature will receive data from many areas of the network. Laptops vary in their ability to operate in Wifi promiscuous mode, but even if they don’t then a cheap Wifi dongle can be purchased to allow it. Wireshark can be used to monitor applications used and type of traffic flowing on smart phones, tablets and other devices using WiFi, providing the Wireshark host system is equipped with a WiFi card that supports monitoring mode.

Voice Over Internet Protocol (VOIP) is becoming an industry standard enabling telephony over IP networks instead of having to run the traditional two-wire with ringers to each desk, and VOIP apps are readily available for smart phones. However, to allow their use the network administrator will have to enable VOIP traffic over Wifi.

A Wifi packet analyzer working in promiscuous mode will be able to receive VOIP traffic, and if it’s not encrypted we will be able to listen to the conversation. As the packet analyzer is passive there is no way of detecting if somebody is listening to your conversation. VOIP must be encrypted to stop unauthorized snooping.

Figure 2 - Wireshark Showing ARP Broadcast Packets.

Figure 2 - Wireshark Showing ARP Broadcast Packets.

Broadcast engineers generally work with point-to-point connections, and monitoring consists of either inserting a jack on the listen socket of an audio jack-field or pulling the U-link on a video patch bay. In computer networks, this concept is not available to us, especially if the network is resilient. Pulling a patch-cord out of a server or switch could result in the network believing a link has failed and re-routing all the traffic through another switch or router, in effect removing the traffic we want to monitor.

Ports on managed switches and routers can be configured to work in monitor mode providing all the network traffic for that segment on one port. This can be connected to a computer with Wireshark installed so monitoring can take place. Close collaboration with the network administrator is required to make this possible and the request will probably raise a few eyebrows.

The limiting factor within Wireshark is the hardware it is running on and the speed of the monitoring port on the switch. It would be impossible to monitor a UHD camera feed running at 12Gbps on a 100 Megabit Ethernet server NIC, and a much faster NIC will be required. At these speeds servers start to become very expensive and disc drives fill up very quickly.

Installing Wireshark is very easy and consists of downloading the pre-compiled binaries and installing them onto the target server. For slower networks, a laptop could be used. As this is open-source software the source code is available, empowering engineers to really get under the hood and find out how the code works, or even develop it further.

Many a time engineers have been frustrated at the lack of documentation of a product when trying to configure and install it or suspect bugs that won’t be acknowledged by the vendor. With open-source software that frustration goes away as we can literally look at the code to find out how it works and improve the product and increase our knowledge.

Operating Wireshark is very easy. Once installed the program is executed and the network interface selected from the intuitive GUI. Depending on the configurations chosen during installation there may be multiple network interfaces available, including USB connections. Start the capture by selecting the Ethernet interface and clicking on the record button, the screen will soon fill up with all the network traffic being presented to the Wireshark server.

Once a sufficient amount of data has been captured click on the “stop capture” button on the tool bar and analysis of the data packets can begin. By clicking on the arrows at the beginning of each packet, we can drill further and further into the data to find out what is happening in the network and how it is working.

The hex-viewer window even allows us to look at actual data within the packets. On a busy office network, it soon becomes apparent that some software is not as secure as it might first appear, especially when the passwords are sent in unencrypted open text mode.

Filters can be selected during capture mode to look for specific packets, either by protocol, type, or address. This makes Wireshark a fantastic tool and captures can be streamlined to find a problem and saved for off-line analysis using Wireshark’s edit tools.

Broadcast engineers must understand what is going on inside an IP network to make sure the strict timing constraints we work to are respected, even more so than the network administrator. Wireshark is the ultimate network training and diagnosis tool and should be understood by every broadcast engineer wanting to excel in the IP domain. But expect a lot of resistance from the network administrator when you turn up with Wireshark.

You might also like...

The Big Guide To OTT: Part 10 - Monetization & ROI

Part 10 of The Big Guide To OTT features four articles which tackle the key topic of how to monetize OTT content. The articles discuss addressable advertising, (re)bundling, sports fan engagement and content piracy.

Next-Gen 5G Contribution: Part 2 - MEC & The Disruptive Potential Of 5G

The migration of the core network functionality of 5G to virtualized or cloud-native infrastructure opens up new capabilities like MEC which have the potential to disrupt current approaches to remote production contribution networks.

Standards: Part 8 - Standards For Designing & Building DAM Workflows

This article is all about content/asset management systems and their workflow. Most broadcasters will invest in a proprietary vendor solution. This article is designed to foster a better understanding of how such systems work, and offers some alternate thinking…

Designing IP Broadcast Systems: Addressing & Packet Delivery

How layer-3 and layer-2 addresses work together to deliver data link layer packets and frames across networks to improve efficiency and reduce congestion.

The Business Cost Of Poor Streaming Quality

Poor quality streaming loses viewers at an alarming rate especially when we consider the unintended consequences of poor error reporting on streaming players.