Understanding IP Broadcast Production Networks: Part 11 - Network Analyzers

Wireshark is an invaluable tool that enables engineers to examine network traffic in detail.

Wireshark is an open-source packet analyzer running on Linux, UNIX-type systems and Windows. Originally called Ethereal and first released in 1998, it was renamed Wireshark because Ethereal was already a registered trademark.

Wireshark allows engineers to see what is going on under the hood of a network by monitoring an Ethernet port in promiscuous mode and then decoding and displaying the packets. With the intuitive graphical interface it is very easy to drill down from the Ethernet frame into the IP packet it carries, and on to the actual data.

Promiscuous mode is required because Ethernet interface cards generally pass only two types of frame to the CPU: those whose destination Media Access Control (MAC) address matches the card's own address, and those sent to the broadcast address. This would be a serious limitation for any network monitoring device, as it would not be able to see packets destined for the rest of the network.

To bypass this limitation, promiscuous mode makes the NIC pass all Ethernet frames to the CPU regardless of their source and destination MAC addresses. Clearly this could be a major security issue, as anybody operating a packet analyzer in promiscuous mode would be able to view and decode all packets within a network.

Figure 1 - Wireshark Showing TCP Packets from Multiple Sources and Destinations.


To reduce security risks, the network administrator will only allow your desk computer to receive frames and packets associated with its own VLAN or destination MAC address. In this case promiscuous mode would have no effect, as your computer would not be receiving frames from the rest of the network anyway.

Wi-Fi, by its very nature, receives data from many areas of the network. Laptops vary in their ability to operate their Wi-Fi adapter in promiscuous mode, but even if they cannot, a cheap Wi-Fi dongle that does can be purchased. Wireshark can be used to monitor the applications in use and the type of traffic flowing on smart phones, tablets and other Wi-Fi devices, providing the Wireshark host is equipped with a Wi-Fi card that supports monitor mode.

Voice over Internet Protocol (VoIP) is becoming an industry standard, enabling telephony over IP networks instead of having to run the traditional two-wire circuit with ringers to each desk, and VoIP apps are readily available for smart phones. However, to allow their use the network administrator will have to enable VoIP traffic over Wi-Fi.

A Wi-Fi packet analyzer working in promiscuous mode will be able to receive the VoIP traffic, and if it is not encrypted we will be able to listen to the conversation. As the packet analyzer is passive, there is no way of detecting that somebody is listening to your conversation. VoIP must therefore be encrypted to stop unauthorized snooping.

Figure 2 - Wireshark Showing ARP Broadcast Packets.


Broadcast engineers generally work with point-to-point connections, and monitoring consists of either inserting a jack on the listen socket of an audio jack-field or pulling the U-link on a video patch bay. In computer networks, this concept is not available to us, especially if the network is resilient. Pulling a patch-cord out of a server or switch could result in the network believing a link has failed and re-routing all the traffic through another switch or router, in effect removing the traffic we want to monitor.

Ports on managed switches and routers can be configured as monitor (mirror) ports, presenting all the network traffic for that segment on one port. This port can be connected to a computer with Wireshark installed so that monitoring can take place. Close collaboration with the network administrator is required to make this possible, and the request will probably raise a few eyebrows.

The limiting factor for Wireshark is the hardware it is running on and the speed of the monitoring port on the switch. It would be impossible to monitor a UHD camera feed running at 12Gbps on a 100 Megabit Ethernet server NIC; a much faster NIC will be required. At these speeds servers start to become very expensive and disk drives fill up very quickly.

Installing Wireshark is very easy and consists of downloading the pre-compiled binaries and installing them onto the target server. For slower networks, a laptop could be used. As this is open-source software the source code is available, empowering engineers to really get under the hood and find out how the code works, or even develop it further.

Many a time, engineers have been frustrated by the lack of documentation for a product when trying to configure and install it, or by suspected bugs that the vendor won't acknowledge. With open-source software that frustration goes away, as we can literally look at the code to find out how it works, improve the product and increase our knowledge.

Operating Wireshark is very easy. Once installed, the program is run and the network interface is selected from the intuitive GUI. Depending on the configuration chosen during installation there may be multiple network interfaces available, including USB connections. Start the capture by selecting the Ethernet interface and clicking the start-capture button; the screen will soon fill up with all the network traffic being presented to the Wireshark host.

Once a sufficient amount of data has been captured, click the “stop capture” button on the toolbar and analysis of the packets can begin. By clicking the arrows at the beginning of each packet we can drill further and further into the data to find out what is happening in the network and how it is working.

The hex-viewer window even allows us to look at the actual bytes within the packets. On a busy office network it soon becomes apparent that some software is not as secure as it might first appear, especially when passwords are sent in clear text.
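As an added illustration (not code from the original article or from the Wireshark project), the following Python models the NIC filter described earlier, where only frames to the card's own MAC or the broadcast MAC reach the CPU unless promiscuous mode is on, and then drills from the Ethernet frame into the ARP and IPv4/TCP headers the way Wireshark's detail pane does. The two frames, their MAC and IP addresses, and the zeroed checksums are constructed for the example.

```python
import struct

ETH_ARP, ETH_IPV4, IP_TCP = 0x0806, 0x0800, 6
BROADCAST = b"\xff" * 6

def mac(s):                      # "00:11:22:33:44:55" -> 6 bytes
    return bytes.fromhex(s.replace(":", ""))
def ip(s):                       # "192.168.1.10" -> 4 bytes
    return bytes(int(o) for o in s.split("."))
def ip_str(b):
    return ".".join(str(o) for o in b)

def nic_delivers(frame, own_mac, promiscuous=False):
    """Without promiscuous mode a NIC only passes frames sent to its own MAC or to broadcast."""
    return promiscuous or frame[:6] in (own_mac, BROADCAST)

def decode(frame):
    """Drill Ethernet -> ARP, or Ethernet -> IPv4 -> TCP, and summarise one line per frame."""
    _dst, _src, etype = struct.unpack("!6s6sH", frame[:14])
    p = frame[14:]                                   # Ethernet payload
    if etype == ETH_ARP:                             # skip htype/ptype/hlen/plen, read opcode + addresses
        op, _sha, spa, _tha, tpa = struct.unpack("!6xH6s4s6s4s", p[:28])
        kind = "request" if op == 1 else "reply"
        return f"ARP {kind} who-has {ip_str(tpa)} tell {ip_str(spa)}"
    if etype == ETH_IPV4:
        ihl, proto = (p[0] & 0x0F) * 4, p[9]         # header length in bytes, protocol number
        s, d = ip_str(p[12:16]), ip_str(p[16:20])
        if proto == IP_TCP:
            sport, dport = struct.unpack("!HH", p[ihl:ihl + 4])
            return f"TCP {s}:{sport} -> {d}:{dport}"
        return f"IPv4 proto {proto} {s} -> {d}"
    return f"Ethernet type 0x{etype:04x}"

# Constructed sample frames (not a real capture); IP and TCP checksums are left at zero.
def arp_request(src_mac, src_ip, target_ip):
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETH_IPV4, 6, 4, 1,
                      mac(src_mac), ip(src_ip), b"\x00" * 6, ip(target_ip))
    return BROADCAST + mac(src_mac) + struct.pack("!H", ETH_ARP) + arp
def tcp_syn(src_mac, dst_mac, src_ip, dst_ip, sport, dport):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                       IP_TCP, 0, ip(src_ip), ip(dst_ip))
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETH_IPV4) + ipv4 + tcp

SAMPLE = [arp_request("00:11:22:33:44:55", "192.168.1.10", "192.168.1.1"),
          tcp_syn("00:11:22:33:44:55", "00:aa:bb:cc:dd:ee", "192.168.1.10", "192.168.1.20", 51000, 80)]

def visible(frames, own_mac, promiscuous=False):
    """Decoded frames that a Wireshark host whose NIC has MAC own_mac would actually see."""
    return [decode(f) for f in frames if nic_delivers(f, mac(own_mac), promiscuous)]
```

Calling `visible(SAMPLE, "00:de:ad:be:ef:01")` returns only the ARP broadcast, while the same call with `promiscuous=True` also returns the TCP SYN addressed to another host.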

Filters can be applied during capture to select specific packets by protocol, type or address. This makes Wireshark a fantastic tool: captures can be streamlined to find a problem and saved for off-line analysis using Wireshark's edit tools.

Broadcast engineers must understand what is going on inside an IP network to make sure the strict timing constraints we work to are respected, even more so than the network administrator. Wireshark is the ultimate network training and diagnosis tool and should be understood by every broadcast engineer wanting to excel in the IP domain. But expect a lot of resistance from the network administrator when you turn up with Wireshark.
