Understanding IP Production Networks: Part 11 - Network Analyzers

Wireshark is an invaluable tool that enables engineers to examine network traffic in detail. Commercial monitoring platforms provide even deeper observation.

Wireshark is an open-source packet analyzer running on Linux, UNIX-like systems and Windows. Originally called Ethereal and first released in 1998, it was renamed Wireshark because Ethereal was already a registered trademark.

Wireshark allows engineers to see what is going on under the hood of a network by monitoring an Ethernet port in promiscuous mode and then decoding and displaying the packets. With the intuitive graphical interface it is very easy to drill down into an IP packet, and then into the Ethernet frame that carries it, to see the actual data.

Promiscuous mode is required as Ethernet interface cards generally only pass two types of packets to the CPU; when the destination Media Access Control (MAC) address is the same as To bypass this limitation promiscuous mode enables the Network Interface Card (NIC) to pass all Ethernet frames to the CPU regardless of source and destination MAC addresses. Clearly this could be a major security issue as anybody operating in promiscuous mode with a packet analyzer would be able to view and decode all packets within a network.

Figure 1 - Wireshark Showing TCP Packets from Multiple Sources and Destinations.

To reduce security risks, the network administrator will only allow your desk computer to receive frames and packets associated with its VLAN or destination MAC address. In this case, promiscuous mode would have no effect as your computer would not be receiving frames from the rest of the network.

Figure 2 - Wireshark Showing ARP Broadcast Packets.

Wi-Fi, by its very nature, will receive data from many areas of the network. Laptops vary in their ability to operate their Wi-Fi adapter in promiscuous mode, but even if they cannot, a cheap Wi-Fi dongle can be purchased to allow it. Wireshark can be used to monitor the applications in use and the type of traffic flowing on smart phones, tablets and other Wi-Fi devices, provided the Wireshark host is equipped with a Wi-Fi card that supports monitor mode.

VOIP

Voice over Internet Protocol (VOIP) is becoming an industry standard, enabling telephony over IP networks instead of having to run traditional two-wire telephone cabling with ringers to each desk, and VOIP apps are readily available for smart phones. However, to allow their use the network administrator will have to enable VOIP traffic over Wi-Fi.

A Wi-Fi packet analyzer working in promiscuous mode will be able to receive VOIP traffic, and if that traffic is not encrypted, whoever is capturing it will be able to listen to the conversation. Because the packet analyzer is passive, there is no way of detecting that somebody is listening to your call. VOIP must be encrypted to stop unauthorized snooping.

Monitoring

Broadcast engineers generally work with point-to-point connections, and monitoring consists of either inserting a jack on the listen socket of an audio jack-field or pulling the U-link on a video patch bay. In computer networks, this methodology is not available to us, especially if the network is resilient. Pulling a patch-cord out of a server or switch could result in the network believing a link has failed and re-routing all the traffic through another switch or router, in effect removing the traffic we want to monitor.

Ports on managed switches and routers can be configured to work in monitor mode, which copies all the network traffic for that segment onto one port. This port can be connected to a computer with Wireshark installed so that monitoring can take place. Close collaboration with the network administrator is required to make this possible, and the request will probably raise a few eyebrows.

The limiting factor within Wireshark is the hardware it is running on and the speed of the monitoring port on the switch. It would be impossible to monitor a UHD camera feed running at 12 Gbps on a 100 Megabit Ethernet server NIC; a much faster NIC will be required. At these speeds servers start to become very expensive and disk drives fill up very quickly.

Install And Operation

Installing Wireshark is very easy and consists of downloading the pre-compiled binaries and installing them onto the target server. For slower networks, a laptop could be used. As this is open-source software the source code is available, empowering engineers to really get under the hood and find out how the code works or even develop it further.

Many a time engineers have been frustrated at the lack of documentation of a product when trying to configure and install it, or suspect bugs that won’t be acknowledged by the vendor. With open-source software that frustration goes away as we can literally look at the code to find out how it works, as well as improve the product and increase our knowledge.

Operating Wireshark is very easy. Once installed the program is executed and the network interface selected from the intuitive GUI. Depending on the configurations chosen during installation there may be multiple network interfaces available, including USB connections. Start the capture by selecting the Ethernet interface and clicking on the record button – the screen will soon fill up with all the network traffic being presented to the Wireshark server.

Once a sufficient amount of data has been captured click on the “stop capture” button on the tool bar and analysis of the data packets can begin. By clicking on the arrows at the beginning of each packet, we can drill further into the data to find out what is happening in the network and how it is working.

The hex-viewer window even allows us to look at the actual data within the packets. On a busy office network it soon becomes apparent that some software is not as secure as it might first appear, especially when passwords are sent in clear text.

Filters can be applied during capture to look for specific packets, either by protocol, type or address. This makes Wireshark a fantastic tool: captures can be streamlined to find a problem and then saved for off-line analysis using Wireshark's edit tools.
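The two ideas above, the NIC's destination filter that promiscuous mode switches off and a protocol/port/address filter applied to a capture, are easiest to see on a small capture you can read by hand. The following is an added example written for this article, not code from the article or from the Wireshark project: a minimal libpcap-format reader with a model of the NIC filter and a tiny display-style filter. The capture is constructed in memory and every MAC and IP address in it is a made-up sample value.

```python
"""Minimal pcap reader showing what a NIC passes up in normal vs promiscuous
mode, and how a protocol/port/address filter narrows a capture.

Added example, not from the article or the Wireshark project. The capture is
constructed in memory; every MAC and IP address below is a made-up sample.
"""
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
IPPROTO_NAMES = {6: "tcp", 17: "udp"}
BROADCAST_MAC = b"\xff" * 6


def nic_accepts(dst_mac: bytes, own_mac: bytes, promiscuous: bool) -> bool:
    """Model the NIC's destination filter: normally only frames for our own MAC,
    broadcast frames and multicast frames (group bit set in the first octet)
    reach the CPU; promiscuous mode switches the filter off entirely."""
    if promiscuous:
        return True
    return dst_mac == own_mac or dst_mac == BROADCAST_MAC or bool(dst_mac[0] & 0x01)


def decode_frame(frame: bytes) -> dict:
    """Decode the Ethernet II header, then IPv4 and TCP/UDP ports when present."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    pkt = {"dst_mac": dst, "src_mac": src,
           "proto": "arp" if ethertype == ETHERTYPE_ARP else "other"}
    if ethertype != ETHERTYPE_IPV4:
        return pkt
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4          # IPv4 header length, in 32-bit words
    proto = ip[9]
    pkt.update(src_ip=socket.inet_ntoa(ip[12:16]), dst_ip=socket.inet_ntoa(ip[16:20]),
               proto=IPPROTO_NAMES.get(proto, f"ip/{proto}"))
    if proto in (6, 17):              # TCP and UDP both begin with source/destination port
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", ip[ihl:ihl + 4])
    return pkt


def parse_pcap(data: bytes) -> list:
    """Walk a classic libpcap file: 24-byte global header, then 16-byte record headers."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    frames, offset = [], 24
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        frames.append(decode_frame(data[offset:offset + incl_len]))
        offset += incl_len
    return frames


def capture(data: bytes, own_mac: bytes, promiscuous: bool) -> list:
    """The frames an analyzer on this host would see, given the NIC mode."""
    return [p for p in parse_pcap(data) if nic_accepts(p["dst_mac"], own_mac, promiscuous)]


def matches(pkt: dict, proto=None, port=None, host=None) -> bool:
    """A tiny display filter, e.g. matches(p, proto="udp", port=5060)."""
    if proto and pkt["proto"] != proto:
        return False
    if port and port not in (pkt.get("sport"), pkt.get("dport")):
        return False
    if host and host not in (pkt.get("src_ip"), pkt.get("dst_ip")):
        return False
    return True


# ---- constructed sample capture (made-up addresses) ----------------------
OUR_MAC, PEER_MAC, THIRD_MAC = (bytes.fromhex(f"02000000aa0{i}") for i in (1, 2, 3))


def ipv4_frame(dst_mac, src_mac, src_ip, dst_ip, proto, l4_header):
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4_header), 0, 0, 64, proto, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return struct.pack("!6s6sH", dst_mac, src_mac, ETHERTYPE_IPV4) + ip_hdr + l4_header


def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


SAMPLE_PCAP = build_pcap([
    # HTTP request addressed to this host: seen in either mode
    ipv4_frame(OUR_MAC, PEER_MAC, "10.0.0.2", "10.0.0.1", 6, struct.pack("!HH", 50000, 80) + bytes(16)),
    # SIP between two other hosts: only visible in promiscuous mode
    ipv4_frame(PEER_MAC, THIRD_MAC, "10.0.0.3", "10.0.0.2", 17, struct.pack("!HHHH", 5060, 5060, 8, 0)),
    # ARP broadcast: passed up by the NIC regardless of mode
    struct.pack("!6s6sH", BROADCAST_MAC, THIRD_MAC, ETHERTYPE_ARP) + bytes(28),
    # SIP addressed to this host
    ipv4_frame(OUR_MAC, THIRD_MAC, "10.0.0.3", "10.0.0.1", 17, struct.pack("!HHHH", 5060, 5060, 8, 0)),
])


def count_sip(promiscuous: bool) -> int:
    """How many SIP (UDP/5060) packets an analyzer on this host sees."""
    return sum(matches(p, proto="udp", port=5060) for p in capture(SAMPLE_PCAP, OUR_MAC, promiscuous))


if __name__ == "__main__":
    for mode in (False, True):
        print(f"promiscuous={mode}: {len(capture(SAMPLE_PCAP, OUR_MAC, mode))} frames,"
              f" {count_sip(mode)} SIP packets")
```

Run with promiscuous mode off, the analyzer sees only the frames addressed to its own MAC plus the ARP broadcast; with it on, the SIP exchange between the two other hosts appears as well. On a switched network the switch's own forwarding decides which frames reach the port in the first place, which is why the mirror port described below is needed for anything beyond your own VLAN.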

Broadcast engineers must understand what is going on inside an IP network to make sure the strict timing constraints we work to are respected, even more so than the network administrator. Wireshark is the ultimate network training and diagnosis tool and should be understood by every broadcast engineer wanting to excel in the IP domain. But expect a lot of resistance from the network administrator when you turn up with Wireshark.

Other Monitoring Systems

One interesting aspect of network monitoring is understanding how to access the network data. Pulling out a patch cord from a router or switch port could result in the network removing the traffic from that link and sending it on another route. This is usually the case with multipath networks that exhibit high resilience.

Routers and switches also have their own network monitoring tools that allow system administrators and network engineers access so they can better understand what is going on at a flow level.

OpenFlow is a service that resides in the switch or router and is provided by the vendor. Each device maintains a table of flows based on the source and destination IP addresses, giving each flow a unique identifier. As packets enter or leave the device, OpenFlow compares each one against its table entries and either increments the counters of the matching flow or adds a new flow to the table. In this way a record of byte counts, packet counts, durations, data rates, and flow states and types builds up for every flow. A separate, centralized network controller interrogates these tables through an API and can determine the characteristics of the flows on each link.

Alongside control protocols like OpenFlow, statistical analysis frameworks such as NetFlow, IPFIX and sFlow maintain a broad set of statistical registers that continually track buffer utilization, interface throughput, microburst activity and error conditions. Statistical analysis of these samples allows system and network administrators to detect congestion patterns, identify heavy traffic sources, observe protocol behavior and compare all of this against latency to determine whether queue build-up or link contention is occurring.

Control plane systems, where Software-Defined Networks excel, can determine precise flow level events, while statistical analytics provide trend detection and capacity insights. In essence, both OpenFlow and NetFlow expose flow information, but OpenFlow entries define how packets should be processed, and NetFlow records report how packets were processed.

As well as showing how efficiently a network is operating, and where any data-rate pinch points are occurring or about to occur, the data patterns provided by OpenFlow and NetFlow can also indicate threats such as DoS attacks, or unexpected traffic that may be indicative of a hostile intrusion.
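The analysis the last few paragraphs describe, reading flow records to find heavy sources, pinch points, DoS patterns and traffic the network was never meant to carry, is simple enough to show end to end. The code below is an added example written for this article, not from the article itself or from any vendor's OpenFlow or NetFlow tooling. Its records are constructed in memory in a NetFlow-like shape (one record per flow with packet, byte and TCP-flag totals), and every address, port, threshold and link speed is a made-up sample value for a hypothetical production network.

```python
"""Spotting DoS patterns, pinch points and unexpected traffic in flow records.

Added example, not from the article or any vendor's OpenFlow/NetFlow tooling.
The records below are constructed in memory in a NetFlow-like shape (one
record per flow with packet, byte and TCP-flag totals); every address, port,
threshold and link speed is a made-up sample value for a hypothetical network.
"""
from collections import Counter, defaultdict

TCP_SYN, TCP_ACK = 0x02, 0x10

# Traffic this hypothetical production network is supposed to carry:
# SIP signalling, RTP media, HTTPS to the control system and NTP.
EXPECTED_FLOWS = {("udp", 5060), ("udp", 5004), ("tcp", 443), ("udp", 123)}


def flow(src, dst, proto, dport, packets, nbytes, flags=0):
    return {"src": src, "dst": dst, "proto": proto, "dport": dport,
            "packets": packets, "bytes": nbytes, "tcp_flags": flags}


SAMPLE_FLOWS = [
    flow("10.1.0.10", "10.1.0.20", "udp", 5004, 120_000, 150_000_000),            # RTP media
    flow("10.1.0.11", "10.1.0.20", "udp", 5060, 40, 24_000),                     # SIP
    flow("10.1.0.12", "10.1.0.50", "tcp", 443, 300, 410_000, TCP_SYN | TCP_ACK),  # HTTPS
    flow("10.1.0.13", "10.1.0.50", "tcp", 23, 12, 900, TCP_SYN | TCP_ACK),        # telnet: not expected
] + [
    # 40 single-packet, SYN-only flows from distinct sources to one server port
    flow(f"198.51.100.{i}", "10.1.0.50", "tcp", 443, 1, 60, TCP_SYN) for i in range(1, 41)
]
SAMPLE_INTERVAL_S = 60            # the export window the records cover
SAMPLE_LINK_BPS = 100_000_000     # the monitored link is 100 Mbit/s in this sample


def syn_flood_targets(flows, min_sources=20):
    """Destinations receiving SYN-only, one-or-two-packet flows from many distinct
    sources: the half-open connection pattern that marks a SYN flood."""
    sources = defaultdict(set)
    for f in flows:
        if f["proto"] == "tcp" and f["packets"] <= 2 and f["tcp_flags"] == TCP_SYN:
            sources[(f["dst"], f["dport"])].add(f["src"])
    return {target: len(s) for target, s in sources.items() if len(s) >= min_sources}


def top_talkers(flows, n=3):
    """Heaviest sources by byte count, to identify who is filling a congested link."""
    volume = Counter()
    for f in flows:
        volume[f["src"]] += f["bytes"]
    return volume.most_common(n)


def unexpected_flows(flows, expected=EXPECTED_FLOWS):
    """Flows to protocol/port pairs the network is not meant to carry."""
    return [(f["src"], f["dst"], f["proto"], f["dport"])
            for f in flows if (f["proto"], f["dport"]) not in expected]


def link_load(flows, interval_s, link_bps):
    """Fraction of link capacity used over the export interval (a pinch-point check)."""
    total_bits = 8 * sum(f["bytes"] for f in flows)
    return total_bits / interval_s / link_bps


def analyse(flows, interval_s, link_bps):
    return {
        "syn_flood": syn_flood_targets(flows),
        "top_talkers": top_talkers(flows),
        "unexpected": unexpected_flows(flows),
        "link_load": round(link_load(flows, interval_s, link_bps), 3),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_FLOWS, SAMPLE_INTERVAL_S, SAMPLE_LINK_BPS).items():
        print(f"{key}: {value}")
```

The thresholds (20 distinct sources, a two-packet ceiling) are deliberately simple; in practice they are tuned to the baseline of the network in question, which is exactly the kind of trend data the statistical frameworks above supply. The same records also give the link load, so one export interval answers both the capacity question and the security question.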

Understanding how networks operate goes far beyond routing and resilience, and a whole plethora of deep network sample records and statistics are available that can be analyzed on- or off-line to determine the efficiency, reliability and security of a broadcast network.

The leading suppliers of network switches to the broadcast industry provide a software stack of network monitoring and observability tools. Stand-alone commercially available broadcast controller, orchestration and observability platforms also offer sophisticated tools with operator friendly interfaces.
