Well, I'm fresh back from a short vacation down in Argentina and I find myself working on a problem today that required the use of a protocol analyzer or "sniffer". It got me to thinking about the fact that many network administrators today have never actually taken a packet trace or analyzed a packet. Furthermore, when the need does arise, many of the people I deal with don't really know how to get started.
So, with that in mind, here are a few things to keep in mind if you find yourself in that situation...
Head Geek's Top 5 Things to Remember about Analyzing Packets
#5 - Don't assume that the answer is in the packet. Remember the top 3 network troubleshooting steps - check the cable, check the cable, check the cable.
#4 - If you're going to go looking at packets, use Wireshark. You can download it for free from wireshark.org. It's the best protocol analyzer out there - period.
#3 - Remember that with today's Ethernet switches you have to mirror (span) the data from the port that you want to monitor to the port where your analyzer is connected. A few of us old timers keep a spare 4 port Ethernet hub lying around for cases where reconfiguring the switch isn't convenient...
#2 - Use capture and display filters to limit the number of packets that you have to look at. For instance, if you're troubleshooting a website performance issue you can probably filter everything out that's not to/from the client machine and the webserver and everything that's not to/from TCP port 80.
#1 - Combine the data that you get from looking at the individual packets with the data that you get from investigating packet flows leveraging a technology like NetFlow. If you don't have a NetFlow application, you can download a free evaluation version of the SolarWinds Engineer's Toolset and Orion NetFlow Traffic Analyzer from the SolarWinds website. The evaluation versions are fully functional and work for 30 days.
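To make tips #2 and #1 concrete, here is an added example (my own illustration, not code from the original post or from SolarWinds). It writes out the two filter forms you would actually type for the "client to webserver on TCP port 80" case (a BPF capture filter for tcpdump or Wireshark's capture dialog, and a Wireshark display filter), applies the same predicate to a small constructed packet trace so you can see how much noise drops out, and then rolls the surviving packets up into NetFlow-style per-flow counters. The addresses, ports and packet lengths are constructed sample values from the RFC 5737 documentation ranges.

```python
"""Added example: packet filters vs. flow summaries on a constructed trace.

Not from the original post. Addresses and packet sizes below are made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal packet record: the 5-tuple plus the on-wire length in bytes."""
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    length: int


def capture_filter(client: str, server: str, port: int = 80) -> str:
    """BPF syntax, as used by `tcpdump -w` and Wireshark capture filters.

    Only matching packets are written to disk; everything else is dropped
    at capture time, so this keeps capture files small but is not reversible.
    """
    return f"host {client} and host {server} and tcp port {port}"


def display_filter(client: str, server: str, port: int = 80) -> str:
    """Wireshark display-filter syntax, applied after capture and reversible."""
    return f"ip.addr == {client} && ip.addr == {server} && tcp.port == {port}"


def matches(pkt: Packet, client: str, server: str, port: int = 80) -> bool:
    """The predicate both filter strings express, evaluated on one record."""
    between_hosts = {pkt.src, pkt.dst} == {client, server}
    return pkt.proto == "tcp" and between_hosts and port in (pkt.sport, pkt.dport)


def apply_filter(packets, client: str, server: str, port: int = 80):
    """Return only the packets between client and server on the given TCP port."""
    return [p for p in packets if matches(p, client, server, port)]


def summarize_flows(packets):
    """NetFlow-style view: collapse packets into unidirectional flows keyed by
    the 5-tuple, counting packets and bytes per flow. A flow table like this
    is what a NetFlow collector shows you instead of individual packets."""
    flows = {}
    for p in packets:
        key = (p.src, p.dst, p.proto, p.sport, p.dport)
        counters = flows.setdefault(key, {"packets": 0, "bytes": 0})
        counters["packets"] += 1
        counters["bytes"] += p.length
    return flows


# Constructed sample trace (hypothetical hosts from RFC 5737 documentation ranges).
CLIENT, SERVER = "192.0.2.10", "198.51.100.20"
SAMPLE_TRACE = [
    Packet(CLIENT, SERVER, "tcp", 51234, 80, 74),        # SYN to the web server
    Packet(SERVER, CLIENT, "tcp", 80, 51234, 74),        # SYN/ACK back
    Packet(CLIENT, "198.51.100.53", "udp", 53201, 53, 80),   # DNS lookup: noise
    Packet("192.0.2.77", SERVER, "tcp", 40000, 80, 74),  # a different client: noise
    Packet(CLIENT, SERVER, "tcp", 51235, 443, 74),       # same hosts, HTTPS: noise
    Packet(SERVER, CLIENT, "tcp", 80, 51234, 1514),      # full-size data segment
]


if __name__ == "__main__":
    print("capture filter :", capture_filter(CLIENT, SERVER))
    print("display filter :", display_filter(CLIENT, SERVER))
    kept = apply_filter(SAMPLE_TRACE, CLIENT, SERVER)
    print(f"kept {len(kept)} of {len(SAMPLE_TRACE)} packets")
    for key, counters in summarize_flows(kept).items():
        print(key, counters)
```

The capture filter belongs on the tcpdump or Wireshark command line before you start recording (for example `tcpdump -i eth0 -w web.pcap 'host 192.0.2.10 and host 198.51.100.20 and tcp port 80'`); the display filter goes in Wireshark's filter bar once the file is open. The flow summary is the bridge to tip #1: a NetFlow collector hands you that per-flow table for the whole network, and you open the packet capture only for the flows that look wrong.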
Packet sniffing isn't for the faint of heart but I've solved some problems that were real buggers with this method. If you've got some cool stories of issues you've solved after investigating the packets post a comment here and I'll send you a SolarWinds T-shirt.