I'm often asked, what is the best way to set up a dedicated laptop for Wireshark? If the world were perfect, I'd love to see them purchase a long-term capture device. However, not everyone has the budget. Here are the top three things to configure on your capture laptop, especially if it has been mothballed since the last issue.
Shh!! No talking!
First and foremost, turn off TCP/IP on the box before you start capturing. It doesn't matter if it is Windows, Mac or Linux: a sniffer should not talk while it listens. The goal is to capture as many packets as possible. You may be running at full-duplex, but sending packets takes processing cycles that you want to reserve for the capture process. Many people create a capture filter that excludes the box's own MAC address and just filter their traffic out. Why not take that next step and just turn off TCP/IP? Then you don't have to worry, "did I set that filter?" Or worse, start looking at a pcap and wonder, "what IS all this traffic?" only to realize it's your own.
The Ethernet Properties dialog box has highlighted the items you want to turn off. IPv4 and IPv6 were already discussed. The next two have the capability to buffer and/or rearrange the order of the packets. That is great when the laptop is set up for a user, but when you're capturing you want every packet to be piped to Wireshark in the exact order it happened. Otherwise, your timings could be mangled, which makes it hard to troubleshoot a slow-response issue. QoS Packet Scheduler is for prioritization. Microsoft Network Adapter Multiplexor Protocol provides network adapter load balancing and failover.
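The same four bindings can be switched off from an elevated PowerShell prompt instead of the Ethernet Properties dialog, and, more usefully, checked before every capture so the "did I set that filter?" question never comes up. The script below is an added example, not code from the original post; it assumes the capture NIC is named "Ethernet" (adjust `$AdapterName`) and uses the Windows component IDs for IPv4, IPv6, QoS Packet Scheduler and the Multiplexor Protocol.

```powershell
# Added example (not from the original post): put a capture adapter into
# "capture" mode (silent), or back into "idle" mode (IP enabled), and verify.
# Assumes an elevated shell and an adapter named "Ethernet".
$AdapterName = 'Ethernet'   # assumption: change to your capture NIC's name

# Component IDs of the bindings the post says to turn off while capturing.
$CaptureOffBindings = @{
    'ms_tcpip'  = 'Internet Protocol Version 4 (TCP/IPv4)'
    'ms_tcpip6' = 'Internet Protocol Version 6 (TCP/IPv6)'
    'ms_pacer'  = 'QoS Packet Scheduler'
    'ms_implat' = 'Microsoft Network Adapter Multiplexor Protocol'
}

function Set-CaptureMode {
    # Silence the box: nothing left bound that could send, buffer or reorder frames.
    # A binding that is not present on this adapter is simply skipped.
    foreach ($id in $CaptureOffBindings.Keys) {
        Disable-NetAdapterBinding -Name $AdapterName -ComponentID $id -ErrorAction SilentlyContinue
    }
}

function Set-IdleMode {
    # Between captures, re-enable IP only, so the clock can sync with the rest of the network.
    Enable-NetAdapterBinding -Name $AdapterName -ComponentID 'ms_tcpip', 'ms_tcpip6'
}

function Test-CaptureMode {
    # Returns $true only when every binding in the list is disabled on the adapter,
    # and names each one that is still enabled.
    $stillOn = Get-NetAdapterBinding -Name $AdapterName |
        Where-Object { $CaptureOffBindings.ContainsKey($_.ComponentID) -and $_.Enabled }
    if ($stillOn) {
        $stillOn | ForEach-Object { Write-Warning "Still enabled: $($_.DisplayName)" }
        return $false
    }
    return $true
}

# Usage: switch to capture mode and refuse to proceed unless the adapter is silent.
Set-CaptureMode
if (-not (Test-CaptureMode)) {
    throw "Adapter '$AdapterName' is not silent; fix the bindings before starting Wireshark."
}
Write-Host "Adapter '$AdapterName' is ready for capture."
```

Run `Set-IdleMode` when the laptop goes back on the shelf so it can pick up time updates, and `Set-CaptureMode` again before the next capture; `Test-CaptureMode` is cheap enough to run every time Wireshark is started.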
Match Up the Clocks
However, turn IP back on when the laptop is idle so it can get time updates. Having the same time as the rest of your network devices is one of the most important settings on your capture laptop. It doesn't matter if you use NTP, Windows Active Directory, or something else: that laptop needs to match everything else. The time doesn't even have to be correct. When you are going through a log file and trying to match the errors to the packets in the pcap, all that counts is that they use the same time reference.
No Zzzzzz!
Finally, a setting that has kicked me in the teeth: sleep/hibernation. Turn that off permanently. Wireshark writes the packets to a temp file, and during sleep/hibernation the hard drive and the network adapter will pause. You think you are capturing away in the data center, only to find the box went to sleep just before the issue happened again. You think you caught it, but it had stopped capturing 30 minutes ago.
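The clock and sleep settings from the last two sections can also be checked and set from an elevated PowerShell prompt. This is an added example, not code from the original post; it relies only on the built-in `w32tm` and `powercfg` tools, and the function names are mine. Run the time-sync part while IP is still enabled, before the adapter is silenced for the capture.

```powershell
# Added example (not from the original post): confirm the capture laptop's
# time source and make sure it can never sleep or hibernate. Run elevated.

function Get-TimeSyncStatus {
    # w32tm reports the configured time source and the last measured offset.
    # "Local CMOS Clock" as the source means the box is NOT following anyone's
    # time reference, so its pcap timestamps will not line up with other logs.
    $status = w32tm /query /status 2>&1
    [pscustomobject]@{
        Source = [string]($status | Select-String 'Source:')
        Offset = [string]($status | Select-String 'Phase Offset:')
        Synced = -not ($status -match 'Local CMOS Clock')
    }
}

function Sync-CaptureClock {
    # Ask the Windows Time service to resync now; needs IP enabled (idle mode).
    w32tm /resync /nowait | Out-Null
}

function Disable-CaptureSleep {
    # Timeouts are in minutes; 0 = never, on both mains (ac) and battery (dc).
    powercfg /change standby-timeout-ac 0
    powercfg /change standby-timeout-dc 0
    powercfg /change hibernate-timeout-ac 0
    powercfg /change hibernate-timeout-dc 0
    # Remove hibernation entirely so nothing can trigger it later.
    powercfg /hibernate off
}

function Get-SleepTimeouts {
    # Read back the active scheme's sleep and hibernate idle timeouts (seconds,
    # 0 = never) so the setting can be verified rather than assumed.
    $result = @{}
    foreach ($setting in 'STANDBYIDLE', 'HIBERNATEIDLE') {
        $out = powercfg /query SCHEME_CURRENT SUB_SLEEP $setting
        foreach ($power in 'AC', 'DC') {
            $line = $out | Select-String "Current $power Power Setting Index: (0x[0-9a-fA-F]+)"
            if ($line) {
                $result["$setting/$power"] = [Convert]::ToInt32($line.Matches[0].Groups[1].Value, 16)
            }
        }
    }
    return $result
}

# Usage: sync the clock, then lock the laptop awake and prove it.
Sync-CaptureClock
$time = Get-TimeSyncStatus
if (-not $time.Synced) { Write-Warning "Clock is not following a network time source: $($time.Source)" }
else { Write-Host "Time source OK: $($time.Source) $($time.Offset)" }

Disable-CaptureSleep
$timeouts = Get-SleepTimeouts
$nonZero = $timeouts.GetEnumerator() | Where-Object { $_.Value -ne 0 }
if ($nonZero) {
    $nonZero | ForEach-Object { Write-Warning "$($_.Key) still set to $($_.Value) seconds" }
    throw 'Laptop can still sleep or hibernate; a long capture may stop silently.'
}
Write-Host 'Sleep and hibernation disabled; capture laptop will stay awake.'
```

The readback in `Get-SleepTimeouts` is the part worth keeping: a power scheme can be swapped by group policy or a docking station, so check it at the start of every long capture rather than trusting that it was set once.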
I hope these tips will help you when you are setting up your own dedicated capture laptop. Happy sniffing!
Betty DuBois is the Chief Detective for Packet Detectives, an application and network performance consulting and training firm based in Atlanta, GA. She has been solving mysteries since 1997.
Experienced with a range of hardware and software packet capture solutions, she captures the right data, in the right place, and at the right time to find the real culprit.
Betty presents each year at SharkFest, the Wireshark Developer and User Conference, and is active in the Wireshark community.
Using packets to solve crimes against the network and applications is her passion. Teaching others to do the same is her calling.
Do you have a packet mystery that you'd like Betty to solve? How about a team who needs training on how to catch the culprit themselves? Contact her at bettydubois.com for information. Your mystery will be solved in no time.