November 28, 2022

Cable Troubleshooting Example

Another job and another example of an Ethernet coupler causing challenges.

In this case, we upgraded some old 10/100Mb switches to 1 Gb switches. As part of my methodology, I typically get all the devices connected in, make sure everything is up and running, then clear the port statistics (when possible), check the ports for speed/duplex and errors after a minimum of an hour or so of operation.


You can do this via CLI, web interface, customized scripts or SNMP. As long as you can reliably collect the data, you are in good shape. Don’t forget to document how you gathered the data, date, time, and collection period.


In this example, I noticed the connection between the switches was running at 100Mb full duplex which was odd since both switches have 1 Gb ports. I grabbed my cable tester, but as you will see in the video, this isn’t a requirement. Tested from the tester directly connected to the switch ports and both tested at 1 Gb full duplex. Then I used the existing switch-to-switch connection with the cable tester and it came back as 100 Mb full duplex. Ran a TDR and saw that there was a spike midway through the cable, indicating the cable has been repaired or reconnected in some way. I went for a walk and Bingo!, an inline Ethernet coupler. Looked pretty old and no one knew it was there because "everything worked fine".


I didn’t have a coupler to swap it out with, so I used an unmanageable gig switch since they had a few lying around as a test point. I disconnected the coupler and connected the cables to the switch. The 1 Gb port lights on the switch lit up and I confirmed on both switch ports that the corresponding ports were now 1 Gb. We cleared the port counters, let the traffic run through the port as we cleaned up and labeled equipment. We came back an hour later and confirmed that the port was running fine with no errors.


As I said in the video, I did not recommend they leave the switch in permanently, especially this one being a switch-to-switch port. I told them they basically have 2 options: replace this switch with a better manageable switch or pull a new cable run.




November 23, 2022

Wireshark File Merge

For those of you familiar with my articles, who worked with me, or who attended any of my sessions, you will quickly notice that I am not one for long flowery speeches. In my classes, I don’t start with the history of technology or networking and pretty well dive right in.


When I’m working on-site, I don’t spend a lot of time in meetings discussing stuff. As far as I’m concerned, my time is limited, just give me someone to work with, and we can chat while working.


This time, I was updating my Wireshark course material for a corporate training session and thought I would share some tips or tricks along the way.


This one is simple, 2 ways to merge Wireshark trace files.



November 21, 2022

WiFi or LAN Traffic?

I was working with a client on their proposed new laptop build and they brought up the topic of WiFi vs LAN. For those who are not familiar, we were wondering how the laptop behaves if it is connected to the network via WiFi, and then you connect the Ethernet port, docking station or similar dongle.


Since I have known these guys for a while, we can be frank and candid. I told them “Listen guys, I don’t want to spend time looking into theories that you may have ‘heard, read about or the vendor told me’.” My question was “Have you personally tested this out?” The short answer was “No”.


I then said “Great, let’s quickly test for ourselves and get it over with.” This was met with the typical reasons why they don’t have the “Time to do this”, etc. After about 2 minutes of listening to them argue amongst themselves, I interrupted and said “The time you spent avoiding this could have easily been spent testing.” I explained that the test will only take a minute, maybe two.


In the following video I show you exactly how we did it and the odd Wireshark tip along the way.



November 18, 2022

Wireshark Windows Adapter Issue and Fix

I was trying to capture packets from my Network Critical SmartNA packet broker and only saw broadcast packets.


At first, I blamed the packet broker since I assumed I knew my laptop and Wireshark so well. Do you know what they say about the word 'assume'? ;)


I then set the packet broker back to factory settings and reconfigured it twice with no change. Do you know what Einstein said about insanity? He said, “Insanity is doing the same thing over and over and expecting different results.” Yup, that was me.


I then took a look at Wireshark and noticed the adapter "promiscuous" check box was not checked. When I checked the box and tried to start a capture, I got an error message saying "The capture session could be initiated". "Please turn off promiscuous mode for this device."

After some thought, I realized the last thing that changed was that I updated Wireshark/Npcap. So I uninstalled my current version of Npcap, went to the Npcap website, downloaded an older version and installed that one.


Now everything works just fine and I can finally move on to troubleshooting the original problem.



November 16, 2022

Pros and Cons of Packet Slicing

Whenever I’m working with a client on packet analysis, I always ensure that I cover packet slicing concepts. It doesn’t matter if I am teaching, troubleshooting or baselining, I believe that packet slicing is an important part of packet capture.


One school of thought is to slice after the fact, which you can do with Wireshark’s editcap utility and the -s option and now you have the original trace and a sliced one. Unfortunately, depending on the size of the trace, you might find this a bigger job than you think and now you have to ensure you keep track of 2 files.
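What slicing after the fact does to a trace file, as an added example that is not from the original post and is not editcap's own code: it rewrites a classic little-endian pcap so each record keeps at most `snaplen` captured bytes while the original wire length is preserved. The sample capture, its payload string and the 54-byte offset (Ethernet + IPv4 + TCP headers without options) are constructed assumptions.

```python
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4          # classic pcap, little-endian, microsecond timestamps
GLOBAL_HDR = "<IHHiIII"             # magic, ver major/minor, zone, sigfigs, snaplen, linktype
RECORD_HDR = "<IIII"                # ts_sec, ts_usec, incl_len (captured), orig_len (on wire)

def records(data: bytes):
    """Yield (ts_sec, ts_usec, orig_len, frame) for every packet record."""
    off = 24
    while off < len(data):
        if len(data) - off < 16:
            raise ValueError("truncated record header")
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(RECORD_HDR, data, off)
        frame = data[off + 16: off + 16 + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated packet data")
        yield ts_sec, ts_usec, orig_len, frame
        off += 16 + incl_len

def slice_pcap(data: bytes, snaplen: int) -> bytes:
    """Return a sliced copy of the capture; the input bytes are left untouched."""
    magic, vmaj, vmin, zone, sigfigs, old_snap, linktype = struct.unpack_from(GLOBAL_HDR, data, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("not a little-endian classic pcap file")
    # Assumption of this example: record the smaller snaplen in the file header too.
    out = bytearray(struct.pack(GLOBAL_HDR, magic, vmaj, vmin, zone, sigfigs,
                                min(old_snap, snaplen), linktype))
    for ts_sec, ts_usec, orig_len, frame in records(data):
        kept = frame[:snaplen]
        # incl_len shrinks, orig_len stays: the analyzer still knows the real frame size.
        out += struct.pack(RECORD_HDR, ts_sec, ts_usec, len(kept), orig_len) + kept
    return bytes(out)

def build_sample() -> bytes:
    """Constructed two-packet capture: 54 placeholder header bytes plus a made-up payload."""
    frames = [bytes(54) + b"user=alice&token=CONSTRUCTED", bytes(60)]
    pcap = struct.pack(GLOBAL_HDR, PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        pcap += struct.pack(RECORD_HDR, 1668556800 + i, 0, len(frame), len(frame)) + frame
    return pcap

if __name__ == "__main__":
    original = build_sample()
    sliced = slice_pcap(original, 54)
    for (_, _, orig_len, frame) in records(sliced):
        print(f"captured={len(frame)} wire={orig_len}")
    print("payload still present:", b"token=" in sliced)
```

Because `orig_len` is kept, byte counts and throughput calculated from the sliced file still reflect the traffic on the wire, while the payload bytes are gone from the copy.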


In this video I cover why, and when, I packet slice. I prefer to slice ahead of time, especially if the captured packets might contain sensitive information. In this video I show you how I configured packet slicing in Wireshark and in the web interface on Network Critical’s SmartNA XL (https://www.networkcritical.com/smartna).


Keep in mind that under specific conditions, some capture devices (laptops and desktops) may drop full-sized packets, and slicing is a way to mitigate that problem. I would encourage you to test your packet capture laptops and desktops and determine when, or if, they drop packets using various frame sizes and rates.

If you need to figure out how to determine a specific slice offset, check out my other video “Figuring Out Where To Slice a Packet Using Wireshark”: https://www.networkdatapedia.com/post/2018/02/05/Figuring-Out-Where-To-Slice-a-Packet-Using-Wireshark




