Wireshark; what is it good for

Wireshark is a packet protocol analyzer that is free to download and runs on Windows, Linux, BSD, OS X and Solaris.  In the evolving broadcast studio, computer networks are the backbone of the facility, not just on the office side of the house but on the broadcast origination side as well.  Today almost everyone uses some type of computer automation system running on a network, and new technologies such as AoIP consoles, VoIP phone systems, audio and video routing, remote control, off-site monitoring, audio processing, etc. continue to develop.  Because of this, more and more broadcast engineering work is falling into the computer and networking realm.

Like anything else, networks can fail.  Failure modes can originate on the physical side, e.g. wiring, connectors, patch bays, network interface cards, or on the software/protocol side.  Being able to diagnose problems quickly and take remedial action is important.  On the networking side, once a physical problem has been ruled out, the fault is most likely in a protocol, a configuration, or the way an application behaves on the wire.  That is where Wireshark becomes useful; it takes the guesswork out of network protocol troubleshooting by showing exactly what each host sent, to whom, and when.

Wireshark has the following features (from their website):

  • Deep inspection of hundreds of protocols, with more being added all the time
  • Live capture and offline analysis
  • Standard three-pane packet browser
  • Versions available for Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and other operating systems
  • Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
  • Filtering by protocol, IP address, MAC address, frame type, sequence number, etc.
  • VoIP analysis
  • Read/write many different capture file formats: tcpdump (libpcap), Pcap NG, Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer® (compressed and uncompressed), Sniffer® Pro, and NetXray®, Network Instruments Observer, NetScreen snoop, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek, and others
  • Capture files compressed with gzip can be decompressed on the fly
  • Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others (depending on your platform)
  • Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2
  • Coloring rules can be applied to the packet list for quick, intuitive analysis
  • Output can be exported to XML, PostScript®, CSV, or plain text

Here is a quick video with some tips and tricks on using Wireshark:

A few things to keep in mind with the physical connection.  Each port on a switch is its own collision domain, so connecting a computer to a switchport creates a network segment containing just the switchport and the computer.  The switch forwards a unicast frame only to the port where it has learned the destination MAC address, so the computer's NIC sees its own unicast traffic plus the broadcast (and multicast) traffic of the network or subnetwork the switch serves, but not the unicast traffic passing between two other hosts.  Wireshark puts the NIC in promiscuous mode so that it accepts frames not addressed to it, but it cannot accept what the switch never sends to that port.  If there is a suspected problem with a particular network segment, the Wireshark computer therefore needs to join that collision domain, or have that segment's traffic copied to it.
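To make the filtering features listed above and the "what does this port actually see" point concrete, here is an added example that is not part of the original post: a small reader for classic libpcap files (the format Wireshark and tcpdump write), a display-filter-style matcher, and a check of which frames on a segment a switch would deliver to one ordinary, non-mirrored port.  The capture is constructed in the script; the MAC and IP addresses, the port numbers and the analyzer's own MAC (`MY_MAC`) are all assumptions, not anything from a real studio.

```python
"""Added example: minimal pcap reader plus Wireshark-style filters, run on a
constructed capture of the kind of traffic a studio network carries."""
import gzip
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_UDP = 17
PCAP_MAGIC_LE = 0xA1B2C3D4   # magic as read little-endian from a LE file
PCAP_MAGIC_BE = 0xD4C3B2A1   # the same bytes read from a BE file


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def _ip(s):
    return bytes(int(octet) for octet in s.split("."))


def build_udp_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport, payload):
    """Ethernet II / IPv4 / UDP frame for test data only (checksums left zero)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                     PROTO_UDP, 0, _ip(src_ip), _ip(dst_ip))
    return _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + ip + udp


def build_pcap(frames):
    """Classic pcap: 24-byte global header (link type 1 = Ethernet), then a
    16-byte record header in front of every frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def parse_frame(frame):
    """Decode the fields the filters care about.  Anything else is kept with
    proto='other' rather than dropped, so nothing silently disappears."""
    pkt = {"eth.dst": frame[0:6].hex(":"), "eth.src": frame[6:12].hex(":"),
           "proto": "other"}
    ethertype, = struct.unpack_from("!H", frame, 12)
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= 34:
        ihl = (frame[14] & 0x0F) * 4
        pkt["ip.src"] = ".".join(str(b) for b in frame[26:30])
        pkt["ip.dst"] = ".".join(str(b) for b in frame[30:34])
        pkt["ip.proto"] = frame[23]
        l4 = 14 + ihl
        if frame[23] == PROTO_UDP and len(frame) >= l4 + 8:
            sport, dport = struct.unpack_from("!HH", frame, l4)
            pkt.update({"proto": "udp", "udp.srcport": sport, "udp.dstport": dport})
    return pkt


def read_pcap(data):
    """Accepts a classic pcap, gzip-compressed or not.  pcapng is rejected."""
    if data[:2] == b"\x1f\x8b":
        data = gzip.decompress(data)
    magic, = struct.unpack_from("<I", data, 0)
    endian = {PCAP_MAGIC_LE: "<", PCAP_MAGIC_BE: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic libpcap file")
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("only Ethernet (link type 1) captures are decoded here")
    pkts, off = [], 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        pkts.append(parse_frame(data[off:off + incl_len]))
        off += incl_len
    return pkts


def display_filter(pkts, **conds):
    """Like a Wireshark display filter such as
    'ip.src == 192.168.10.20 && udp.dstport == 10000'; field names contain
    dots, so pass them as display_filter(pkts, **{"ip.src": "..."})."""
    return [p for p in pkts if all(p.get(k) == v for k, v in conds.items())]


def visible_on_plain_switch_port(pkts, my_mac):
    """Of everything on the segment, the frames a switch delivers to one
    ordinary (non-mirrored) port: unicast to that port's MAC plus broadcast
    and multicast (group bit of the first octet set).  Unknown-unicast
    flooding is ignored for simplicity."""
    def delivered(p):
        return p["eth.dst"] == my_mac or int(p["eth.dst"][:2], 16) & 1
    return [p for p in pkts if delivered(p)]


MY_MAC = "00:11:22:33:44:55"      # the Wireshark host (assumed)
SAMPLE_FRAMES = [                 # constructed traffic, not a real capture
    # AoIP console multicasting audio to a group address
    build_udp_frame("01:00:5e:40:00:0a", "aa:bb:cc:00:00:01",
                    "192.168.10.5", "239.192.0.10", 5004, 5004, b"\x80" * 12),
    # automation PC sending a cue to this host
    build_udp_frame(MY_MAC, "aa:bb:cc:00:00:02",
                    "192.168.10.20", "192.168.10.30", 40000, 10000, b"PLAY"),
    # automation PC sending a cue to a different playout host
    build_udp_frame("aa:bb:cc:00:00:03", "aa:bb:cc:00:00:02",
                    "192.168.10.20", "192.168.10.31", 40001, 10000, b"STOP"),
    # a broadcast from a remote control unit
    build_udp_frame("ff:ff:ff:ff:ff:ff", "aa:bb:cc:00:00:04",
                    "192.168.10.40", "192.168.10.255", 5000, 5000, b"\x00" * 8),
]
SAMPLE_PCAP = gzip.compress(build_pcap(SAMPLE_FRAMES))   # exercises the gzip path

if __name__ == "__main__":
    pkts = read_pcap(SAMPLE_PCAP)
    from_automation = display_filter(pkts, **{"ip.src": "192.168.10.20"})
    seen_here = visible_on_plain_switch_port(pkts, MY_MAC)
    print(f"{len(pkts)} frames on the segment, {len(from_automation)} from the automation PC")
    print(f"{len(seen_here)} would reach this host's port without a hub or SPAN")
```

The cue between the automation PC and the other playout host is the one that never reaches the analyzer's own port; that is exactly the frame a hub or a mirrored port exists to show you, and it is the kind of thing that is missing when a capture taken on the engineer's laptop "looks clean".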

Creating a network segment tap with a hub

The simplest way is to install Wireshark on a host that is already in that collision domain.  Alternately, a hub can be inserted to add the analyzer to the segment; keep in mind that a hub is half duplex, so it forces the link down to 10/100 half duplex and repeats every frame to every port, which can itself change the behavior being investigated.  Or, if it is a managed switch, there is usually a provision to copy the traffic of one or more ports (or a VLAN) to a designated monitor port.  This is called ‘port mirroring’, ‘port monitoring’, ‘Roving Analysis’ (3Com), or ‘Switched Port Analyzer’ or ‘SPAN’ (Cisco).
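As an added illustration, not from the original post, this is what a mirroring session looks like on a Cisco IOS switch; the interface numbers are assumed (the console on Gi0/1, the Wireshark computer on Gi0/24), and other vendors use different commands for the same thing:

```text
! Copy both directions of Gi0/1 (the AoIP console) to Gi0/24 (Wireshark PC)
monitor session 1 source interface GigabitEthernet0/1 both
monitor session 1 destination interface GigabitEthernet0/24
! Confirm the session is active, then remove it when the job is done
show monitor session 1
no monitor session 1
```

Three things to check before trusting what the mirror shows.  By default the destination port only sends copies and does not pass the Wireshark computer's own traffic, so that machine will not have normal network access through that port.  Mirroring both directions of a 1 Gb link into a single 1 Gb destination can exceed the destination's capacity, and the switch silently drops the excess copies, so a gap in the capture is not necessarily a gap on the wire.  And a switch only copies frames it accepted; frames with FCS errors caused by a bad cable or connector are discarded before SPAN ever sees them, which is one case where a hub or a passive tap still beats a mirrored port.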

Network diagram with managed switch

A quick tutorial on what to look for when using Wireshark, Part A:

Part B:

And briefly, that is how it is done.  There are many more videos on youtube and elsewhere if interested in learning more.

I think I’m in love

After strenuously resisting, I have begun to see the beauty of online radio.  I have been a shortwave radio listener since I was a wee young lad.  After many years of declining listening options, I have finally broken down and started listening to radio online.  I am not disappointed.  Because I need my main computer to do things on, I decided that I should have an internet media computer.

I took an old Dell PC and repurposed it as an online tuner.  This particular unit is rather old and once belonged to my mother.  It is a P4 2.8 GHz with one gigabyte of memory and had a bad hard drive.  It was completely submerged for almost 24 hours during the flooding following Hurricane Irene in 2011.  After examination, the BIOS battery was corroded and dead, there was some dirt and junk in the bottom of the case, but otherwise it appeared functional.  Even the DVD/CD drive worked.

Dell Dimension E310 computer

The 19 inch Dell monitor was found at the dump.  It had the classic flashing power button with no picture problem.  I took it apart and found a bulging 1000 µF 25 VDC electrolytic capacitor on the power supply board.  Replaced that and a few other suspicious looking electrolytics and it works as good as new.  There are several YouTube videos on how to get an LCD monitor apart which were very helpful, as it is not at all intuitive.

Dell 19 monitor, found at dump

Thus, with the cleaning and repair work completed, I purchased a new 80 GB SATA drive and a new CR2032 BIOS battery, then got started.  Somewhere around here I have some Windoze XP CDs which I was going to use to reload the operating system.  Then I thought, what fun is that?  Instead, I downloaded the latest Ubuntu ISO and made a live USB device.  I have messed around with Linux before; it is fun and full of geeky wonderfulness, that is true.  Ubuntu is a whole different ball game.  The software packages included in the 12.04 distro are pretty impressive.  It is very easy to install and get the feel for without worrying too much about command line issues.  All in all, highly cool and highly recommended.

The one thing I will say about Ubuntu is that it is processor intensive.  With 2.8 GHz of single core blazing speed, some of the radio station stream players were running 95-100% processor utilization.  Many of these are the pop-up web browser players with the fancy spectral display.  The workaround is to go someplace like tunein.com and grab the .pls (playlist file) stream from there.

Screen shot, Ubuntu desktop, Audacious media player

This is the Audacious media player streaming the WXPK HE-AAC stream found here:

http://provisioning.streamtheworld.com/pls/WXPKFMAAC.pls

I also listened to the BBC for a while, which was a pleasant change of pace.

Once the .pls file is in Audacious as a play list, just click on it to start streaming.  You can save as many .pls files as you want, thus Audacious can keep a list of your favorite radio stations.

This is a project in development.  The family is away on vacation and left me home by myself for a week.   Next up, I think I will get a 54 inch LCD screen and a VGA to HDMI converter.  Then this will become part of the media center for the house, replacing the old CRT TV set and DVD player in the living room.  At that point, goodbye cable TV.  Boy, are they going to be surprised.

Eventually, the internet WILL be censored

Congress is yet again contemplating a cyber security bill, this time called CISPA.  This one has some worrisome privacy implications for the general internet user.  I recall, not too long ago, another such measure called SOPA/PIPA which created a huge uproar and was voted down.  For Congress and its corporate sponsors, this development was just a slight inconvenience when applying the “if at first you don’t succeed, try, try again” legislative method.

Not mentioned in this particular bill is the internet kill switch, which exists now in one form or another, and the unofficial back doors into operating systems and routers.  Those things are in place, but their use is not codified.  The internet can be monitored, user data can be stored indefinitely, and it can be restricted or switched off at a moment’s notice.  That is the reality of the world we live in.

This is why a vibrant, independent radio broadcasting medium is important.  After doing some number crunching over the weekend, I came upon some pretty interesting data points:

  • Large and medium large (over 30 stations) group owners account for approximately 2,300 AM and FM stations
  • NPR affiliated stations number about 900
  • There are 4,736 AM, 6,603 commercial FM, 3,917 educational FM and 802 low power FM stations licensed as of March 31, 2013.
  • There are 77 AM and 178 FM (not counting translators) stations known to be silent

Therefore, approximately 3,200 of the 15,803 stations on the air are controlled by major corporate interests or media conglomerates; the remaining stations are owned by medium-small groups (fewer than 30 stations) or individuals.  Those figures create an interesting situation when discussing the future of radio.  What do the majority of owners and listeners want?  Ask the market.

Category 7 Cable

As data transfer technology progresses, so do cable types.  Category 6 UTP copper cable is commonly used today in ethernet installations where 1000BASE-T (gigabit ethernet) is required.  Cat 6 cable has a certified bandwidth of 250 MHz (500 MHz for Cat 6A).  Category 6 is a refinement of Category 5 and 5e: the pairs are twisted more tightly, often with the two conductors of a pair bonded together, and most cables include a separator (spline) that keeps each pair the same distance from the others and in the same relationship to each other.  The four twisted pairs in Cat 6 cable are also twisted around each other within the overall cable jacket.

Category 7 cable is much different from its predecessors.  It has an overall shield and individual pairs are shielded:

Category 7, STP ethernet cable

Shields on the individual pairs are there to reduce crosstalk between pairs (NEXT and FEXT).  Category 7 also requires special shielded connectors; the GG45 plug and jack are the usual choice (the TERA connector is the other Class F option).  Pinouts and color codes are the same as for gigabit ethernet over Category 5e and 6; however, Category 7 (ISO 11801 Class F) GG45 jacks and plugs also have four additional contacts at the corners of the connector, which moves the outer pairs farther apart for better isolation between them.  A small switch in the jack senses when a Category 7 plug is inserted and switches to the corner contacts, which keeps jacks and patch panels backwards compatible with Category 5/6 plugs.

Category 7 GG45 connectors, jack and plug

Category 7 cable is rated for 600 MHz bandwidth (1000 MHz for 7A), which is enough for 10 Gb ethernet (10GBASE-T) over the full 100 meter channel; Category 6A is rated for the same distance, while plain Category 6 is limited to about 55 meters at 10 Gb.  This was previously the domain of fiber cable.  Copper cable has some advantages over fiber: it requires less complicated equipment (no transceivers, and it can be terminated in the field with ordinary tools), copper is less expensive than fiber, and it is more durable.  One caveat is that the 10GBASE-T PHY adds a few microseconds of latency that a fiber link does not, which is worth remembering when the traffic is live audio.  It is nice to have the flexibility to use copper cable on 10 Gb ethernet for runs of 100 meters or less.  Longer runs still require fiber.

Category 7 and 7A cable looks remarkably similar to the older Belden multipair “computer cable” pressed into service as audio trunk cable, seen so often in older studio installations.