Alteryx Designer Desktop Knowledge Base

Definitive answers from Designer Desktop experts.

How to Collect Wireshark Traces

gtorres8
Alteryx Alumni (Retired)

This is a guide on how to capture a network trace using a 3rd party tool called Wireshark. Wireshark is a network protocol analyzer used for troubleshooting and analysis.
 

Prerequisites

 

  • Alteryx Designer
    • All versions
  • Wireshark
 

Procedure A - Download and Install Wireshark

 
Steps

1. Visit the Wireshark site.
2. Download the 64-bit installer.
3. Run the installer and install with the default settings.
 

Procedure B - Recommended Customizations

 
Steps


Configure Wireshark to Show the Delta Time


Delta time is the amount of time between displayed packets.

1. Go to Edit > Preferences, select Appearance - Columns on the left, and click the plus (+) button at the bottom.

2. Name the title "Delta Time" and change the type to "Delta time displayed". Feel free to drag it next to the time column for a side-by-side comparison.



Creating Coloring Rules


Coloring rules help highlight certain filter criteria displayed in the trace.

1. Go to View > Coloring Rules.

2. Click the plus (+) button at the bottom and give it the desired name and apply a filter command.

For example:

Name: TCP SYN | Filter: tcp.flags.syn==1


3. Click the Background button at the bottom and select the desired color and click OK.

4. Click OK to save the coloring rules.

 

Creating Shortcut Buttons


Creating custom buttons will help apply filters that are used frequently for troubleshooting without needing to type them in manually.

1. Click the plus (+) button to the right of the filter bar.

2. Type in a name for the button in the Label field and type in a filter command in the Filter field and click OK. The new button will be to the right of the filter bar.


 

Procedure C - Configuring to Start a Trace


Use the settings below to start the trace when replicating the issue.

1. Go to Capture > Options.

2. Configure the following within the Capture Options window:

Input Tab
 

a. Click the Manage Interfaces button and place checkmarks on the interfaces to monitor (e.g., Wi-Fi). HINT: When Wireshark is first opened, each interface shows a tiny graph, like a heartbeat monitor, of any detected activity; the interface with activity is the one carrying the traffic.


b. Ensure "Enable promiscuous mode on all interfaces" is checked so the adapter captures all traffic it sees, not just traffic addressed to this workstation. On a switched network this still means mostly the workstation's own traffic plus broadcast and multicast; seeing other hosts' conversations requires a mirror (SPAN) port.


Output Tab
 

a. Capture to a permanent file - Click Browse to set a location where the logs are saved using a desired name with the .pcapng extension.

b. Leave output format to pcapng.

c. If Wireshark needs to be left running for a long period because the issue is intermittent, check "Create a new file automatically" and set it to "after 10 megabytes". This keeps each trace file small, so only the file covering the time when the issue occurred needs to be reviewed.

Optional: Check "Use a ring buffer with n files" to cap the total number of files created; capturing continues, and the oldest files are overwritten once the limit is reached.



Options Tab
 

a. Update list of packets in real-time: Un-check this option if the problem being investigated is occurring on the same workstation where Wireshark is running, so that redrawing the packet list does not add load to that machine.

b. Automatically scroll during live capture: Wireshark will scroll the window so that the most current packet is displayed. Check this option.

c. Show capture information during live capture: Set this option to be able to view the count of packets being captured for each protocol. Check this option.

d. Resolve MAC Addresses: Check this option.

e. Resolve network names: Check this option.

f. Resolve transport names: Check this option.



3. Click the Start button to start the capture.

4. Replicate the issue. After the issue has been replicated, stop the capture using the red square in the upper-left corner.

5. Locate the file(s) whose timestamp matches when the issue occurred. It is recommended that a network team within your organization review and analyze them. If sending the trace to Alteryx Support, compress (zip) the file and upload it to Support for analysis.

NOTE: Do not email any pcapng files to Support. Ensure an SFTP or Alteryx Drop site has been established with Support. It's also recommended to password protect the zip file, since a trace can contain credentials, session cookies, and file contents sent in clear text.

 

Tips and Tricks for Reading Wireshark Traces

 


Useful Display Filter Commands
 

Filter Command | Description

tcp.analysis.flags | Packets for which Wireshark's TCP analysis has detected a potential problem. The definition of these flags can be found in the Wireshark docs.

tcp.flags.syn == 1 | Shows all TCP SYN packets. A SYN (synchronize) is a TCP packet sent to another computer requesting that a connection be established between them. If the SYN is received by the second machine, a SYN/ACK (acknowledge) is sent back to the address that sent the SYN. Lastly, if the original computer receives the SYN/ACK, a final ACK is sent.

ip.addr == <ip_address> && tcp.flags.syn == 1 | Isolates the traffic for a particular host in the capture and shows the TCP streams it initiated. Note that ip.addr matches either direction, so SYNs sent to that host are shown too; use ip.src instead to keep only streams it opened.

tcp.port in {53 139 445} or udp.port in {53 137 138} or icmp | DNS, NetBIOS and SMB file-sharing ports, and ICMP from networking devices.

!(eth.dst == ff:ff:ff:ff:ff:ff or arp or cdp or lldp or stp) | Removes "chatter" by hiding broadcast frames and non-essential discovery protocols from the view. Use && to combine it with other filters.

 



Using the right-click features to help build filters

 

 

  • Conversation Filter > Ethernet, IPv4, TCP will show all the conversations between the selected source and destination of the packet selected either by the Ethernet MAC Address, version 4 IP address, or by the TCP ports; respectively.



 

 

Apply/Prepare as Filter: right-click any field in the trace to either build and apply a filter with the proper syntax, or build the filter in the filter bar without applying it so it can be previewed and edited first. The sub-menu offers Selected, Not Selected, ...and Selected, and so on, which combine the new condition with whatever is already in the filter bar.


 



Common Indicators of Network Latency

 


TCP Dup ACKs usually mean there is a gap in the received sequence numbers, which implies that one or more packets were lost in transit. Seeing many in a row usually means the server hasn't caught up yet: the client keeps sending Dup ACKs for the missing sequence number until the server sends a TCP Fast Retransmission, indicating it has caught up. Over time this adds to the overall network overhead.


 

Putting packets into context to see delays on a Server


1. Pick any row in the trace.

2. Go to the Packet Details window and navigate to Transmission Control Protocol > Timestamps.

3. Right-click on Time since previous frame in this TCP stream > Apply as Column.

4. Rename the column (right-click the column header) to TCP Delta Time, as it displays the time between packets within the same TCP stream.

5. Sort by TCP Delta Time and go to the last packet. The green arrow button in the toolbar jumps to the last packet.

6. Look at the source and destination IP and confirm which one is the server. If the server IP shows long TCP Delta Time values as the source, or repeated high values, right-click that packet row > Conversation Filter > TCP.


7. Sort by the number (no.) column to put the packets back in order.

8. This will help see the story in context. In the example below the source IP (Server) takes about 8 seconds to send 45 bytes of data (TCP Segment Len) to the client destination for every packet, which can add up over time.

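The TCP Delta Time column and the Conversation Filter used in the steps above, reproduced in Python over a constructed packet list so the "slow server" pattern can be checked outside the GUI. This is an added example, not part of the original article or of Wireshark; the Packet fields, addresses and timings are assumed for illustration.

```python
from collections import namedtuple

# One row of the packet list: frame number, capture time in seconds, the two
# endpoints, and the TCP payload length (Wireshark's "TCP Segment Len").
Packet = namedtuple("Packet", "no time src sport dst dport seg_len")

# Constructed sample (not a real capture): 10.0.0.5 is the server, answering
# 10.0.0.20 in 45-byte segments about 8 s apart; 10.0.0.30/10.0.0.9 is an
# unrelated, healthy stream mixed into the same trace.
SAMPLE = [
    Packet(1, 0.000, "10.0.0.20", 52000, "10.0.0.5", 443, 0),    # SYN
    Packet(2, 0.010, "10.0.0.5", 443, "10.0.0.20", 52000, 0),    # SYN/ACK
    Packet(3, 0.011, "10.0.0.20", 52000, "10.0.0.5", 443, 120),  # request
    Packet(4, 0.020, "10.0.0.30", 40000, "10.0.0.9", 80, 0),
    Packet(5, 0.025, "10.0.0.9", 80, "10.0.0.30", 40000, 0),
    Packet(6, 8.011, "10.0.0.5", 443, "10.0.0.20", 52000, 45),   # slow reply
    Packet(7, 8.012, "10.0.0.20", 52000, "10.0.0.5", 443, 0),
    Packet(8, 16.012, "10.0.0.5", 443, "10.0.0.20", 52000, 45),  # slow reply
    Packet(9, 16.013, "10.0.0.20", 52000, "10.0.0.5", 443, 0),
]

def stream_key(p):
    """Conversation key independent of direction (Wireshark's tcp.stream)."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

def conversation_filter(p):
    """Display filter equivalent to right-click > Conversation Filter > TCP."""
    (a, ap), (b, bp) = stream_key(p)
    return f"(ip.addr=={a} && tcp.port=={ap}) && (ip.addr=={b} && tcp.port=={bp})"

def tcp_delta_times(packets):
    """Return {frame_no: seconds since the previous frame in the same TCP
    stream}, i.e. the TCP Delta Time column. First frame of a stream = 0.0."""
    last_seen, deltas = {}, {}
    for p in sorted(packets, key=lambda pk: pk.no):
        key = stream_key(p)
        deltas[p.no] = round(p.time - last_seen[key], 6) if key in last_seen else 0.0
        last_seen[key] = p.time
    return deltas

def slow_senders(packets, threshold=1.0):
    """Per source IP, count frames sent only after a gap of at least `threshold`
    seconds in their stream; the host topping this list is the slow side."""
    deltas = tcp_delta_times(packets)
    counts = {}
    for p in packets:
        if deltas[p.no] >= threshold:
            counts[p.src] = counts.get(p.src, 0) + 1
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)
```

Sorting `tcp_delta_times(SAMPLE)` by value and reading off the source IP of the top frames is exactly steps 5 and 6; `conversation_filter` gives the string to paste into the filter bar to isolate that stream.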

 


Additional Information