Using the Wireshark Commenting Feature

Somewhere around version 1.8 a commenting feature was introduced in Wireshark. When used with the pcapng file format, the comments are saved within the capture for later use. This feature can be beneficial in scenarios where you may be working with a third party and need to communicate your interpretation of a capture. Additionally, this is a great way to document a capture for future use by you or your colleagues. This article is an introduction and quick look at how the Wireshark commenting feature can be used to save time when documenting packet captures.

Prerequisites

The first thing to be aware of is that this feature requires the pcapng file format. This file format allows for saving the comments as additional metadata. There are a few ways to configure Wireshark to use the pcapng format. My recommendation is to change the preferences in Wireshark to default to capturing in pcapng format. There’s really no downside to doing this unless there is a need to read the file in an old version of Wireshark or Ethereal.

Having set the capture format to pcapng, the best way to look at the commenting features is to capture some traffic. For this example, I have captured some traffic to and from Google’s DNS server (8.8.8.8).

Just a Boring Capture

Wireshark Comment 1

Commenting the Capture File

The first thing to notice at the bottom left side of the Wireshark window is a notepad symbol. Clicking on this icon will bring up an annotation window. Notes entered here are not specific to a packet, but general notes that you can add about the entire capture. The notes can be viewed in the future by opening the dialog box back up or by viewing the summary page (Statistics -> Summary) for the capture.

Comment Icon

Wireshark Comment 2

Capture Comment Window

Wireshark Comment 3

Since the capture comment is not specific to single packets, it is only moderately useful. This particular feature can be used like a text document embedded into the capture file. While it can be useful, it is far from an earth-shattering new feature.

Commenting on Packets

What I think is more useful is the ability to annotate single packets. In our example, we will annotate a couple of packets and look at some ways to find and view these comments.

To add a packet comment, simply right-click on the interesting packet. I’ll comment on an ICMP Echo and a DNS query.

Adding a Packet Comment

Wireshark Comment 4

Wireshark Comment 5

I also similarly commented on a DNS request to better demonstrate the associated navigation features.

Navigating Commented Packets

To quickly filter the entire capture to only commented packets, the “pkt_comment” display filter may be used.

Wireshark Comment 6

Another way to navigate to the next commented packet is to use the “Find” feature. The quick way to bring up this dialog box is the “ctrl-f” keyboard shortcut. The same “pkt_comment” display filter syntax can be used.

Wireshark Comment 7

Notice that selecting any of the commented packets shows a green line in the packet detail window. This line can be expanded to view the comment.

Wireshark Comment 8

One final way to navigate commented packets is by using the Expert Info dialog box. The easy way to bring this up is clicking on the circular icon in the bottom left corner of the Wireshark window.

Wireshark Comment 9

In the Expert Info window, the rightmost tab should now read “Packet Comments: X”, where X is the number of commented packets.

Wireshark Comment 10

Single-clicking an entry in the Expert Info window will advance the main Wireshark UI to that packet. Double-clicking the entry will allow the comment to be edited.
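Where the comments actually live in the file, as an added example (my own Python, not code from the original article or from the Wireshark project): a capture comment is stored as an opt_comment option on the pcapng Section Header Block, and each packet comment as an opt_comment option on that packet's Enhanced Packet Block. The script builds a small little-endian pcapng file from constructed, zero-filled frames, then reads the comments back the way a review script would; block types it does not know are skipped by their length, and a truncated or malformed block raises instead of being read past the end.

```python
import struct

# pcapng block types and option codes, as defined in the pcapng specification
SHB = 0x0A0D0D0A   # Section Header Block: carries the capture-wide comment
IDB = 0x00000001   # Interface Description Block
EPB = 0x00000006   # Enhanced Packet Block: carries per-packet comments
OPT_ENDOFOPT, OPT_COMMENT = 0, 1
BYTE_ORDER_MAGIC = 0x1A2B3C4D   # value when the section is little-endian


def _pad4(n):
    """Bytes needed to pad n up to a multiple of 4 (pcapng aligns everything to 4)."""
    return (-n) % 4


def _encode_options(comments):
    """Encode each string as an opt_comment option; an empty list yields no options."""
    out = b""
    for text in comments:
        data = text.encode("utf-8")
        out += struct.pack("<HH", OPT_COMMENT, len(data)) + data + b"\0" * _pad4(len(data))
    if out:
        out += struct.pack("<HH", OPT_ENDOFOPT, 0)
    return out


def _block(block_type, body):
    """Wrap a body in the generic block header/trailer (type, total length ... total length)."""
    total = 12 + len(body)
    return struct.pack("<II", block_type, total) + body + struct.pack("<I", total)


def build_pcapng(capture_comment, packets):
    """Build a minimal little-endian pcapng file. packets: list of (frame_bytes, comment_or_None)."""
    shb = struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1)   # magic, version 1.0, section length unknown
    shb += _encode_options([capture_comment] if capture_comment else [])
    idb = struct.pack("<HHI", 1, 0, 65535)                  # LINKTYPE_ETHERNET, reserved, snaplen
    blocks = [_block(SHB, shb), _block(IDB, idb)]
    for i, (frame, comment) in enumerate(packets):
        # interface id 0, timestamp high/low (constructed), captured length, original length
        body = struct.pack("<IIIII", 0, 0, i, len(frame), len(frame))
        body += frame + b"\0" * _pad4(len(frame))
        body += _encode_options([comment] if comment else [])
        blocks.append(_block(EPB, body))
    return b"".join(blocks)


def _decode_options(buf):
    """Return the opt_comment strings found in an options area."""
    comments, pos = [], 0
    while pos + 4 <= len(buf):
        code, length = struct.unpack_from("<HH", buf, pos)
        pos += 4
        if code == OPT_ENDOFOPT:
            break
        if pos + length > len(buf):
            raise ValueError("option runs past the end of its block")
        if code == OPT_COMMENT:
            comments.append(buf[pos:pos + length].decode("utf-8", "replace"))
        pos += length + _pad4(length)
    return comments


def read_comments(blob):
    """Return (capture_comments, {frame_number: comment}) from a pcapng blob."""
    capture_comments, packet_comments = [], {}
    pos, frame = 0, 0
    while pos + 12 <= len(blob):
        block_type = struct.unpack_from("<I", blob, pos)[0]
        if block_type == SHB and struct.unpack_from("<I", blob, pos + 8)[0] != BYTE_ORDER_MAGIC:
            raise ValueError("only little-endian sections are handled by this example")
        total = struct.unpack_from("<I", blob, pos + 4)[0]
        if total < 12 or total % 4 or pos + total > len(blob):
            raise ValueError("malformed or truncated block at offset %d" % pos)
        body = blob[pos + 8:pos + total - 4]
        if block_type == SHB:
            capture_comments.extend(_decode_options(body[16:]))   # options follow the 16-byte SHB fields
        elif block_type == EPB:
            frame += 1                                           # Wireshark frame numbers start at 1
            caplen = struct.unpack_from("<I", body, 12)[0]
            for text in _decode_options(body[20 + caplen + _pad4(caplen):]):
                packet_comments[frame] = text
        pos += total   # any other block type is skipped by its declared length
    return capture_comments, packet_comments


# Constructed sample: three dummy frames, two of them commented (not a real capture)
SAMPLE_FRAMES = [
    (b"\0" * 60, None),
    (b"\0" * 60, "ICMP echo request to 8.8.8.8"),
    (b"\0" * 42, "DNS A query for example.com"),
]


def demo():
    blob = build_pcapng("DNS and ICMP to 8.8.8.8 (constructed sample)", SAMPLE_FRAMES)
    return read_comments(blob)


if __name__ == "__main__":
    capture, per_packet = demo()
    print("capture comment(s):", capture)
    for number, text in per_packet.items():
        print("frame %d: %s" % (number, text))
```

A file written by build_pcapng() opens in Wireshark, and the pkt_comment display filter from the section above should match frames 2 and 3 of the sample. Two limits are deliberate: the reader checks the byte-order magic and refuses big-endian sections rather than misreading them, and it ignores Simple Packet Blocks, which have no options area and therefore cannot carry a comment anyway.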

Conclusion

Often when working in a capture file, there is a need to transfer knowledge between individuals. Additionally, there is often the need to return to a capture that you began analyzing at a different point in time. These scenarios create the problem of having to reanalyze and to become familiar with the capture again. Written documentation, while helpful, is time consuming, challenging and often isn’t done effectively. Using the commenting tools in Wireshark is a quick and easy way to annotate the interesting packets and attributes found in a capture. This annotation feature can save a significant amount of time for you and your colleagues as they process the file at a different time or setting.

Posted in Certification, General, Network, Technology | Tagged | Leave a comment

SolarWinds Portfolio Overview

On several occasions, I have mentioned that I spent a fair amount of my consulting career working with small and medium size businesses. While SolarWinds certainly doesn’t constrain their solutions to smaller networks, they are a primary player in that space. I think if many in this space looked at their network management challenges, SolarWinds would typically have a competitive solution. It seems to regularly be the case that I’m faced with two choices when I look to solve network management challenges. While one is putting together some open source homegrown solution, the other choice is often a prebuilt solution from SolarWinds.

One of the things that can be rather confusing is determining which component of the SolarWinds suite of solutions fills a particular need, and what interdependencies may exist between their offerings. The video below, recorded at Networking Field Day 5, is a discussion that outlines the features of the various network management solutions offered by SolarWinds.

Continue reading

Posted in Blogroll, Events, Technology | Tagged , | Leave a comment

Using Notepad++ to Mirror Cisco ACLs

Having an occasional need to create mirrored access-list entries, I was seriously considering writing a Perl script to automate this process. Before I really got started on it, I stumbled on a pretty cool feature in Notepad++. This feature uses Perl-style regular expressions to do more sophisticated searches within a document. In addition, the replace function allows the captured groups (backreferences) from the search expression to be referenced in the replace field. This article will look at these features in Notepad++ and demonstrate their use to mirror Cisco ACLs.

For those who are less than comfortable creating regular expressions, we will go through a step by step example of what this looks like. Additionally, we will see how to scope the replacement by selecting an area of text. Finally, we will see how we can streamline the execution of this task by using a macro. After seeing how these features can be utilized together to create a solution, you’re sure to have some time-saving ideas for your own organization.

Our goal for this exercise is to mirror two ACLs. We will start out with a named and a numbered ACL that will be mirrored. These ACLs will include things like layer 4 ports and log options that create challenges for simple mirroring routines. Continue reading
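As an added illustration of the technique that article describes (a Perl-style regular expression whose captured groups are re-emitted in a different order by the replacement), here is the same mirroring done in Python. This is my own regex and code, not the article's Notepad++ expressions, and it assumes plain IPv4 extended ACEs of the form `[seq] permit|deny proto SRC [port-match] DST [port-match] [log ...]`: named groups capture each side together with its own port match, and the replacement swaps the two sides as units, so a port stays attached to the address it belongs to, which is exactly the detail that breaks a naive source/destination swap.

```python
import re

# Building blocks for one Cisco IOS extended ACE (IPv4 only; assumed format,
# not the article's Notepad++ expressions).
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# any | host A.B.C.D | A.B.C.D WILDCARD
ADDR = r"(?:any|host\s+" + IP + r"|" + IP + r"\s+" + IP + r")"
# optional port match; the leading whitespace is kept inside the group
PORT = r"(?:\s+(?:eq|gt|lt|neq)\s+\S+|\s+range\s+\S+\s+\S+)"

ACE = re.compile(
    r"^(?P<prefix>\s*(?:\d+\s+)?(?:permit|deny)\s+\S+\s+)"   # [seq] permit|deny proto
    + r"(?P<src>" + ADDR + r")(?P<sport>" + PORT + r")?"     # source and its port match
    + r"\s+(?P<dst>" + ADDR + r")(?P<dport>" + PORT + r")?"  # destination and its port match
    + r"(?P<suffix>(?:\s+\S+)*)\s*$"                         # trailing options: log, established, ...
)


def mirror_ace(line):
    """Swap source and destination (each with its own port match) in one ACE.
    Lines that are not extended ACEs (remarks, the access-list header) come back unchanged."""
    m = ACE.match(line)
    if not m:
        return line
    g = m.groupdict()
    return (g["prefix"] + g["dst"] + (g["dport"] or "") + " "
            + g["src"] + (g["sport"] or "") + g["suffix"])


def mirror_acl(text):
    """Mirror every ACE in a block of ACL text, preserving line order and non-ACE lines."""
    return "\n".join(mirror_ace(line) for line in text.splitlines())


# Constructed sample: a named ACL with port matches and a log option (not from the article)
SAMPLE_ACL = """\
ip access-list extended BRANCH-IN
 remark traffic from branch to HQ
 permit tcp host 10.1.1.1 host 10.2.2.2 eq 80 log
 10 deny udp 192.168.1.0 0.0.0.255 range 1024 65535 any eq 53
 permit ip any any"""

if __name__ == "__main__":
    print(mirror_acl(SAMPLE_ACL))
```

Mirroring is its own inverse, so running mirror_ace() twice on a line must give the line back; that is a cheap sanity check to keep when extending the pattern to other address forms (object groups, IPv6) that this version deliberately leaves unmatched so they pass through untouched rather than being mangled.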

Posted in CCIE Security, CCNA Security, Certification, Network, Security, Technology | Tagged , , | 4 Comments

Frame Buffer — Upcoming PacketU Articles for June 2013

In The Queue

  • Using Notepad++ to Mirror Cisco ACLs
  • Cisco Live 2013 Content
  • More Content from Networking Field Day 5
  • Book Review–NX-OS and Cisco Nexus Switching: Next Generation Datacenter Architectures (2nd Edition)

Punted to the CPU

With a planned family vacation, Cisco Live 2013 and regular work challenges, I expect the month of June to be rather busy. I do have some more ideas and plan to announce them as I find time to bring them to fruition.

Frame Buffer articles serve as a way to keep readers informed of upcoming PacketU articles and help keep me on a committed forward moving track. Not all articles will come to fruition, but they are an earnest intention when they are mentioned.

Posted in Certification, General, Technology | Leave a comment

SolarWinds–Kiwi Free Re-released, Launches Firewall Browser

Until earlier this year, I always kept a copy of Kiwi Syslog on my laptop for general troubleshooting. However, when I attempted to download a fresh copy, I noticed it was no longer available from the SolarWinds website. In an April 24, 2013 press release, they announced the re-release of their free version of Kiwi Syslog as well as another free tool that they are calling the “SolarWinds Firewall Browser”.

Recently Announced SolarWinds Free Products

Disclaimer: SolarWinds was a sponsor for Networking Field Day 5. As a result, their sponsorship covered a portion of the cost of my travel and expenses associated with my attendance to this event. This article itself was written without any restrictions or requirement to do so. My opinions on this product are my own and are accurately reflected.

Posted in Blogroll, Events, Technology | Tagged , | Leave a comment

Ruckus on 802.11ac

Being an attendee at a Networking Field Day event is always a very exciting opportunity. During Networking Field Day 5, I enjoyed the opportunity to learn and discuss products and ideas with vendors and fellow delegates. This particular field day event offered us the opportunity to meet with a wireless only company. This type of session, typically reserved for a Wireless Field Day event, was an overview on wireless concepts, the history of Ruckus, and Ruckus on 802.11ac.

The video below is a portion of the NFD5 session with Ruckus. This particular segment is Sandip Patel’s discussion on the history of 802.11ac and how Ruckus is addressing this standard.

Sandip Patel of Ruckus Wireless Places 802.11ac in the History of Wi-Fi from Stephen Foskett on Vimeo.

The thing I like about Ruckus is that they focus on one thing and they do it well. While their focus is wireless, they are well-known for antenna design. They do wireless well by using this knowledge to leverage challenges into unique advantages. As demonstrated by Sandip Patel, the Ruckus engineering staff possess a wealth of wireless knowledge.

Other Ruckus Videos From Networking Field Day 5

Disclaimer: Ruckus was a sponsor for Networking Field Day 5. As a result, their sponsorship covered a portion of the cost of my travel and expenses associated with my attendance to this event. This article itself was written without any restrictions or requirement to do so. My opinions on this product are my own and are accurately reflected.

Posted in Events, Network, Technology | Tagged , , | Leave a comment

Technology Career Site Announcement

The Packet University, along with John Harrington from The Network Sherpa, would like to announce a new site. The focus of this new site is the challenges of getting and keeping meaningful work in the field of Technology. After reaching out to the PacketU community less than three weeks ago, I learned that John had many of the same ideas and convictions that I held in regards to bridging the gaps between employees and employers. At that point we began building the site that can be found at the url below.

New Site Addressing Technology Career Challenges

John and I have spent a considerable amount of time over the last few weeks generating some initial content, testing site performance and adjusting the theme. I truly hope this becomes a resource that extends both of our communities while providing unique and valuable information. While this is a new site, we are committed to doing what is necessary to make it a valuable resource for those seeking answers to technology career challenges.

John and I wish to solicit initial and ongoing feedback, comments and ideas. Additionally, we encourage everyone to share this resource with their communities. So check out our site and stay tuned.

Recent Posts from The Tech Interview


Posted in Blogroll, Career, Certification, General, Technology | Leave a comment

Cisco Live 2013 – Just Around the Corner

Cisco Live US is just around the corner. It is actually a little less than 5 weeks from now. For those who have procrastinated and are just now scheduling sessions, there could be some issues with availability. I have been told that Cisco has been expanding the rooms to accommodate the waiting lists, but I don’t know how long this will continue. Although there is a huge list of sessions (something like 700 or more), I picked mine rather quickly this year. My focus for this year is going to be primarily around Datacenter Technologies. This will include Nexus Switches, some UCS and the plumbing that makes all of that stuff work.

Are you attending Cisco Live this year? What types of sessions are you planning to attend? In addition to responding to these questions, feel free to share your twitter account by commenting below. And if you see me wandering around, make sure you take the time to introduce yourself.

Posted in Certification, Cisco Live, General, Technology | Tagged | Leave a comment

Understanding the Cisco ‘configure replace’ Command

As I prepared this article, my full intention was for it to be a conclusive reference for using the Cisco Configuration Replacement and Configuration Rollback feature. When testing with various IOS versions, I found one key feature did not behave as documented. This feature is invoked with the ‘time’ parameter and is used to undo changes when the configuration is not confirmed. To say it didn’t behave as documented is probably an understatement. It simply did not work in my lab. Therefore this article is primarily about the ‘configure replace’ command.

In a previous article, we looked at using the ‘archive’ feature to automate the backup of IOS configurations. Having those files saved on an external server has many benefits. One benefit is the ability to restore a previous version of the configuration. For example, there could be a need to restore a configuration to the state in which it was last saved. An obvious method to do this might be to copy the file to the running configuration.

Copy TFTP to Running Configuration

R1#copy tftp://192.168.2.2/R1-1.txt running-config

One serious issue with this is that there may be undesired commands left in the configuration. This is due to the fact that anything copied into running-config is actually a merge. So any commands that are not overwritten by those in the originating file will remain in the running configuration. Another option is to copy the configuration to startup-config and perform a reload. Continue reading

Posted in Certification, General, Network, Technology, Uncategorized | Tagged | Leave a comment

How to Automate Cisco Backup Using Configuration Archive

The absolute worst time to realize that a backup doesn’t exist is when that backup is actually needed. Although network devices often don’t house critical data like a typical SAN, backups are still a very important part of day to day operations. These backups are useful when a device fails or a configuration needs to be rolled back. This article is about using an often overlooked IOS feature as a method of automating the Cisco backup process. Primarily, this will look into different ways to create device backups using the archive commands.

Although administrators always have the ability to fire up a TFTP server and do a “copy running-config tftp”, this is one of those things that is often overlooked. In the event of an operational outage due to a mistake or device failure, not having current backups can prolong the recovery process. Network devices, as key components of a typical business, should have their configuration backed up regularly. Not all organizations have a network management solution that is capable of, or configured to perform, this critical function.

As demonstrated in this article, this is a simple way to keep regular backups of IOS configurations. Third party and open source tools often provide the ability to reach into the network device from the outside and copy the configuration to a TFTP server, or to do a backup directly from the output of “show” commands. The feature discussed here, an alternative to those third party solutions, lets administrators back up a configuration by invoking it manually, on a scheduled basis, or whenever the running-config is saved. Continue reading

Posted in Certification, General, Network, Technology | Tagged | Leave a comment

Gauging Interest of a Technical Career Site

I’m very seriously considering the launch of a technical career site. This site would be focused on readers who are entering the technical field and those professionals looking forward in their technical careers. The target audience would be the US due to my familiarity, but I believe the information would be useful globally. We would address challenges like getting the first job, interviewing skills, experience, searching for a job, writing resumes, managing people, geography, etc.

My question to the entire PacketU community is this, “Do you believe this would be useful to you and your friends?” I would appreciate any feedback or comments either below or in any of the social networks that you may connect to me through.

I sincerely thank you in advance for your help,

Paul

Posted in Career, Technology | Tagged | 11 Comments

Frame Buffer — Upcoming PacketU Articles for May 2013

In The Queue

  • How to Automate Cisco Backup Using Configuration Archive
  • Undoing a Change With Cisco Configuration and Change Management
  • Choosing Sessions for Cisco Live 2013
  • More Content from Networking Field Day 5
  • The High Cost of Staying Current
  • The Pending Google Reader Shutdown

Punted to the CPU

I’m still reading NX-OS and Cisco Nexus Switching: Next Generation Datacenter Architectures (2nd Edition). I plan to write a review as soon as I have completed it. I also plan to take the TSHOOT exam soon. Hopefully I can provide some objective feedback on the exam.

Frame Buffer articles serve as a way to keep readers informed of upcoming PacketU articles and help keep me on a committed forward moving track. Not all articles will come to fruition, but they are an earnest intention when they are mentioned.

Posted in Certification, General, Technology | Leave a comment