How to run WIRESHARK

I’ve been asked quite a few times to help with network issues, and my FAVORITE tool for protocol problem detection is Wireshark.

I’m going to write this tutorial to instruct folks how to run the tool.  Hopefully it’ll come as a handy reference.  

And, if you’re at all curious about what’s going on inside your network, this tool will show it to you.

First, install Wireshark on the server that is sharing your media (this is for Windows / Linux Workstations, not NAS.)  Wireshark is a tool available HERE.   When I started in this business, “Sniffer” software cost THOUSANDS of dollars per year to own.   This is much better, and it is FREE.

Follow the installation instructions located on that website.

When all is installed and ready, follow these steps:

Shut down ANY OTHER network applications (Browsers, E-mail, ANYTHING that is using the network except for the server itself) and RUN Wireshark.

Select CAPTURE / INTERFACES:


Find the line that lists your ACTIVE ETHERNET INTERFACE.  In my example, it’s pretty obvious, since I only have a single interface.  Click START, and you’ll be returned to the main window, which may now start to get very busy with “Packets” being displayed:

If you’re at all curious, what *I* see immediately in the window are:  Spanning Tree packets coming from my Verizon FiOS ActionTec router (every 2 seconds), some FiOS DVR traffic, the yellow packets are NetBios NAME adverts for a server called NEPTUNE, and some Windows 7 DLNA Media Server traffic.

Go to your WD and REBOOT it.

Wait about 1 minute after the reboot, then go to the NETWORK SETTINGS screens and note the IP address of the WDTV.

Select the NETWORK SHARES icon (the one that doesn’t work).  :smiley:

Go back to your PC and do CAPTURE / STOP.

Do FILE / SAVE and save the file to your computer.  If I’m working with you on an issue, I’ll ask you to send it to me via FTP to one of my servers.

For the sake of discussion, let’s look at how the WDTV discovers WINDOWS Shares.  

In the Filter box at the top, type “browser” (without quotes) and click APPLY.

This will now display only Browser-related SMB Protocol packets.   SMB is the protocol by which the WDTV (and Windows computers) talk to each other, and Browser packets are how the systems discover one another on the network.

Now we see, in order:  

Packet 2 says “LS-FRONT” is the Master Browser.  You can’t see it on this screen, but it also says it’s the Master for a domain called “ROUTERS.”  I keep my routers (which are DLNA servers) in their own group.

Packet 3 is from the same router, LS-FRONT, advertising the EXISTENCE of a Workgroup named ROUTERS.

Packet 31 is a host called SATURN making itself known.  

Packets 215, 790, 5616 and 6563 are all from a router called LS-BACK advertising itself to the workgroup.

Packet 1430 is a host called NEPTUNE making itself known.  Neptune is actually the server that’s running WIRESHARK.

Packet 5764 is “WDTVLIVEMB” advertising itself after bootup.  

Packet 6565 is the MASTER BROWSER advertisement from my NAS, BIGNAS1.

Packet 6566 is also from BIGNAS1, advertising the Workgroup “WORKGROUP.”

Note: The server capturing this data, NEPTUNE is NOT the Master Browser.  If it were, we’d see LOTS more data, because the Master is, well, the Master of the workgroup.

Note that these packets are all “Broadcasts.”  They are visible to EVERY SYSTEM on the network (the address 10.0.0.255 means “All IP Hosts on network 10.0.0.0/24”).

This is all NORMAL.  This is how things should work.  The masters are advertising themselves, and the PCs and WDTV are making themselves known and everyone’s happy.    In the next post, I’m going to FORCE my server to be the Master Browser so we can see the additional detail.    I’m going to do this by SHUTTING OFF Every other server.  Hopefully, when I start things back up, they don’t “Steal” the browser status away from it.


Part 2

Alright.   I shut off EVERYTHING except my server, then re-started the WDTV.  

Here’s what we have so far:

Packets 147 and 148 are actually the SOFT Shutdown of BIGNAS1 before it powers off.  That thing is so smart, that before it goes down, it sends out an announcement saying “I’m gone!  I’m no longer doing ANY of the functions I was doing before,” including revoking its right to be MASTER.  It sends, in the SMB Protocol section, a Server Type of 0x00000000, which means, “I am doing NOTHING server-related now,” then turns the power off.

But note:  We don’t see ANY other Master announcements for the workgroup.   (We still see LS-FRONT, but that’s in the workgroup ROUTERS.   Every WORKGROUP has its OWN Master, and LS-FRONT is that.   It will NOT be the master for the WORKGROUP workgroup.)

And guess what?  Right now, my WDTV CANNOT FIND ANY SERVERS!   

This is a weakness in Windows networking.  If too many machines go down too quickly, it takes up to 15 - 20 minutes for a new election to take place.  Meanwhile, there’s no meaningful way for the WDTV to find the server right now.  So we have to wait.

A long time.  If I were to reboot NEPTUNE right now, chances are it’d be the Master, but I want to wait and see how long.  

The answer is 23 minutes!   Neptune “Timed Out,” meaning it figured out something was wrong and initiated a REQUEST to find a master browser (the highlighted packet.)  Getting no response, it sends 3 more.  After getting NO response for about 5 to 6 seconds, it then initiates an “Election” to nominate a New Master.  By the end of packet 7137, the election is complete, and Neptune is the winner.  It advertises itself as the MASTER now in packet 7222.

At that moment, the WDTV was now able to find the server.

So, let’s see what happens next.  I’ll REBOOT the WDTV (and start a fresh capture) to show how the WDTV finds the server.

This time, I’m setting my filter in Wireshark to “smb or nbns” which means I want to see only SMB traffic or “NetBios Name Service” stuff.

So, the WD talks for the first time in packet 285, with a “Name Query” looking for the owner of the name “__MSBROWSE__”  Basically, it’s asking EVERY system out there, “Who’s the master browser?”  It sends this request to that special Broadcast address of 10.0.0.255.

Neptune IMMEDIATELY responds with a “Query Response” saying, the “Master Browser” is named “NEPTUNE” and you can find it at IP address 10.0.0.8.
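The NBNS exchange just described (the WDTV’s broadcast Name Query for “__MSBROWSE__” and NEPTUNE’s Query Response carrying 10.0.0.8), built and decoded in Python as an added example that is not from the original post.  The packet layout follows RFC 1001/1002; the transaction id, TTL and NB_FLAGS are constructed values, and the filter-style output mirrors what Wireshark shows in its NBNS dissector.

```python
import struct
from ipaddress import IPv4Address

# __MSBROWSE__ is the NetBIOS group name every master browser registers:
# the 15-byte name 0x01 0x02 "__MSBROWSE__" 0x02, with suffix byte 0x01.
MSBROWSE_NAME, MSBROWSE_SUFFIX = b"\x01\x02__MSBROWSE__\x02", 0x01

def encode_netbios_name(name: bytes, suffix: int) -> str:
    """RFC 1001 first-level encoding: pad the name to 15 bytes, append the
    suffix byte, then write each nibble as a letter 'A'..'P' (32 chars)."""
    raw = name.ljust(15, b" ")[:15] + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)

def decode_netbios_name(encoded: str) -> tuple:
    """Inverse of encode_netbios_name: returns (name without padding, suffix)."""
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" "), raw[15]

def build_name_query(name: bytes, suffix: int, txid: int = 0x1234) -> bytes:
    """NAME QUERY REQUEST as the WDTV broadcasts it to 10.0.0.255: flags 0x0110
    (opcode QUERY, RD=1, B=1 broadcast), one question of type NB, class IN.
    txid is a constructed value."""
    header = struct.pack("!HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    label = encode_netbios_name(name, suffix).encode("ascii")
    return header + bytes([32]) + label + b"\x00" + struct.pack("!HH", 0x0020, 0x0001)

def build_query_response(name: bytes, suffix: int, addr: str, txid: int) -> bytes:
    """POSITIVE NAME QUERY RESPONSE, the unicast reply the master sends back:
    flags 0x8500 (response, authoritative), one answer RR whose RDATA is
    2 bytes NB_FLAGS (0x8000 = group name, B-node) plus the owner's IPv4.
    The TTL of 300000 seconds is a constructed value."""
    header = struct.pack("!HHHHHH", txid, 0x8500, 0, 1, 0, 0)
    label = encode_netbios_name(name, suffix).encode("ascii")
    rr = bytes([32]) + label + b"\x00" + struct.pack("!HHIH", 0x0020, 0x0001, 300000, 6)
    return header + rr + struct.pack("!H4s", 0x8000, IPv4Address(addr).packed)

def parse_nbns(pkt: bytes) -> dict:
    """Decode either message; the name sits at offset 12 in both (question in
    a query, answer RR in a response), so one parser covers the exchange."""
    txid, flags, _qd, an = struct.unpack("!HHHH", pkt[:8])
    length = pkt[12]
    name, suffix = decode_netbios_name(pkt[13:13 + length].decode("ascii"))
    off = 14 + length                          # past the 0x00 label terminator
    out = {"txid": txid, "response": bool(flags & 0x8000),
           "broadcast": bool(flags & 0x0010), "name": name, "suffix": suffix,
           "rr_type": struct.unpack("!H", pkt[off:off + 2])[0]}
    if an:                                     # type(2) class(2) ttl(4) rdlen(2) rdata
        nb_flags, ip = struct.unpack("!H4s", pkt[off + 10:off + 16])
        out["group"], out["addr"] = bool(nb_flags & 0x8000), str(IPv4Address(ip))
    return out
```

The encoded form of __MSBROWSE__<01> is the 32-letter string “ABACFPFPENFDECFCEPFHFDEFFPFPACAB” that Wireshark decodes back to the readable name in the NBNS Queries tree.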

Note how ALL the remaining packets are now sent directly between 10.0.0.11 and 10.0.0.8.   Lots of stuff happens real quick in alternating black / yellow lines:

The WDTV asks the master, “Ok, what ARE you and what services are you providing?”

NEPTUNE responds with: I’m a WORKSTATION in the WORKGROUP workgroup, I’m a SERVER in the same, I won the BROWSER Election, I am currently the Master.   

Now the server appears in the list on the WDTV.

In packet 639, I’ve pressed the button to actually view the shares on the WD, and it’s doing fine getting all that data in the rest of the stream.

That’s it!  Any questions?  There will be a quiz later.  :)
