Wireshark Tutorial // Lesson 7 // Using the Time Column

Captions
All right, welcome back to the channel. Here we are, lesson seven in the Wireshark Master Class. We're going to talk today about the time column. Now, there's a thousand ways that we can use the time column. It's so important when we're doing network analysis and forensics, but how can we configure it and really make sense of this very useful column? Stick around.

Hey, it's good to have you back again. My name is Chris, and it's great to have you along in this class with me. Now, in this specific lesson we're going to talk about the time column. The time column is something I use all the time, whether we're looking for delays, or looking for intrusions, or trying to find something that happened at a specific period of time during the day; we're going to be using the time column. So getting used to how to use it is very important for developing your skill set in Wireshark. Go ahead and download the trace file that accompanies this video down below, and you can follow right along.

All right, so here we are in this packet capture. To start off, first I'm just going to set a TCP filter, just because I don't want the UDP stuff; I just want to talk about what's going on here from a TCP perspective. Now, over here on the left, this is where we have our time column. This is a configurable time column; we can set it to do quite a few different representations of time. By default, it's going to be set up as a running total of time, so the very first packet that comes in, that's going to be like a stopwatch that gets started, and then for every single packet that comes in we find out when in time that packet hit the interface. So here I can see, this first packet after I set that filter, this is frame number five; this happened just over four seconds into the packet capture. Something that I like to do when I'm scanning for delays is I'll just take a quick look down this column, and what I want to do is look for large jumps of time. So if I'm looking for a slow file transfer, or if something is slow on an application and responding, that could be where I'm looking for something to jump really far. So four to five seconds, quickly you're up to nine seconds, or whoa, all of a sudden I'm at 26 seconds in that time column. So that's something that my eye will be used to looking for.

But what if I wanted to set this time column for something different? For example, what if a problem happened at 10 in the morning and I wanted to see exactly when in time this happened? What I can do is just change this: if I go up to the View menu, come down to Time Display Format. Now, the time display format always coincides with that time column, so if I have that displayed there in this profile, then whenever I change this it's going to reflect that column. So if I want to see time of day, that's where I can simply just come up to Time of Day. I could say Date and Time of Day; Year, Day of Year, and Time of Day; Seconds Since 1970 January 1st, if that's interesting for you. But if I go Time of Day, now this time is always going to reflect the time setting of the system that Wireshark is sitting on. So if I do a pcap here and I've got 14:45, and I send this trace file to someone who's two hours ahead of me, then this is going to say 16:45 when they open it; or if I send it to another colleague that's two hours behind me, then they could be at 12:45. So just keep that in mind if you're crossing time zones with your trace files: this is always going to show you with reference to the time zone of the system that you're sitting on. That's also why it might be another way, or another consideration to think about: come down to Time Display Format and instead just use UTC time, and that way we can have a better or more consistent view across time zones. Now, this is also where we can say Seconds Since Beginning of Capture; by default, that's what this time column is going to be set up for. Now, we went ahead and added a delta time displayed, so we don't have to continue to have that there.

But one trick that I do quite a bit when I'm working with time is I like to have this be that running total of time, or seconds since start of capture, and what I can do is I can come up to, let's just say, that first packet up there. I'm going to right-click it and I can do something called Set/Unset Time Reference. So whenever I want to start a stopwatch on a certain packet and then time the amount of time until another packet, this is how I can do that. So how about Set/Unset Time Reference. What this does is it just starts that stopwatch, and then each packet after, I can see with reference to my reference frame. So that's pretty useful, especially when I'm just wanting to start at zero at the beginning of a TCP conversation like we have here, and kind of reset that clock, if you will. Now, you can use more than one of those. You can come in here and say, oh wow, I got a GET right there, so let me just set a time reference on that GET. And if I select that packet, now when I'm dealing with unsecure web traffic, it's pretty fun in Wireshark, there's some cool features here: I can see a GET went out, and on packet 23 I can see the response came back, so there's the 200 OK. This GET goes with this response, so now I can see, when I set that time reference, I can measure the amount of time it took to get that response back, and that's because I set that time reference on the GET. So that's something that I do a lot, starting and stopping those stopwatches. Now, if I have quite a few of these, I can just right-click this and say Unset Time Reference; or if I have a lot of them, let's say three or four or ten of them, this is where I can come up to the Edit menu and I can say Unset All Time References, and that will reset everything, pull off all of those stopwatches, if you will, and bring me back to that running total of time.

Now let's look at one final aspect of time that's really important to consider, especially when we're dealing with conversations, or TCP conversations, that are multi-threaded, and that means when I have more than one SYN or conversation happening at once. That's what we can see here: here's three SYNs, and these are all on three different client-side ephemeral ports. So what that means is that here's three connection attempts, and here I can see those connection attempts be retransmitted, and finally I start to see some responses come back. So by the time I'm down here, I have three parallel TCP conversations. What that means is that my delta time over here stops being super useful just from one packet to the next from this view, and that's because I have multiple connections going on at once. So that means that this packet here, for example packet 20, and I see six milliseconds after it was the next one; these two packets are on different conversations, so this six milliseconds over here is only with reference to another packet that had nothing to do with this whole TCP thread.

So there's a super useful measurement that Wireshark does, and that's what I wanted to make sure that you knew about. What I'm going to do is I'm going to come down to TCP, and I'm going to expand this up just a little bit there, and I'm going to come down to Timestamps and, check this out, Time Since Previous Frame in This TCP Stream. All right, so that means that this is context-based: from within this conversation, this is the time from this packet to the one previous in this thread. So that's super useful to have as a column. I'm going to right-click it, come up to Apply as Column, and what I like to do is I just like to drag this guy over here so all my times are in a nice little row: running total of time, delta time, and then time since previous. That's kind of a long name up there in the header, so I'm just going to right-click this and say Edit Column real quick, and I can just say "TCP stream time", something like that, just to shorten that name down a hair. So now check this out: here I've got these are all zeroed, because these are the SYNs; that's the big bang, that's the start of my timer for that conversation. And if we take a look here, this packet happened one second after the SYN in context. All right, see, I wouldn't have gotten that if I was over here in delta time; I did see 752, but that one second really jumps out at me, doesn't it? And as I come down, 281 milliseconds: if I come over here to my delta time, this is just 30 milliseconds, but in context this SYN/ACK came back 281 milliseconds later. Whoa, that's a much different time, that jumps out to me, doesn't it? And as I scroll down, this is where I can start to see some of those larger delays. So this is a very useful column to have, especially when you're looking at several conversations that happen in parallel.

A lot of times what I'll do, if I'm looking at an application that has a lot of different simultaneous TCP conversations going on, I'll go ahead and bring up the TCP stream time and I'll sort it; I'll literally just say sort, and I'll jump down to the bottom, and I want to look at the larger delays that are in that context. That's what I'm going to be looking for when I'm looking for slow. Now, be careful, because sometimes when you're dealing with trace files that are really large or have long-running TCP flows (a lot of times it doesn't necessarily have to be long-running), but a lot of times what you'll see is at the end of a conversation you'll see some type of timeout, or maybe the stack waits for a period of idle and then it'll go ahead and send that FIN. So be careful that you're not troubleshooting a bunch of FINs and resets down here that just happen to be closing down the connection. What you want to watch for is in the larger delays, especially look for the ones that are coming from the server. All right, so because that means that the server was waiting some amount of time, in context to the previous packet before it, and then it went ahead and let go of this data. So that's not an always case, but a common one that I'll look for: look for the response time coming back to be that larger number.

Okay, so I hope this was useful to you. We talked about the time column and how we can set it up for UTC time, time of day; we talked about how we can set time references, and also how we can add that TCP stream time in this profile. So thanks for stopping by for this lesson in our masterclass. I'll see you guys on the next video.
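The three measurements the lesson walks through (running total from the first frame or from a Set Time Reference frame, delta from the previous displayed frame, and Time Since Previous Frame in This TCP Stream), plus the UTC time-of-day point, recomputed outside Wireshark over a constructed capture of three interleaved TCP streams. This is an added example, not code from the video or from Wireshark; the packet list, timestamps, stream indexes and client/server labels are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class Pkt:
    number: int   # frame.number
    epoch: float  # frame.time_epoch (seconds since 1970-01-01 UTC)
    stream: int   # tcp.stream index
    src: str      # "client" or "server" (constructed label)
    info: str

# Constructed capture: three client SYNs on different ephemeral ports, so three
# parallel TCP streams interleave. Base timestamp is 2021-08-03 14:45:00 UTC.
BASE = 1628001900.0
PKTS = [Pkt(n, BASE + t, s, src, info) for n, t, s, src, info in [
    (1, 0.000, 0, "client", "SYN"), (2, 0.002, 1, "client", "SYN"),
    (3, 0.004, 2, "client", "SYN"), (4, 1.000, 0, "client", "SYN retransmission"),
    (5, 1.006, 1, "server", "SYN,ACK"), (6, 1.010, 2, "server", "SYN,ACK"),
    (7, 1.011, 1, "client", "ACK"), (8, 1.012, 1, "client", "GET /index.html"),
    (9, 1.281, 0, "server", "SYN,ACK"), (10, 1.290, 1, "server", "HTTP 200 OK"),
    (11, 1.295, 2, "client", "ACK"), (12, 6.300, 1, "server", "FIN,ACK"),
]]

def time_columns(pkts, references=()):
    """Rows of (frame.number, running total, frame.time_delta, tcp.time_delta).
    A frame number in `references` acts like Set Time Reference: the running
    total restarts at zero on that frame and counts from it afterwards."""
    rows, ref_epoch, prev_epoch, last_in_stream = [], pkts[0].epoch, None, {}
    for p in pkts:
        if p.number in references:
            ref_epoch = p.epoch
        delta = 0.0 if prev_epoch is None else p.epoch - prev_epoch
        stream_delta = p.epoch - last_in_stream.get(p.stream, p.epoch)  # 0 on a new stream
        rows.append((p.number, round(p.epoch - ref_epoch, 6),
                     round(delta, 6), round(stream_delta, 6)))
        prev_epoch, last_in_stream[p.stream] = p.epoch, p.epoch
    return rows

def slowest_server_responses(pkts, top=3):
    """Largest in-stream gaps before a server packet, skipping FIN/RST teardown."""
    by_num = {p.number: p for p in pkts}
    cands = [(row[3], row[0]) for row in time_columns(pkts)
             if by_num[row[0]].src == "server"
             and not any(f in by_num[row[0]].info for f in ("FIN", "RST"))]
    return sorted(cands, reverse=True)[:top]

def utc_time_of_day(epoch):
    """UTC Time of Day: the same string whatever time zone the analyst's machine uses."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%H:%M:%S.%f")

if __name__ == "__main__":
    for row in time_columns(PKTS, references={8}):
        print(row)
    print(slowest_server_responses(PKTS))
```

Frame 9 shows the lesson's point: its delta to the previous displayed frame is 269 ms, but in its own stream the SYN/ACK arrived 1.281 s after the first SYN and 281 ms after the retransmission.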
Info
Channel: Chris Greer
Views: 3,189
Keywords: intro to wireshark, wireshark, how to use wireshark, wireshark class, tcp/ip analysis, wireshark masterclass, introduction to wireshark, chris greer, wireshark course, free wireshark training, free wireshark course, getting started with wireshark, wireshark for beginners, network troubleshooting, wireshark tutorial, wireshark tutorial 2021, wireshark training, wireshark tips, network analysis, pcapng, delta time, time column
Id: SllJu5MdkAg
Length: 10min 27sec (627 seconds)
Published: Tue Aug 03 2021