Using Wireshark for Troubleshooting

Using Wireshark for Troubleshooting

-----------------------------------

Affected Roles:  Administrator, Owner

Related Digital Watchdog VMS Apps:  DW Spectrum® IPVMS

Complexity:  Medium to High

Last Edit:  October 2, 2020

-----------------------------------

Wireshark and Capturing Data

On occasion, the Digital Watchdog Technical Support Team may ask you to create a Wireshark capture.  This will allow our technicians to study the network topology to better analyze the communication between your DW Spectrum® Server and a camera.

This article will outline how to create a capture and recommendations to keep in mind when capturing the data.

Note:  Although it is possible to capture data communication indirectly, the following information is intended as reference for when Wireshark is installed on the same device as the DW Spectrum® Server application.

Supported/Affected Devices:

• DW Blackjack® Series

What is Wireshark?

Wireshark is a free, open-source data packet analyzer application that is commonly used for network troubleshooting and analysis.  It is a cross-platform application, available for Windows, MacOS, and Ubuntu/Linux.

Standard Capture

Start the capture by either double-clicking on the desired network interface for analysis or by selecting the desired network interface, then clicking on the blue shark fin in the top-left of the window.

When choosing the network interface for analysis, select the interface that connects the Server to the camera.  If you have a choice between a wireless interface and a wired interface, it is preferred that you select the wired interface as it provides a better quality capture of the data and less clutter.

Filtered Capture

When collecting data packets, you can use the Capture Filter to grab specific communication information more efficiently – typically, this will be the communication between the DW Spectrum® Media Server application and the camera.

To perform the filtered capture, please perform the following:

1. Select the desired network interface and enter the following in the Capture Filter field.

For example:  host 192.168.178.40

2. Double-click on the interface or use the Start button (blue shark fin) in the top-left.

3. Once you have finished the capture, stop the capture by clicking on the Stop button (red square) in the top-left.

4. Click on File and select Save As…

Provide the file with a name while keeping the extension as Wireshark/…-pcapng

Important:  Digital Watchdog often receives files that were created on the client computer hosting the DW Spectrum® IPVMS desktop client, rather than the desired files created on the DW Spectrum® Server itself.  Instead, we ask that you run Wireshark on the device from which the DW Spectrum® Media Server program is running to assist our technicians in their investigation of the communication between the server, the camera, and other video resources.

What Data Should I Capture?

Wireshark will create large files in a short amount of time, with numerous lines of data.  In order to find the needed information quickly, it is recommended to perform the following:

1. Start Wireshark (with the Capture Filter enabled)

2. Reproduce the issue

3. Stop Wireshark

4. Save the standard or filtered capture

5. Share the standard or filtered capture

Sometimes it may be difficult to reproduce a scenario, and it would be impractical to leave Wireshark running until the issue repeats as will increase the server’s workload and the overall file size.  Instead, consider setting up a Ring Buffer.

A Ring Buffer is a feature that allow you to determine the quantity and size of files that Wireshark may create. In doing so, you may allow Wireshark to run until the desired issue occurs.  It will, however, still increase CPU and RAM usage as you allow Wireshark to run.

Setting Up A Ring Buffer

To set up a Ring Buffer:

1. Go to Capture at the top of the Wireshark application.

2. Select Options (Ctrl+K), then select the Output tab.

3. Enable Create a new file automatically after…

4. Change the field from kilobytes into megabytes, then change the value to a maximum of 500.

5. Enable Use a ring buffer with 10 files.

In general, with 10 files you should be able to capture the moment and stop the capture in time before the ring buffer overwrites the files.  If you fail to capture the instance, you may want to increase the value.  However, make sure that there is sufficient storage space available and that it doesn’t affect the desired retention time of the video data of the DW Spectrum® Server application.

It is recommended that you set up a notification along with the ring buffer.  Often, this can be performed with the DW Spectrum® rules engine by selecting the appropriate Event and the preferred Action to become notified that the issue has occurred.

It is important to stop the Wireshark capture in time to prevent the event from being overwritten.

How to Send Wireshark Capture File(s)

Since the Wireshark capture files in general are too big to share as an attachment, it is recommended to share them using a cloud storage service like Google Drive or Dropbox.  Please clarify the source of the IP Addresses in the capture file, so that we will know what servers and cameras are in the file.

Unless already provided contact information by a Digital Watchdog Technician, you can learn how to submit an issue by reading Reporting DW Spectrum Issues.