Wireshark - Setup and Background Info
Introduction
This article describes how to perform a basic setup of Wireshark for first-time users on an ETC lighting network, or on a network in which ETC devices and hardware exist.
What is Wireshark?
Wireshark is a utility that captures raw packets on a network, which contain information about how devices communicate with one another. When there are problems with this communication, troubleshooting is required. Wireshark puts a microscope on a network and allows the packets to be filtered. These filters are vast and can help to quickly sort through all the traffic.
When do we / should we use Wireshark?
For first-time users, Wireshark would only be used when directed by ETC Technical Services. When speaking to a specialist, they may use the catch phrase "Hey, can you get us a Wireshark capture?" In those scenarios, it is not required to know how to "read" Wireshark captures, just how to start, stop, save and email one. More on this below.
When should we not use Wireshark?
When ETC hardware exists on a network that is not provided or installed by ETC, it is most likely part of a larger corporate or campus-wide network. These networks are managed by IT departments charged with their security and integrity. This is sometimes referred to as "Network by Others". Although performing a Wireshark capture on a network is typically non-invasive, it is always best practice to ask permission from those who manage the network prior to proceeding.
Where do we use Wireshark?
ETC Technical Support Specialists will help direct the discussion about where the best place to take the capture is.
As Wireshark is generally used to troubleshoot communication between two networked devices, it is important to discuss where the suspected problem is in the network. This will vary based on the type of connectivity problems that are occurring.
Below are examples of common networking problems for which Wireshark may be useful:
- DMX Gateway is not receiving sACN lighting levels from the network.
- Probable Cause: Multicast is being blocked.
- Serial (Network UDP) communication is not present between ETC and third-party controllers.
- Probable Cause: End of Line termination may not be accepted or set correctly.
- Paradigm Architectural Control Processors (PACPs) not seeing one another.
- Probable Cause: Multicast is being blocked.
- Echo Relay Panels have significantly delayed response to control.
- Probable Cause: No IGMP Querier on network. Multicast is being broadcast.
- ETC devices continuously reboot while they are plugged into a network.
- Probable Cause: Ring Network Topology (Closed Loop) and Spanning Tree is disabled -OR- duplicate IP addresses are causing an IP conflict.
With each of these examples, it becomes critical to determine where to place the computer that will run Wireshark. Wireshark only captures network traffic that actually reaches the computer hosting the software. In the first example above, if a DMX Gateway is not receiving sACN lighting level information, it will do us no good to plug the computer into a random network port or directly into a spare port on a network switch. The computer needs to see the exact data being sent to the gateway. This is accomplished either via a port-mirroring switch, or by setting up port mirroring on the existing system switch (which is only possible if a port is free and the folks managing the network will allow it).
Port Mirroring Switch
A port mirroring switch allows the traffic on one network port to be copied to a second network port specifically for the purpose of capturing it. There may be other names out there, such as SPAN (Switched Port Analyzer), but the terms always reflect the same concept: we want to watch the network traffic on a port using a different piece of hardware/software, such as Wireshark.
The port mirroring switch is put inline between the ETC hardware and the network switch. This allows us to plug in a computer and run Wireshark while seeing the same network traffic that the ETC hardware is seeing.
A common port mirroring switch used by ETC Field Service is the DualComm DCSW-1005. It is small, portable, has the ability to pass-through PoE, and is powered by USB. There are many others out there. Below are two examples showing how to set this up.
Generic Port Mirroring Example
DMX Gateway Port Mirroring Example
Site Setup
Before using the software, additional setup is required:
- Have a version of Wireshark installed on the host computer (PC).
- Determine where the troubleshooting needs to take place.
- Deploy a Port Mirroring Switch and connect network cables in the proper places on the port mirroring switch and associated PC / ETC Hardware.
- Set the host computer to be on the same network scheme as the ETC hardware. By default, ETC uses IP addresses 10.101.#.# with a subnet mask of 255.255.0.0.
- Each # can be any value between 0 and 255.
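The two checks below are an added example (not from the ETC article or ETC's own tooling) that ties the "Probable Cause" list and the addressing scheme above together: it confirms the host PC is on the same 10.101.#.#/255.255.0.0 network as the ETC device, works out which sACN multicast group a gateway should be receiving for a given universe, builds the matching Wireshark display filters, and flags duplicate IP addresses from a constructed list of ARP observations. The sACN port and multicast layout follow ANSI E1.31 (UDP 5568, group 239.255.<universe high byte>.<universe low byte>); the Wireshark field names `igmp.type` and `arp.duplicate-address-detected` are standard dissector fields. The sample ARP data is constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Default ETC addressing scheme from the article: 10.101.x.x with mask 255.255.0.0
ETC_DEFAULT_NETWORK = ipaddress.ip_network("10.101.0.0/255.255.0.0")

# sACN (ANSI E1.31) conventions: UDP port 5568, multicast group 239.255.<hi>.<lo>
SACN_UDP_PORT = 5568


def same_subnet(host_ip: str, device_ip: str, netmask: str = "255.255.0.0") -> bool:
    """True if the capture PC and the ETC device share one IP network.

    Wireshark captures whatever the NIC sees regardless, but the PC must be on the
    same scheme to reach the device and to confirm which traffic belongs to it.
    """
    host = ipaddress.ip_interface(f"{host_ip}/{netmask}")
    device = ipaddress.ip_interface(f"{device_ip}/{netmask}")
    return host.network == device.network


def sacn_multicast_group(universe: int) -> str:
    """Multicast group a gateway must join to receive a given sACN universe."""
    if not 1 <= universe <= 63999:
        raise ValueError("sACN universes are 1..63999")
    return f"239.255.{universe >> 8}.{universe & 0xFF}"


def sacn_display_filter(universe: int) -> str:
    """Wireshark display filter showing only sACN levels for that universe.

    If the capture from the mirrored gateway port is empty under this filter,
    the multicast is not reaching the gateway (the first Probable Cause above).
    """
    return f"udp.port == {SACN_UDP_PORT} && ip.dst == {sacn_multicast_group(universe)}"


def igmp_query_filter() -> str:
    """Display filter for IGMP membership queries; none in a long capture
    suggests there is no IGMP querier and multicast is being flooded."""
    return "igmp.type == 0x11"


def duplicate_ip_filter() -> str:
    """Display filter Wireshark sets when it sees one IP claimed by two MACs."""
    return "arp.duplicate-address-detected"


# Constructed sample: (sender MAC, sender IP) pairs as seen in ARP replies.
SAMPLE_ARP = [
    ("00:11:22:33:44:55", "10.101.1.10"),
    ("66:77:88:99:aa:bb", "10.101.1.10"),   # second device claiming the same IP
    ("00:11:22:33:44:55", "10.101.1.10"),   # repeat from the first device
    ("cc:dd:ee:ff:00:11", "10.101.1.20"),
]


def find_duplicate_ips(observations):
    """Map each IP address claimed by more than one MAC to the set of MACs."""
    macs_by_ip = defaultdict(set)
    for mac, ip in observations:
        macs_by_ip[ip].add(mac.lower())
    return {ip: macs for ip, macs in macs_by_ip.items() if len(macs) > 1}


if __name__ == "__main__":
    print("same subnet:", same_subnet("10.101.50.1", "10.101.1.10"))
    print("universe 1 filter:", sacn_display_filter(1))
    print("IGMP querier filter:", igmp_query_filter())
    print("duplicate IPs:", find_duplicate_ips(SAMPLE_ARP))
```

Paste the returned filter strings into the display filter bar at the top of the Wireshark window after the capture has been started; they narrow the flood of packets down to the traffic the specialist is likely to ask about.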
Wireshark Setup
- Launch Wireshark
- On the bottom half of the screen is a section called Capture.
- Choose the Network Adapter connected to the ETC hardware / port mirroring switch. This is usually a wired network adapter or Ethernet adapter on the host computer.
- The lines to the right of the adapter represent network activity, which may help you determine which is the correct adapter if you are unsure.
- Double click the network adapter to start the Capture. Alternatively, after the correct adapter has been selected, click the blue shark fin at the top left of the screen to Start the capture.
- At this point, the view will start flooding with packets in the order they are received. Bigger/busier systems will have more data than smaller systems. The duration of the capture depends on the scenario and on instruction from ETC Technical Services.
- If additional action needs to be taken on ETC hardware in order to produce the data packets that need investigating, now is the time to do so. Examples include activating a preset on Paradigm, sending a serial command from ETC hardware, starting or stopping an sACN lighting level source, etc.
- When done, click the red square at the top left to Stop the capture.
- Next click File > Save As and choose a file destination to store the capture locally.
- Finally, email the capture file to the ETC specialist that you've been working with.
Screenshot Example (no audio)
Third Party Tutorial (for those interested):
How to Use Wireshark: Comprehensive Tutorial + Tips on varonis.com/blog by Jeff Petters is a good guide on setting up Wireshark.