When analyzing a network with Wireshark, it is important to observe the Time column. A network can slow down because of long delays, access errors and excessive packet requests for data. When performance degrades because of delays, one should check the time gap between a request and its response, or between an acknowledgement and the normal response.
Packet time measurement method of Wireshark for performance evaluation
When Wireshark captures packets, a time stamp value is taken from the libpcap/WinPcap library. This time stamp is stored together with the trace file, so that the packet arrival time can be shown when the file is opened.
Filter
Since many packets appear during packet analysis with Wireshark, it is not easy to find the desired information; filtering helps in this situation. There are two methods of filtering, display filtering and capture filtering, which differ slightly in their usage. In short, the former is used to find the desired information among the captured packets and has richer functionality. The latter is used to keep the stored capture from becoming too large, and for this some definitions have to be set before capturing starts. Figure 12 shows example settings for the performance evaluation.
Packet list pane on data link layer
In Fig. 13, all the packets captured with Wireshark are displayed in the packet list pane. Here, information such as source/destination MAC and IP addresses, TCP/UDP port numbers, protocols and packet contents can be obtained.
Observing Fig. 14, if the value of the received length/type field exceeds 0x0600, the frame is defined as Ethernet II type; if it is less, the field is the length of an IEEE 802.3 frame. Thus, when an Ethernet II-type frame carries the value 0x0800, the protocol is IP.
Packet details pane on Network Layer
The fourth record in Fig. 15 shows the ICMP protocol used for the ping operation. The ICMP header elements can be checked by clicking the protocol line.
Figure 16 shows the structure of the IP header, and Fig. 17 shows a captured IP packet header. Comparing the elements of the IP header structure with the captured header, the captured values follow the IP header fields in order, from Version to Destination IP Address.
Dissector pane
Figure 18 shows the same contents as the packet details pane above, but the difference is that they are shown as hexadecimal numbers. In the next section, the corresponding ASCII values will be generated.
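As an added example (not code from the paper), the following Python script decodes a constructed Ethernet II / IPv4 / ICMP frame the way the panes above present it: the type/length test of Fig. 14, the IP header fields of Figs. 16 and 17 and the ICMP header of Fig. 15. The frame bytes, MAC addresses and IP addresses are made up for illustration.

```python
import struct

# Constructed sample frame (not taken from the paper's capture): Ethernet II, IPv4, ICMP echo request
SAMPLE_FRAME = bytes.fromhex(
    "001122334455" "66778899aabb"  # destination MAC, source MAC
    "0800"                         # type/length field: 0x0800 (>= 0x0600), so Ethernet II carrying IP
    "4500001cabcd400040010000"     # IPv4: ver/IHL, TOS, total len 28, id, DF, TTL 64, proto 1, checksum
    "c0a80002" "c0a80003"          # source 192.168.0.2, destination 192.168.0.3
    "0800000012340001"             # ICMP: type 8 (echo request), code 0, checksum, id, sequence
)
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
ICMP_TYPES = {0: "Echo reply", 8: "Echo request"}

def dissect_ethernet(frame):
    """Decode the 14-byte Ethernet header; classify by the type/length field as Fig. 14 does."""
    dst, src, type_len = struct.unpack("!6s6sH", frame[:14])
    layer = {"dst_mac": dst.hex(":"), "src_mac": src.hex(":")}
    if type_len >= 0x0600:            # large value: an EtherType, hence an Ethernet II frame
        layer.update(frame_type="Ethernet II", ethertype=type_len)
    else:                             # small value: payload length of an IEEE 802.3 frame
        layer.update(frame_type="IEEE 802.3", length=type_len)
    return layer, frame[14:]

def dissect_ipv4(data):
    """Decode the fixed IPv4 header fields in the order Fig. 16 lists them."""
    fields = struct.unpack("!BBHHHBBH4s4s", data[:20])
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, cksum, src, dst = fields
    ihl = (ver_ihl & 0x0F) * 4        # IHL counts 32-bit words; convert to bytes
    layer = {"version": ver_ihl >> 4, "header_len": ihl, "tos": tos, "total_len": total_len,
             "id": ident, "flags": flags_frag >> 13, "frag_offset": flags_frag & 0x1FFF,
             "ttl": ttl, "protocol": IP_PROTOCOLS.get(proto, str(proto)), "checksum": cksum,
             "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst))}
    return layer, data[ihl:total_len]

def dissect_icmp(data):
    """Decode the ICMP header of a ping packet (the fourth record in Fig. 15)."""
    typ, code, cksum, ident, seq = struct.unpack("!BBHHH", data[:8])
    return {"type": ICMP_TYPES.get(typ, str(typ)), "code": code, "checksum": cksum,
            "id": ident, "seq": seq}

def dissect(frame):
    """Walk the layers the way the packet details pane does; stop at protocols not decoded here."""
    eth, rest = dissect_ethernet(frame)
    layers = {"eth": eth}
    if eth.get("ethertype") == 0x0800:
        layers["ip"], rest = dissect_ipv4(rest)
        if layers["ip"]["protocol"] == "ICMP":
            layers["icmp"] = dissect_icmp(rest)
    return layers
```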
Performance evaluation of proposed server operation system: Example of mail transmission and reception on a network
As in Fig. 19, a user can be added by entering the command below.
sudo adduser test
SMTP
For the analysis environment, a mail was sent to the user (test) after accessing the mail server of pknu.com (192.168.0.0/16) with SMTP from dhcp-client. The transmitted mail is stored in the user's Maildir/new/ folder. This temporary file is then moved to the cur folder (Maildir/cur) after it has been opened and read with POP3 or IMAP. To send a mail with the SMTP protocol, follow the process below.
For telnet, enter the command below to access 192.168.0.3 (mail.pknu.com) on port number 25 (SMTP).
telnet 192.168.0.3 25
The appropriate SMTP protocol commands are needed to send a mail. To send a mail, enter the line below.
mail from: root@dslab.com
After receiving the message 250 2.1.0 OK, enter the rcpt to line giving the user name and the mail server name.
rcpt to: test@mail.pknu.com
data
Subject: subject
body
. (ending line: a single period on a line of its own)
Then, enter the message contents after entering data and the Subject line. The result was successful, as shown in Figs. 20 and 21.
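The exchange just described, as an added example that is not part of the original paper: a minimal server-side SMTP state machine replies to the telnet lines above and stores the accepted message under <user>/Maildir/new/ as the text describes; it also refuses recipients outside its own domain so that it cannot be used as an open relay. The reply texts beyond those quoted on the page, and the temporary directory standing in for /home, are assumptions.

```python
import os, tempfile, time

SMTP_DIALOGUE = ["mail from: root@dslab.com", "rcpt to: test@mail.pknu.com", "data",
                 "Subject: subject", "", "body", ".", "quit"]   # client lines from the page
DEMO_ROOT = tempfile.mkdtemp()   # stands in for /home so the example never touches real mail
class MiniSmtpServer:
    """Server side of the exchange; accepted mail is written to <root>/<user>/Maildir/new/."""
    def __init__(self, root, domain="mail.pknu.com"):
        self.root, self.domain, self.in_data = root, domain, False
        self.sender, self.rcpts, self.lines, self.delivered = None, [], [], []
    def handle(self, line):
        """Reply to one client line, or None while the message body is being collected."""
        if self.in_data:
            if line == ".":                                    # lone period ends the message
                self.in_data, self.delivered = False, self.delivered + self._deliver()
                return "250 2.0.0 OK: queued"
            self.lines.append(line[1:] if line.startswith(".") else line)  # dot-unstuffing
            return None
        cmd, _, arg = line.partition(":")
        cmd, arg = cmd.strip().lower(), arg.strip()
        if cmd == "mail from":
            self.sender = arg
            return "250 2.1.0 OK"
        if cmd == "rcpt to":
            user, _, host = arg.partition("@")
            if host != self.domain:                  # not our domain: refuse to act as a relay
                return "554 5.7.1 Relay access denied"
            self.rcpts.append(user)
            return "250 2.1.5 OK"
        if cmd == "data":
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        return "221 2.0.0 Bye" if cmd == "quit" else "500 5.5.2 Error: command not recognized"
    def _deliver(self):                                        # one Maildir file per recipient
        paths = []
        for user in self.rcpts:
            new_dir = os.path.join(self.root, user, "Maildir", "new")
            os.makedirs(new_dir, exist_ok=True)
            paths.append(os.path.join(new_dir, f"{time.time_ns()}.{user}"))  # unique file name
            with open(paths[-1], "w") as f:
                f.write(f"Return-Path: <{self.sender}>\n" + "\n".join(self.lines) + "\n")
        self.sender, self.rcpts, self.lines = None, [], []
        return paths

def run_dialogue(server, client_lines):   # returns the two-sided transcript as (who, line)
    transcript = [("S", f"220 {server.domain} ESMTP")]
    for line in client_lines:
        reply = server.handle(line)
        transcript += [("C", line)] + ([("S", reply)] if reply else [])
    return transcript
```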
POP3
To check the mail previously sent with SMTP by using the POP3 protocol, enter the command below to access one's own mail server.
telnet 192.168.0.3 110
Access port number 110 (POP3) of mail.pknu.com (192.168.0.3) and enter the commands.
user <user name> (test)
pass <password> (test)
list
retr <message number>
quit
To check the mail sent with SMTP, one should access the mail server remotely. After establishing remote access to the POP3 port, log in with the user name to check the mail. The 'list' command shows the mail list, which includes all received mails. The list numbers are arranged in order of reception time (Figs. 22 and 23).
IMAP
To check the mail previously sent with SMTP by using the IMAP protocol, one needs to access one's own mail server.
telnet 192.168.0.3 143
The rest of the procedure is the same as above, but the port number should be 143 (IMAP).
a01 login test test
a02 select inbox
The numbers (i.e., 01, 02, etc.) attached to the commands are just reference tags chosen by the user. Here, the alphabetic prefix must remain, but the numbers are optional (Fig. 24).
When the command 'select inbox' is given, the number of mails and of recently received unread mails is displayed, and a directory and a file are added to the /home/user/Maildir/ folder. Once the mail has been read by the user, IMAP also adds it to /home/user/Maildir/cur/ (Fig. 25).
As in Figs. 24 and 26, mail content can be checked with the 'fetch' command after entering the select inbox command. That is, enter fetch 7 body [header], which shows the header, and fetch 7 body [text] to see its content (Fig. 24).
Performance analysis of the network operation system using Wireshark
The major traffic in the network server operation system is generated by IGMP, exchanges between the DHCP server and DHCP clients, ARP, ping and mail transmissions; some core areas of this traffic have been analyzed with Wireshark.
SMTP, POP3 and IMAP connect with a 3-way handshake and close with the TCP link termination mechanism. Figure 27 shows the TCP 3-way handshake and TCP link termination. Examining the first three packets, the SYN flag bit is set in the segment header in the first phase of the initial TCP connection; this segment is encapsulated in an IP datagram and sent to the server. The packet involved is packet No. 9. The second phase of TCP connection setup, where SYN and ACK are both set, can be seen in packet No. 10, and the third phase is observed in packets No. 49 and 50.
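As an added example (not from the paper), this Python script applies two of the checks described above to a constructed packet list: it matches the three handshake phases per connection and reports the time gaps between them, and it lists consecutive packets of a connection whose Time column gap exceeds a threshold, the delay check recommended at the start of this section. Packet numbers mirror the description of Fig. 27; the times, ports and addresses are made up.

```python
from collections import namedtuple

# One row of the packet list pane: number, Time column value, endpoints and TCP flag names
Packet = namedtuple("Packet", "no time src dst sport dport flags")

# Constructed packet list (times are made up, not read from Fig. 27): a client opening
# an SMTP connection to mail.pknu.com, one slow server response, and the FIN close.
PACKETS = [
    Packet(9,  0.000000, "192.168.0.2", "192.168.0.3", 40512, 25, {"SYN"}),
    Packet(10, 0.000412, "192.168.0.3", "192.168.0.2", 25, 40512, {"SYN", "ACK"}),
    Packet(11, 0.000530, "192.168.0.2", "192.168.0.3", 40512, 25, {"ACK"}),
    Packet(12, 1.250000, "192.168.0.3", "192.168.0.2", 25, 40512, {"PSH", "ACK"}),
    Packet(49, 3.100000, "192.168.0.2", "192.168.0.3", 40512, 25, {"FIN", "ACK"}),
    Packet(50, 3.100200, "192.168.0.3", "192.168.0.2", 25, 40512, {"FIN", "ACK"}),
    Packet(51, 3.100350, "192.168.0.2", "192.168.0.3", 40512, 25, {"ACK"}),
]

def find_handshakes(packets):
    """Match SYN, SYN/ACK and ACK per connection (the three phases in the text) and
    report the packet numbers plus the time gaps between the phases."""
    pending, found = {}, []
    for p in packets:
        key = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if p.flags == {"SYN"}:                               # phase 1: client SYN
            pending[key] = [p]
        elif p.flags == {"SYN", "ACK"} and len(pending.get(rev, [])) == 1:
            pending[rev].append(p)                           # phase 2: server SYN/ACK
        elif p.flags == {"ACK"} and len(pending.get(key, [])) == 2:
            syn, synack = pending.pop(key)                   # phase 3: client ACK
            found.append({"packets": (syn.no, synack.no, p.no),
                          "syn_to_synack": round(synack.time - syn.time, 6),
                          "synack_to_ack": round(p.time - synack.time, 6)})
    return found

def delta_times(packets):
    """Gap between consecutive packets of the same connection, in either direction."""
    last, deltas = {}, []
    for p in packets:
        conn = frozenset([(p.src, p.sport), (p.dst, p.dport)])   # direction-independent key
        if conn in last:
            deltas.append((last[conn].no, p.no, round(p.time - last[conn].time, 6)))
        last[conn] = p
    return deltas

def slow_gaps(packets, threshold):
    """Packet pairs whose gap exceeds the threshold: where to look first when a service is slow."""
    return [d for d in delta_times(packets) if d[2] > threshold]
```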
Figure 28 shows the contents of the SMTP packets within the traffic generated in the network system, as displayed by Wireshark. The red lines are the client's requests and the blue ones are the server's responses.