Since you can't see
network problems with your bare eyes, the only way
to fix a lot of network problems is to put captured packets of data on a
screen, using a Network Sniffer.
If your network is slow, if there are
database connectivity problems, if your VoIP sounds like garbage, if you
think there's malware stealing private data from your network, it's time to
break out the only tool that will let you see
You could waste days, weeks or months
trying to figure out what's wrong with your network without the right tool!
They say time is money. Most of us don't have a lot of either these days.
It's time to work smarter, and save both time and money.
Once you can see
the data packets that are sent (or delayed), extra traffic from malware
slowing the network down, and any network errors causing retransmissions,
you stand a chance of finding a piece of network gear, workstation, malware,
or VoIP phone/service causing problems. Malware can add so much traffic to a network
that VoIP calls just aren't going to work well unless you get rid of the
Think there are security problems
or malware causing problems on the network? When you can see and trace the
packets, you can see the IP address(es) causing problems - on the local
network or the IP address they're coming from on the Internet.
Put this small affordable tool in your laptop
case, install the open source Wireshark software (supplied on the included
USB key, or download it from the Wireshark web site), and you've created a
very sophisticated network sniffer that lets you actually see what's
happening on your network... not guess!
Using the open source Wireshark packet
analyzer with a couple of clicks you can look at specific types of
traffic... like just UDP, just TCP, just SIP and RTP packets (for
VoIP), or just network errors.
We sell this tool because there are lots of
problems with VoIP, and many of them are because the packets get lost or
delayed on the local network. If the local network isn't working right,
there's no way a VoIP phone call is going to sound good!
Note that the EtherShark™ Tap will
pass Power over Ethernet (POE) through to VoIP phones
(or other network equipment) using the POE 802.3af standard, which
most modern phones that work with POE conform to. If it didn't pass POE, it
might be a bear to find a power cube to power the phone locally while
In the old days, telephone problems were
pretty easy to fix. You could monitor the voice with a butt-set and make
calls to hear what was wrong.
Today, because packets are going to be
delayed a different amount from one moment to the next, depending on what
other traffic is on the network - like a large database or graphic file,
it's critical to voice quality that everything on the network is running
correctly - not just the VoIP phones.
Now you can
VoIP conversation the user
is complaining about!
Using the EtherShark™ Tap and
Wireshark software, you can actually reconstruct the captured
packets from a particular VoIP conversation (most VoIP calls are not
encrypted, but you can't listen to an encrypted call), and
listen to both sides of the conversation to hear what the user is
When you hear the problem you can look at
the timing of the packets, and any errors that caused the problems.
This is the only way to find out what's wrong!
you can do it cheaper than using an aggregating tap like the
EtherShark™ Tap... But then you need 2 NIC cards to capture both Sent and
Received Packets, which isn't very portable!
With the EtherShark™ Tap, you spend a little money to get a very portable
packet analyzer that's much quicker and easier to set up!
An aggregating Ethernet tap
combines (aggregates) both transmit and receive packets into one stream
that's fed into a single PC, running packet analyzer software. It's also
called an aggregation tap. It lets you see all the
network traffic - both transmit and receive.
If you make or buy an inexpensive
Ethernet tap you'll need two of them - one for transmit into one
NIC, and one for receive into another NIC... but NIC cards are
cheap. With only one non-aggregating tap you'll either get the
packets from the network,
OR the workstation / VoIP phone, but not both.
You can find instructions for making a really
cheap non-aggregating passive (un-powered) tap on Google, for
a few dollars' worth of parts and some solder. Search Google for: passive
NOTE: Many NIC cards
throw away error packets, which makes trying to fix network
problems using an analyzer with a non-aggregating tap and NIC cards a real
waste of time! If you're using the packet analyzer to catch security
problems, not network problems, two non-aggregating taps can
be an inexpensive solution that should work fine.
If someone is advertising an Ethernet Tap
that uses the word "mirroring", you know that, like a NIC card, it won't
pass along the hard errors that may be causing your problems, and you could
spend a lot of time chasing your tail!
Likewise, if a device uses the word
"regenerating", it is taking in the packets on one port, putting them
into memory, and retransmitting them out another port. That's going to work in
many instances, but it's safer to use a device like the EtherShark™ Tap
that only monitors the packets on the way through the Tap and
doesn't change them in any way.
This 10/100 Tap
can't be used with a gigabit network. There isn't
enough bandwidth on a USB 2.0 or 3.0 port to handle the transmit and receive
data for 1000/gigabit. You can certainly buy a gigabit aggregating tap, but
it's going to cost a lot!
Depending on your network, an alternative may
be to carry a small gigabit/auto-sensing switch that will turn the
gigabit switch port into 10/100 for troubleshooting. But you're
regenerating the packets, so you may miss something important.
Plug the cable from the
network gigabit switch into the portable switch, then a patch cord into the EtherShark™ Tap,
and another patch cord into the workstation or phone. You end up gigabit
from the customer's switch to your troubleshooting portable switch, but 10/100 to the
workstation or phone (through the EtherShark™ Tap).
This is an inexpensive small gigabit switch
to carry for troubleshooting that will also work with 10/100, and four of
the eight ports work with POE.
Another option for sniffing packets is using
a packet analyzer like Wireshark on a laptop plugged into a port on a
managed Ethernet switch, to allow packets for a particular port to be
mirrored to the port with the sniffer... But most switches
throw away error packets. Again, that makes trying to fix network problems
using an analyzer plugged into the managed switch a real waste of time, but
that's a perfectly reasonable and inexpensive solution if you're just trying
to track down security issues.
If you're trying to find a problem on a
single PC or laptop, you can load Wireshark on that
machine without using any kind of tap. Wireshark will
see both send and receive packets to that machine.
For VoIP problems, a free screen phone
running on the PC may get you started. Run both
the screen phone and Wireshark on the PC you're testing on. That's also a
good way to get your feet wet using a packet analyzer program like Wireshark
to look at SIP calls without
spending any money (you don't need a Tap for that).
It's time to start to
what's really causing your network and VoIP problems, with the EtherShark™
Figure about an hour to load the drivers and Wireshark on your laptop, and
test it out the first time you use it.
After that, it'll just take a few minutes to:
- Fire up your laptop
- Plug the EtherShark™ Tap into the USB 2.0 port
- Double click on the desktop shortcut to start the Wireshark packet
- Remove the CAT5 patch cord from the workstation, VoIP phone, network
switch or router, or other piece of network equipment - and plug it into
a port on the
- Plug the short CAT5 patch cord (included) into the other port on the
EtherShark™ Tap, and then into the jack on the equipment you just
removed the CAT5 patch cord from
- Capture the packets for a while using Wireshark, then select the
types of packets you want to see and analyze in Wireshark... or listen
to VoIP calls reassembled from the saved packets, and watch how the
calls were set up using Wireshark
Figure on at least a few hours playing with Wireshark to familiarize
yourself with packet analysis. You can do that before you buy an EtherShark™
Tap by just watching the packets coming from and going to the laptop or PC
you're running Wireshark on.
It's not as hard as it looks! Sure, looking at all the packets is
overwhelming. But with Wireshark's filters and colorization, you can
have it show you just the IP addresses you need to look at, or just the type
of packets you need to see to diagnose your problem.
It helps to save a baseline trace of the packets so you know what
kind of traffic is normally on the network, but you probably
won't have that luxury at most customer sites. Capturing packets before or
after working hours will help you get an idea of what the network looks like
with no traffic, and then with traffic during the day. Check it out on your
own network, and see what you find!
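
The baseline comparison described above can be automated. This is an added example, not code from the original page or from Wireshark: it reads two classic-format pcap captures, totals IPv4 bytes per source address, and lists hosts that are new or far above their baseline. The function names, the factor of 5, the assumption that both captures cover the same length of time, and the sample captures are all constructed for illustration.

```python
import struct
from collections import Counter

def make_pcap(packets):
    """Build a little-endian classic pcap of Ethernet/IPv4 frames (constructed sample data)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for ts, src, dst, proto, payload_len in packets:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                         proto, 0, bytes(src), bytes(dst))  # checksum left at 0
        frame = b"\x00" * 12 + b"\x08\x00" + ip + b"\x00" * payload_len
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def bytes_per_source(pcap):
    """Sum the IPv4 total-length field per source address in an Ethernet pcap."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap (save as pcap, not pcapng)")
    totals, off = Counter(), 24              # 24-byte global header
    while off + 16 <= len(pcap):             # 16-byte per-packet record header
        _, _, incl, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                         # truncated or non-IPv4 frame
        total_len, = struct.unpack_from("!H", frame, 16)
        totals[".".join(str(b) for b in frame[26:30])] += total_len
    return totals

def unusual_talkers(baseline, daytime, factor=5):
    """Hosts missing from the baseline, or sending more than factor x their baseline bytes."""
    base, day = bytes_per_source(baseline), bytes_per_source(daytime)
    flagged = {}
    for ip, n in day.items():
        if ip not in base:
            flagged[ip] = "not in baseline"
        elif n > factor * base[ip]:
            flagged[ip] = f"{n // base[ip]}x baseline"
    return flagged

# Constructed captures: a phone, a PC, and a host seen only during the day.
PHONE, PC, NEW, SERVER = (10, 0, 0, 20), (10, 0, 0, 5), (10, 0, 0, 99), (10, 0, 0, 1)
BASELINE = make_pcap([(t, PHONE, SERVER, 17, 172) for t in range(10)] +
                     [(t, PC, SERVER, 6, 100) for t in range(10)])
DAYTIME = make_pcap([(t, PHONE, SERVER, 17, 172) for t in range(10)] +
                    [(t, PC, SERVER, 6, 1400) for t in range(10)] +
                    [(t, NEW, SERVER, 17, 500) for t in range(10)])

if __name__ == "__main__":
    print(unusual_talkers(BASELINE, DAYTIME))
```

A flagged address is a starting point for a Wireshark filter on that host, not a verdict; a backup job or software update will also show up as a jump over baseline.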
You can download Wireshark at:
The EtherShark™ Tap and Wireshark are not the kind of
things you want to get the night before you go on a service call. Play with
it at home or at the office (any network will let you learn the basics of
Wireshark). You'll waste your time, and your customer's money using it
for the first time in the heat of battle.
Terrell Boyer is a Wireshark VoIP expert and in his YouTube
video "The Ultimate Wireshark Tutorial" he gives you all the information
you need to start using Wireshark to fix network problems right away.
Well, maybe after a couple of hours watching this video a couple of times,
and another few hours playing with it on your network. If you have to fix
network or VoIP problems and are intimidated by Wireshark, this will be the best
50 minutes you'll ever spend: