From the Unifi forums:
Create /etc/default/unifi file with:
JSVC_EXTRA_OPTS=-Xss1280k
Practical Packet Analysis Notes 2
This 2nd post continues my notes from reading Practical Packet Analysis.
Unreachable port / Unreachable host
A loss of network connectivity can often be seen in Wireshark. For example, a Windows host will attempt 5 re-transmissions. While Wireshark does label these TCP Retransmission, you can also identify this process as each packet has the same Sequence value.
Often the the reply to an echo will source from a switch or router, and often you’ll observe an ARP request for the destination host to reply with a MAC address. This reply can be ICMP type 0 or 3. Code 1 in the ICMP packet = host unreachable. Code2 = port unreachable.
Fragmentation
When layer 4 hands segments to layer 3 that are greater than 1500 bytes, the limit that can be carried in a frame across layer 2, the IP packets will be fragmented to fit.
Looking at the IP layer details of such a packet you can see Flags set to 0x01, meaning more fragments follow. The offset of the first packet in this data stream will be 0. The following fragment will show an offset ~1480. Fragmented packets will follow until the last arrives with a flag of 0x00 and that means no more fragments will follow.
Practical Packet Analysis Notes 1
Hubbing out involves placing a hub or something like a Throwing Star lan tap between a host and switch. Per the books, in most situations duplex of target is cut to half.
View->Coloring Rules is a handy way to add your own rules to make traffic stand out.
Mark a packet so it stands out with white text & black backdrop. CTRL+M and you can advance or reverse with ctrl-shift-n and ctrl-shift-b.
You can merge pcaps. Tie together captures from multiple devices to get a better view. File-> Merge
Create capture and display filters. Wireshark uses comparison and logical operators.
Comparison Operators
== equal to != not equal to > greater than < less than >= greater than or equal to <= less than or equal to
Logical Operators
and both conditions must be true or either one of the conditions must be true xor one and only one condition must be true not neither one of the conditions is true
Sample Filter Expressions
host www.biokode.net display all traffic from host www.example.com !ip display all non IP traffic ip.dst==192.168.1.1 Display all traffic with a destination of 192.168.1.1
You can manage and apply existing filters, or create a new filter from a current expression from within the filter construction dialog by clicking on the small filter icon to the left of the filter expression icon within the filter toolbar!
Name Resolution
You can enable name resolution by opening the Capture Options dialog. Capture–> Options and then select Options tab.
- MAC Name Resolution – Uses ARP to convert layer 2 MAC address into layer 3 IP addresses; display 00:11:22:33:44:55:66 as 192.168.1.7.
- Network Name Resolution – Uses DNS to resolve IP addresses to human readable DNS names; display 192.168.1.7 as SalesWorkstation001.
- Transport Name Resolution – Convert port number to associated transport technology; display port 80 as http.
Name resolution may not be desirable. It can add processing overhead and resolution can fail. A capture does not store name resolution data, so expect this overhead when reviewing previously saved captures.
Protocol Dissection
Wireshark relies on protocol dissectors to to convert raw data into something understood by Wireshark, but it can select the wrong protocol dissector. Most commonly this occurs when a standard protocol is using a non-standard port. For instance, HTTP traffic flowing over port 22 could be classified as SSH!
Right click on a packet and from the menu select “Decode As.” This enables you to select a different protocol dissector than that which was chosen by Wireshark.
Following TCP Streams
Right click on a packet in the Packet list pane of the main window to Follow->TCP Stream and view related packets and their payload that is delivered to the application level in the OSI stack. You can also select a TCP packet in the TCP tab of the Statistics->Conversations dialog.
Endpoints
Statistics->Endpoints summarizes traffic measured in bits, bytes, and packets grouped by hosts.