Analyzing a pcap

Pre-filtering a pcap for further packet analysis with Wireshark to save time

Wireshark is a helpful program which is unrivalled for detailed packet analysis. The snag is that Wireshark can be unwieldy and slow.

In this use case, you’ll learn how to analyze and pre-filter a previously recorded pcap with the Allegro Network Multimeter to make using Wireshark much clearer and faster.

Example of this: A colleague often has problems with his computer. However, he cannot give the administrator exact information about which applications are affected or at which times these problems occur. In order to identify the cause, a pcap is recorded directly on the PC using tcpdump or Wireshark. This pcap file quickly grows to many gigabytes.

Large pcap files become a problem

Finding a fault can be tedious via Wireshark. The problem with Wireshark is that as soon as a pcap exceeds a certain size, it takes longer to analyze the packets. For example, a sample file containing three million packets can be read by Wireshark in 30 seconds, whereas a slightly larger one with four million packets takes more than eleven minutes. Similar times are to be expected even when a filter is used.

Therefore, you should only select the part of the traffic where the problem has been identified before analyzing it in the usual way in Wireshark.

Isolating the traffic of interest, or the faulty traffic flows, is done with the analysis modules integrated into the Allegro Network Multimeter. The file is transferred to the Allegro Network Multimeter on a USB stick for subsequent pcap analysis. The pcap then appears in the storage overview. Click the ‘Analyze PCAP’ button to start the analysis (see screenshot).

After less than a minute, the four million packets stored on the USB stick are analyzed. Then all modules of the Multimeter can be used to search for exactly the traffic of interest.

Afterwards you can save the selected traffic as a pcap file by clicking the "Capture PCAP" button (see screenshot) and then start analyzing the trace in Wireshark or, depending on the version of your Allegro Network Multimeter, in the integrated Webshark.

As you can see, by using the Allegro Network Multimeter, a pcap can be analyzed rapidly and easily without losing Wireshark’s advantages. Pre-filtering the traffic has the advantage of obtaining the desired result much faster with Wireshark or Webshark.

Your advantages at a glance

  • Analyzing a pcap
  • Pre-filtering for Wireshark
  • Ideal extension for Wireshark
  • Isolation of the network traffic to be examined
  • Clear and fast problem diagnosis
