Measure Service Response Times in Tshark

Introduction

In this lab, you will learn to measure SMB service response times using Tshark, Wireshark's command-line tool. You'll capture network traffic on TCP port 445, analyze session response times, and apply filters to examine specific host communications.

The practical exercises will guide you through generating test traffic, calculating SMB performance metrics with commands like -z smb,srt, and analyzing results using Tshark's statistical features. You'll gain hands-on experience with capture filters (-f "tcp port 445") and display filters (-Y "ip.addr==10.0.0.1") in a Linux environment.

Skills Graph

%%%%{init: {'theme':'neutral'}}%%%% flowchart RL wireshark(("Wireshark")) -.-> wireshark/WiresharkGroup(["Wireshark"]) wireshark/WiresharkGroup -.-> wireshark/packet_capture("Packet Capture") wireshark/WiresharkGroup -.-> wireshark/display_filters("Display Filters") wireshark/WiresharkGroup -.-> wireshark/capture_filters("Capture Filters") wireshark/WiresharkGroup -.-> wireshark/export_packets("Exporting Packets") wireshark/WiresharkGroup -.-> wireshark/packet_analysis("Packet Analysis") wireshark/WiresharkGroup -.-> wireshark/commandline_usage("Command Line Usage") subgraph Lab Skills wireshark/packet_capture -.-> lab-548933{{"Measure Service Response Times in Tshark"}} wireshark/display_filters -.-> lab-548933{{"Measure Service Response Times in Tshark"}} wireshark/capture_filters -.-> lab-548933{{"Measure Service Response Times in Tshark"}} wireshark/export_packets -.-> lab-548933{{"Measure Service Response Times in Tshark"}} wireshark/packet_analysis -.-> lab-548933{{"Measure Service Response Times in Tshark"}} wireshark/commandline_usage -.-> lab-548933{{"Measure Service Response Times in Tshark"}} end

Capture SMB Traffic with -f "tcp port 445"

In this step, you will learn how to capture SMB (Server Message Block) network traffic using Wireshark's capture filter. SMB is a network protocol mainly used for file sharing, printer access, and inter-process communication between Windows machines. It typically uses TCP port 445 for communication, which is why we'll focus on this specific port in our capture.

Let's begin by preparing our environment:

First, open a terminal in your LabEx VM by clicking on the terminal icon in the Xfce desktop or using the shortcut Ctrl+Alt+T. The terminal is where we'll execute all our commands.
Navigate to the default working directory where we'll store our capture files. This helps keep our project organized:

cd ~/project

Now we'll launch Wireshark, which is the network protocol analyzer we'll use to capture and examine the SMB traffic. The & symbol runs Wireshark in the background so you can continue using the same terminal:

wireshark &

In Wireshark's main interface, we need to configure our capture settings:
- Select the active network interface (usually eth1). This is the network card that will monitor the traffic.
- In the capture filter field, enter: tcp port 445. This tells Wireshark to only capture traffic on port 445 where SMB operates.
- Click the blue shark fin icon to start capturing. You'll see the interface start populating with packets.
To generate some SMB traffic for our capture, we'll use the smbclient command in a new terminal window. This command attempts to connect to a local SMB server (even though we know it will fail, it will still generate the traffic we want to capture):

smbclient -N -L //127.0.0.1

After capturing for about 10 seconds (enough time to generate sufficient traffic), stop the capture by clicking the red square button. This freezes the packet display so we can examine it.
Observe the captured packets in the main window. You should see TCP packets with destination/source port 445. These are the SMB protocol packets we're interested in analyzing.
Finally, let's save our capture for future reference:
- Go to File > Save As
- Name the file smb_capture.pcapng (the .pcapng format preserves all capture information)
- Save it in ~/project where we started our session

Calculate SRT with -z smb,srt

In this step, you will learn how to calculate SMB Session Response Time (SRT) using Wireshark's command line utility tshark. SRT measures the time between when a client sends an SMB request and when it receives the server's response, which is crucial for identifying performance bottlenecks in SMB file sharing operations.

First, ensure you're in the project directory where we'll be working with our capture files:

cd ~/project

We'll use the capture file smb_capture.pcapng created in the previous step. This file contains network traffic captured on port 445, which is the standard port for SMB protocol. If you don't have this file, you can recreate it by running:

wireshark -k -i eth1 -f "tcp port 445" -w smb_capture.pcapng &

Wait 10 seconds to capture some SMB traffic, then stop the capture with Ctrl+C.

The main command calculates SMB Session Response Times. The -z smb,srt option tells tshark to analyze SMB response time statistics:

tshark -r smb_capture.pcapng -z smb,srt

The output will show a detailed table with SRT statistics that helps you understand the performance characteristics of the SMB session. It includes:
- Total number of SMB requests processed
- Minimum response time (fastest response)
- Maximum response time (slowest response)
- Average response time
- Distribution of response times across different time ranges
When dealing with large capture files, the output might be lengthy. For better readability, you can pipe the output to less, which allows you to scroll through the results page by page:

tshark -r smb_capture.pcapng -z smb,srt | less

To save these statistics for later analysis or reporting, redirect the output to a text file:

tshark -r smb_capture.pcapng -z smb,srt > smb_srt_stats.txt

You can examine the saved statistics at any time using the cat command. This is useful when you need to review the results without re-running the analysis:

cat smb_srt_stats.txt

Filter Host with -Y "ip.addr==10.0.0.1"

In this step, you will learn how to filter network traffic for a specific host IP address (10.0.0.1) using Wireshark's display filter syntax. This is useful when you want to focus on traffic related to a particular device in your network capture.

First, ensure you're in the project directory where your capture file is stored:

cd ~/project

Open your previously captured SMB traffic file in Wireshark. The '&' runs it in background so you can continue using terminal:

wireshark smb_capture.pcapng &

In Wireshark's display filter bar (located at the top of the main window), enter the following filter to see all packets involving the IP address 10.0.0.1:

ip.addr==10.0.0.1

Then press Enter or click Apply to activate the filter.

The packet list will now only show packets where either:
- The source IP is 10.0.0.1 (traffic coming from this host)
- The destination IP is 10.0.0.1 (traffic going to this host)
To be more specific, you can filter for only packets going to 10.0.0.1 (destination traffic):

ip.dst==10.0.0.1

Similarly, to see only packets coming from 10.0.0.1 (source traffic):

ip.src==10.0.0.1

You can combine filters with logical operators for more precise analysis. For example, to see only SMB traffic (which uses TCP port 445) to/from 10.0.0.1:

ip.addr==10.0.0.1 && tcp.port==445

To save the filtered view for later analysis:
- Go to File > Export Specified Packets
- Choose "Displayed" to save only the filtered packets
- Save as filtered_host.pcapng

View Stats with -q

In this step, we'll explore how to analyze network traffic statistics using Wireshark's command-line tool tshark. The -q (quiet) option is particularly useful because it hides individual packet details and focuses solely on statistical summaries, making it easier to analyze overall traffic patterns.

Before we begin, let's make sure we're in the correct working directory where our capture file is stored:

cd ~/project

Now let's start with basic statistics. This command gives us an overview of the capture file contents without showing every single packet:

tshark -r smb_capture.pcapng -q

To understand how different network protocols are distributed in our capture, we use protocol hierarchy statistics. This shows what percentage of traffic belongs to each protocol:

tshark -r smb_capture.pcapng -qz io,phs

Since we're working with SMB traffic, we can specifically analyze SMB service response times. This helps identify how quickly the server responds to client requests:

tshark -r smb_capture.pcapng -qz smb,srt

Next, we'll examine endpoint statistics to see which IP addresses are generating or receiving the most traffic:

tshark -r smb_capture.pcapng -qz endpoints,ip

To understand communication patterns between hosts, we use conversation statistics. This shows traffic volumes between specific IP pairs:

tshark -r smb_capture.pcapng -qz conv,ip

It's often helpful to save statistics for later analysis. Here we save the protocol hierarchy to a text file:

tshark -r smb_capture.pcapng -qz io,phs > protocol_stats.txt

Finally, we can view the saved statistics to verify our output:

cat protocol_stats.txt

Summary

In this lab, you have learned to measure SMB service response times using Wireshark and tshark. The process involved capturing SMB traffic with "tcp port 445" filter, then analyzing Session Response Times through tshark's "-z smb,srt" parameter for SMB performance evaluation.

You also practiced filtering traffic by IP address using "-Y" option and generating statistical summaries with "-q". These techniques provide essential skills for network traffic analysis and SMB protocol monitoring using command-line tools.