Filtering TCP/IP packets with Wireshark

Lately I’ve been involved in a project that required the creation of a TCP/IP server. This server will be hit by large numbers of embedded devices. I created unit tests to test the server. But when the time came to integrate with the embedded device (which has been produced by a third party), of course there were still issues arising. You can try to log everything in your server, but using a packet sniffer like Wireshark is much more effective in finding the reasons why certain issues arise.

Although Wireshark is pretty easy to use, at first glance the interface looks daunting. Here are a few tricks that got me up and running with Wireshark.

First: how to start capturing? Capture->Interfaces. In this dialog click ‘Start’ on the interface that displays the external ip address your server is running on. You will see packets pouring in after this. Now you can set up a filter to display only the packets you’re interested in.

Suppose your server is running on port 8080. Displaying only the traffic that is going back and forth on that port is as simple as setting a filter:

tcp.port == 8080

Now suppose you only want to see the data that is being sent from the embedded devices to your server.

tcp.dstport == 8080

Should you want to see the data that is being sent from the server to the embedded device:

tcp.srcport == 8080

So tcp.port == 8080 is equivalent to tcp.srcport == 8080 || tcp.dstport == 8080

Now what if we wanted to see only the data coming from the IP address of one embedded device (assuming a static IP address over time):

ip.src ==

Just as with the port you can filter only packets coming from any embedded device to the server:

ip.dst ==

and if you’re indifferent about the direction:

ip.addr ==

There will be a lot of ceremony packets going back and forth (opening/closing connections, etc…). Usually you’re especially interested in the packets containing data. How to display only the packets containing data:

tcp.len > 0

How to display only the packets whose payload starts with a certain byte (here A0, in hexadecimal):

data[0] == A0

It is common to log certain events in a server using, for example, log4net. These events will have a timestamp based on the date and time of the server. As Wireshark by default shows relative times, the two do not match very well. See View->Time Display Format, where you will find Date and Time of Day. After selecting this, the date and time will be shown in the Frame part of the packet. To filter on a certain timestamp, you could use the following, which shows all packets sent and received in a specific timespan (allowing you to match them with the events logged in the server):

frame.time >= "Feb 1, 2011 11:00:00" && frame.time < "Feb 1, 2011 11:05:00"

Combining this delivers a powerful way to find information.

For example, show all packets coming from the embedded device connecting on port 8080, between 11:00 and 11:05 on February 1st 2011, coming from IP address, containing data, where the data is only of a certain type:

tcp.dstport == 8080 &&
frame.time >= "Feb 1, 2011 11:00:00" &&
frame.time < "Feb 1, 2011 11:05:00" &&
ip.src == &&
tcp.len > 0 &&
data[0] == A0

Finally, you can export the data of the displayed packets and analyse them further with the parser belonging to your server.
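The combined filter above, applied outside Wireshark as an added example (not code from the original post): a Python script that evaluates the same conditions on raw IPv4/TCP packets, showing that tcp.len is the payload length derived from the two header lengths and that data[0] is the first payload byte. The addresses, timestamps and packets are constructed samples, and the function names are assumptions of this example.

```python
import socket
import struct
from datetime import datetime

def make_packet(src, dst, sport, dport, payload=b""):
    """Constructed sample: minimal IPv4 + TCP packet, checksums left at zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0, 64, socket.IPPROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp + payload

def fields(packet):
    """Extract the fields the post filters on from a raw IPv4/TCP packet."""
    ihl = (packet[0] & 0x0F) * 4                  # IP header length in bytes
    total_len = struct.unpack("!H", packet[2:4])[0]
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    tcp_hdr = (packet[ihl + 12] >> 4) * 4         # TCP data offset in bytes
    payload = packet[ihl + tcp_hdr:total_len]     # what remains is tcp.len bytes
    return {"ip.src": socket.inet_ntoa(packet[12:16]),
            "ip.dst": socket.inet_ntoa(packet[16:20]),
            "tcp.srcport": sport, "tcp.dstport": dport,
            "tcp.len": len(payload), "data": payload}

def matches(ts, packet, device_ip, start, end, port=8080, first_byte=0xA0):
    """Same conditions as the combined filter: port, time window, source, data, type."""
    f = fields(packet)
    return (f["tcp.dstport"] == port and start <= ts < end
            and f["ip.src"] == device_ip
            and f["tcp.len"] > 0 and f["data"][0] == first_byte)

DEVICE, SERVER = "192.0.2.10", "192.0.2.1"    # constructed documentation addresses
START, END = datetime(2011, 2, 1, 11, 0, 0), datetime(2011, 2, 1, 11, 5, 0)
CAPTURE = [  # constructed (timestamp, packet) pairs
    (datetime(2011, 2, 1, 11, 0, 1), make_packet(DEVICE, SERVER, 40000, 8080)),  # no payload
    (datetime(2011, 2, 1, 11, 0, 2), make_packet(DEVICE, SERVER, 40000, 8080, b"\xa0\x01\x02")),
    (datetime(2011, 2, 1, 11, 0, 3), make_packet(SERVER, DEVICE, 8080, 40000, b"\xa0\x00")),
    (datetime(2011, 2, 1, 11, 0, 4), make_packet(DEVICE, SERVER, 40000, 8080, b"\xb1\x07")),
    (datetime(2011, 2, 1, 11, 6, 0), make_packet(DEVICE, SERVER, 40000, 8080, b"\xa0\x09")),
]

def displayed():
    """Indexes of the constructed packets the combined filter would display."""
    return [i for i, (ts, pkt) in enumerate(CAPTURE)
            if matches(ts, pkt, DEVICE, START, END)]

if __name__ == "__main__":
    print(displayed())
```

Only the second packet passes: the others are rejected for carrying no data, travelling in the server-to-device direction, starting with a different byte, or falling outside the time window.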


Change target framework to full profile (console/wpf/silverlight/setup project)

In Visual Studio 2010 a C# 4.0 application (whether it’s a Silverlight project, WPF app or console app) will be assigned a default target framework called ‘.NET Framework 4.0 Client Profile’. This is a ‘lightweight’ version of the framework; the most notable change is that System.Web has been removed. When you need this namespace in your project, you’ll need to change the target framework to ‘.NET Framework 4.0’.

Changing the target framework for a WPF/Silverlight/Console application to .NET Framework 4.0

Right-click on the project you want to change and choose properties.

In the properties dialog, change the target framework to ‘.NET Framework 4.0’.

You will get a warning. Click ‘Yes’.

Once you’ve done this, you might want to create a setup project for your application. If so, keep in mind that the setup project will be created with the .NET Framework 4.0 Client Profile assigned as the default target framework. If you simply add a setup project and hit build you’ll get the following error: “WARNING: The version of the .NET Framework launch condition ‘.NET Framework 4’ does not match the selected .NET Framework bootstrapper package. Update the .NET Framework launch condition to match the version of the .NET Framework selected in the Prerequisites Dialog Box.”

Changing the target framework for your setup project to ‘.NET Framework 4.0’ requires:

  1. Changing the launch conditions
  2. Changing the prerequisites

Changing the launch conditions

The launch conditions can be changed by right clicking the setup project. Select View and then Launch conditions.

Now select ‘.NET Framework’.

You will notice that the properties tab (see right-bottom in the default VS2010 layout) has changed. Change the Version dropdown to ‘.NET Framework 4.0’.

Changing the prerequisites

The prerequisites can be changed through the properties of the installer project.

Click the Prerequisites button.

In the prerequisites dialog, deselect ‘Microsoft .NET Framework 4 Client Profile’ and select ‘Microsoft .NET Framework 4’. Click ‘OK’.

That’s it. Now your solution will build without errors.

.NET 4.0 Client Profile and how to change the default target framework within Visual Studio 2010

Lately my productive flow has been rudely disturbed several times by Target Framework issues.  This probably existed also in Visual Studio 2008 with .NET 3.5, but I never encountered this until recently with Visual Studio 2010 and C# 4.0.

I’ve seen references to class libraries magically disappear (as described in this post), compiler errors because log4net couldn’t be compiled in the client profile (see this bug) and difficulties building a setup project with the right target framework (see this post for a description of the problems you’ll encounter, also check out my post on how to change the target framework for a setup project).

So, why is there a Client Profile? Microsoft explains that it exists specifically for client applications to enable faster deployment and a smaller install package. When you create a new project, the Target Framework is by default set to .NET Framework 4 Client Profile for most of the project templates. Because of the above mentioned issues it would be nice if you could easily set the default Target Framework to .NET Framework 4 if that is the Target you want to use for 90% of your projects. Unfortunately I haven’t found such an option in Visual Studio 2010. So, after some digging I found this blog which explains beautifully how to change this behaviour by hacking the project templates. Problem solved (but only as long as the project template isn’t overwritten by an update to Visual Studio 2010). If you want to vote for a better fix, please do so here.