Testing Connectivity with Wireshark

It becomes necessary to test connectivity and specific ports outside of Veeam software components to rule in or rule out network connectivity or throughput issues, usually as part of other troubleshooting.

Wireshark (formerly Ethereal) is a packet analyzer, free and open-source, useful for network troubleshooting and analysis. Contrasted with iperf which tests ports and throughput, Wireshark can return robust data showing outbound and inbound data, acknowledgements for TCP connections, and even on multiple interfaces concurrently.
 
Due in part to this robustness, it can produce extremely large captures, and it’s helpful to pare this down to a manageable data set: 

• Limit the number of interfaces we capture for the duration
• Apply capture filters to narrow down IP addresses and ports we watch for

Scripting can sometimes be used to terminate the capture as soon as certain text is seen, if there is a known and specific issue.

The first thing to know is what connection(s) you’re needing to monitor. You can start by picking only the necessary interfaces from Capture > Options > Manage Interfaces:
 


The specific ports used for communicating between various components can be found in the user guide, and specifically the Used Ports page:
 
https://helpcenter.veeam.com/docs/backup/vsphere/used_ports.html?ver=95
 
For instance, if the focus of investigation is traffic between a backup proxy agent and a repository agent on a single IP range, you can limit the capture to that IP range. This is, again, a capture filter, not a display filter. The capture filter field will turn green if the filter is valid:

This constrains the capture itself to traffic originating from that range of IP addresses, and no traffic originating from any other ranges will be captured. After configuring this correctly, you can proceed to running the capture, and then use display filters to pare that down further. You can specify, at the most basic: 

1. ip.addr == 192.168.0.1
2. tcp.port == 22 || tcp.port == 443
3. http 

The examples, in order, filter to a stated IP address, traffic on ports 22 and 443 (the || is a boolean OR operator), or only HTTP traffic. They should be entered into the display filter field at the top of a running or previously run capture. Both capture and display filters have a broad spectrum of options and they are covered in the Wireshark wiki (link below).
 
The capture itself is pretty self-explanatory:
 


Time format can be selected from a few options under the view menu. Source and target addresses are just as they say, as is protocol. Length refers to the overall packet length sent or received, and the details will show anything relevant (for instance, packets sent TCP but with no ACK response). You can get even more detail up to and including the content of that specific packet.
 
An important final note: Wireshark captures are inherently massive, especially if the capture filter is broad or not defined at all. Ensure you have adequate space on the machine running the capture if you suspect it will run for some time, or you run a very real risk of filling up the storage.
 
Wireshark does have some wiki-style and community resources for some greater detail on its operation and use in troubleshooting, but a familiarity with networking and the specific network environment will help far more, and is generally a requirement for making sense of the returned data.
 
https://www.wireshark.org – Site for download
https://wiki.wireshark.org – Wireshark Wiki site (check here for capture and display filters)
https://ask.wireshark.org – Wireshark Q&A/Forum