What is the Goal of finding IP Top Talker?
In my previous post I gave you 5 tips for analyzing packet captures.
In some cases it is necessary to identify which IP’s are talking the most in our network.
Sometimes we suffer from a network slowdown or we see a spike in our bandwidth usage.
For both situations we should attack the problem by finding the IP’s which are causing the slowdown or spike.
Here are my two ways how I identify the Top Talker!
1. Find Top Talker in Wireshark
The easiest and fastest way is to use the Endpoint Statistic via “Statistics” >> “Endpoints”.
You can choose between Ethernet, IPv4, IPv6, TCP and UDP.
In my screenshot below I used the IPv4 tab to show you how it looks like.
In this section you are able to sort each column in descending order.
2. Find Top Talker with “Splunk For PCAP”
If you already have experience with Splunk, you will like this way of analyzing packet captures.
I’ve created an application in the Splunk “App Store” which helps to analyze pcap files by visualizing the packets in a way everyone can understand.
For getting started with “Splunk For PCAP” you can read following two article:
- Get Started: https://devops-online.com/pcap-analyzer-for-splunk-getting-started/
- Top Talker Analysis: https://devops-online.com/pcap-analyzer-for-splunk-top-talker-analysis/
Summary
I really recommend these two ways to find the IP Top Talker. I also check that statistics even my goal is not to identify the Top Talker.
The first way is probably known to you and maybe old. The second one may be new to you and you should give it a try.
Both ways can be really helpful in many ways for you!
If you consider some parts of this post, you will be more successful in analyzing packet captures with Wireshark!
If you want to know more about it, join my Slack Workspace or send me an email.
Stay up-to-date and subscribe to my Newsletter!