Applies to Models: Wisenet WAVE
Summary:
Sometimes our support team will ask you to create a Wireshark capture so that they can analyze the communication between the WAVE Server and a camera. This article will explain how to create a capture and submit the capture to the support team.
Prerequisites:
First, you need to download Wireshark. Wireshark is a free and open-source packet analyzer. It is a commonly used application for network troubleshooting, analysis, and many more applications.
Wireshark is a cross-platform application, like the WAVE VMS, and is available for Windows, macOS, and Linux.
NOTE: For MAC O/S, we only have a client application for WAVE. The server would
have to run on Linux or Windows.
Although it is possible to capture the communication indirectly, for this article, we will describe the method of a direct install where Wireshark is installed and running on the same device as the WAVE Server application is running.
Step By Step Guide:
How to capture:
Assuming that you have successfully installed Wireshark on the same device as the WAVE Server application, open Wireshark and start the capture by double-clicking the correct network interface or, do a single-click on the proper network interface and click on the blue shark fin on the top-left of the screen. (Figure 1)
Figure 1
The correct network interface is the one that connects the server to the camera. If you have the choice between a wireless interface and a wired interface, it is preferred to use the wired interface since it provides a better quality of capture with less clutter.
How to do a filtered capture:
To collect the packets more efficiently, you can use the capture filter to grab only the specific communication you need, usually the communication between the WAVE Server and the camera. To perform the filtered capture, please follow the steps below:
1. Single click on the intended Network Interface
2. Enter the Capture Filter in the applicable field by entering host <camera-IP-address>
Example: host 192.168.178.40
3. Double-click the interface or press the Start button on the top left (the blue shark fin)
4. To finish a capture, click the red square on the top-left of the screen
5. Click File and select Save As
6. Name the capture file, retaining the extension as Wireshark/…-pcapng
NOTE: Files created on a WAVE Client PC instead of from the WAVE Server
will only contain information for the client's PC and not the intended camera.
What to capture?
Wireshark will create huge files in a short amount of time and with lots of lines to investigate. To find the proverbial needle in the haystack as quickly as possible, it is recommended to follow the steps below;
1. Start Wireshark (with the capture filter enabled)
2. Reproduce the issue
3. Stop Wireshark
4. Save the (filtered) capture
5. Send the (filtered) capture to Hanwha Support
Sometimes it isn't easy to reproduce a scenario. It wouldn't make sense to let Wireshark run until it happens since this will increase the server's load, but moreover, it will create a large capture file that is impossible to work with. But there is a solution for that, you can set up a ring buffer. A ring buffer is a feature to determine how many files Wireshark may create and how big they are allowed to be. By doing this, you can start Wireshark and let it run until the issue we want to investigate has occurred. Be aware that this will increase the load on the CPU and RAM.
How to set up a ring buffer?
1. Navigate to Capture in the top center of the Wireshark application.
2. Select Options or use the hotkeys Ctrl+K
3. Select the Output tab
4. Enable Create a new file automatically after
5. Change the field from kilobytes into megabytes and change the value to a maximum of 500.
6. Enable Use a ring buffer with and change the amount of files to 10 (Figure 2)
Figure 2
In general, with ten files, you should be able to capture the issue and stop the capture in time before the ring buffer overwrites the files. If you fail to capture the issue, you might want to increase the value. Be aware of the storage space available so that it doesn't affect the desired retention time of the video data of the WAVE Server application.
It is recommended that when you set up a Ring Buffer, you get notified quickly when the issue occurs. You can do that with the WAVE rules by selecting the appropriate event and the preferred action to be notified that the problem occurred.
It is essential to stop the Wireshark capture in time to prevent the issue from being overwritten. If you can't stop the Wireshark capture in time, you can increase the number of files the ring buffer is allowed to create.
How to share the Wireshark capture file(s)?
Since the Wireshark capture files, in general, are too big to share as an attachment, it is recommended to share them via a cloud storage service like Google Drive, Microsoft Onedrive, or ftp service.
Please supply the IP addresses of the cameras and server that we will need to look for in the capture file.