Applies to Models: Wisenet Wave
Sometimes our support team will ask you to create a Wireshark capture so that they can analyze the communication between the WAVE Server and a camera. This article explains how to create a capture and what to keep in mind when capturing the data.
First, you need to download Wireshark. Wireshark is a free and open-source packet analyzer. It is commonly used for network troubleshooting, analysis, and many other purposes.
Wireshark is a cross-platform application, like the WAVE VMS, and is available for Windows, macOS, and Linux.
NOTE: For macOS, we only have a client application for WAVE. The server would have to run on Linux or Windows.
Although it is possible to capture the communication indirectly, this article describes a direct install, where Wireshark is installed and running on the same device as the WAVE application.
Step By Step Guide:
How to capture?
Assuming that you have successfully installed Wireshark on the same device the WAVE application is running on, you can start the capture by double-clicking the correct network interface, or by single-clicking the correct network interface and then clicking the blue shark fin on the top-left of the screen.
The correct interface is the interface that connects the server to the camera. If you have the choice between a wireless interface and a wired interface, it is preferred to use the wired interface since it provides a better quality of capture with less clutter.
How to do a filtered capture?
To collect the packets more efficiently, you can use the capture filter to grab only the specific communication you need, usually the communication between the Wave Server and the camera or vice versa. To perform the filtered capture, please follow the steps below:
1. Single click on the intended Network Interface
2. Enter the Capture Filter in the applicable field by entering host <camera-IP-address>
Example: host 192.168.178.40
3. Double-click the interface or press the Start button on the top left (the blue shark fin)
4. To finish a capture, click the red square on the top-left of the screen
5. Click File and select Save As
6. Name the capture file, retaining the extension as Wireshark/…-pcapng
NOTE: Files created on a WAVE Client PC instead of on the WAVE Server will only contain information for the client's PC and not the intended camera.
What to capture?
Wireshark will create huge files in a short amount of time, with lots of lines to investigate. To find the proverbial needle in the haystack as quickly as possible, it is recommended to follow the steps below:
1. Start Wireshark (with the capture filter enabled)
2. Reproduce the issue
3. Stop Wireshark
4. Save the (filtered) capture
5. Send the (filtered) capture to Hanwha support
Sometimes it isn't easy to reproduce a scenario. It wouldn't make sense to let Wireshark run until it happens, since this will increase the server's load and, moreover, create a large capture file that is impossible to work with. But there is a solution for that: you can set up a ring buffer. A ring buffer is a feature that determines how many files Wireshark may create and how big they are allowed to be. By doing this, you can start Wireshark and let it run until the issue we want to investigate has occurred. Be aware that this will increase the load on the CPU and RAM.
How to set up a ring buffer?
1. Go to Capture in the top center of the Wireshark application.
2. Select Options or use the hotkeys Ctrl+K
3. Select the Output tab
4. Enable Create a new file automatically after
5. Change the field from kilobytes into megabytes and change the value to a maximum of 500.
6. Enable "Use a ring buffer with ten files."
In general, with ten files, you should be able to capture the moment and stop the capture in time, before the ring buffer overwrites the files. If you fail to capture the moment, you might want to increase the value. But make sure that there is sufficient storage space available and that the capture doesn't affect the desired retention time of the video data of the WAVE Server application.
When you set up a ring buffer, it is recommended that you get notified in time when the issue occurs. Often you can do that with the WAVE RULES by selecting the appropriate EVENT and the preferred ACTION to be notified that the problem occurred.
It is essential to stop the Wireshark capture in time to prevent the event from being overwritten. If you can't manage to stop the Wireshark capture in time, you can increase the number of files the ring buffer is allowed to create.
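The same filtered ring-buffer capture can also be started from a command line, which helps on a WAVE Server without a desktop. The script below is an added example, not part of the original article or Hanwha tooling; it assumes dumpcap (installed with Wireshark) is on the PATH with capture permission, and the interface name, output directory and file name wave_camera.pcapng are placeholders.

```sh
#!/bin/sh
# Added example: CLI equivalent of the filtered ring-buffer capture.
# Assumes dumpcap (shipped with Wireshark) is on PATH and may capture.
RING_FILES=10      # ring buffer with ten files
FILE_SIZE_MB=500   # maximum size per file

# Succeeds only for a dotted-quad IPv4 address with octets 0..255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Capture filter limiting the trace to one camera: host <camera-IP-address>.
capture_filter() { valid_ipv4 "$1" && echo "host $1"; }

# Worst-case disk use of the whole ring buffer in kB (dumpcap's filesize unit).
ring_kb() { echo $(( $1 * $2 * 1000 )); }

# Usage: start_capture <interface> <camera-ip> <output-dir>
start_capture() {
    filter=$(capture_filter "$2") || { echo "bad camera IP: $2" >&2; return 2; }
    need=$(ring_kb "$RING_FILES" "$FILE_SIZE_MB")
    free=$(df -Pk "$3" | awk 'NR==2 {print $4}')
    # Refuse to start unless free space exceeds the ring buffer's worst case.
    [ "$free" -gt "$need" ] || { echo "need $need kB free in $3, have $free" >&2; return 3; }
    dumpcap -i "$1" -f "$filter" \
        -b "filesize:$(( FILE_SIZE_MB * 1000 ))" -b "files:$RING_FILES" \
        -w "$3/wave_camera.pcapng"
}

# Runs only when called with three arguments, e.g.:
#   sh wave_capture.sh eth0 192.168.178.40 /var/tmp/wave_capture
if [ "$#" -eq 3 ]; then start_capture "$@"; fi
```

Stop the capture with Ctrl+C once the issue has occurred; dumpcap adds a sequence number and timestamp to each file name in the ring.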
How to share the Wireshark capture file(s)?
Please clarify the source of the IP addresses in the capture file so we know immediately which addresses in the file are the servers and which are the cameras.