WP Chappell WiresharkTroubleshooting
1-800-COURSES
www.globalknowledge.com
Introduction
Your phone begins ringing before you find a suitable spot to put down your first comforting cup of coffee in the morning. Users are complaining that the network is slow: web browsing sessions are painfully sluggish and email takes forever to download. They state that they simply can't work this way. The problem appears to be widespread, as your coffee cools faster than the users' tempers. A lack of error messages or network alarms makes the problem more elusive and guarantees you'll be hunting down the problem well through lunchtime at least. Could the problem be related to the infrastructure devices? Is a rogue switch dropping packets periodically? What about the servers? Could the email server finally be giving in to the pressure of handling all those email chain letters the users pass amongst themselves? What is the chance that the users' systems have been compromised with a virus or bot that is spreading stealthily through the shadows of the network like the plague?

In this white paper, we examine how to use Wireshark, the world's most popular open-source network analyzer, to troubleshoot some of the top causes of poor network performance, including:

- High latency
- Packet loss
- Inefficient window sizes
- Intercepting devices
- Application dependencies

First, we'll look at Wireshark and examine the methods used to see network communications.
A system loaded with Wireshark is connected to the network using one of the methods defined below. Network traffic is captured and decoded by Wireshark's dissectors, predefined code that breaks apart the packets into their fields and field contents. Wireshark also contains an Expert system that identifies possible problems in network communications, thereby shortening the problem isolation process further. For more information on Wireshark, visit www.wireshark.org.
Hubbing Out
This is a great option for half-duplex networks. Simply remove the cable from the user's system and connect it to a hub. With another cable, connect the user's system and your analyzer to the hub as shown in the diagram below. Hubs are stupid: they only know 1s and 0s, and forward all bits down all active ports. All traffic to or from your user's system will be copied to your analyzer as well.
Tapping Out
Hubs work great on half-duplex networks, but most of us have migrated to full-duplex networks. Hubs can't handle these full-duplex communications; this is the job for a full-duplex tap. The connection process would be the same as shown in Figure 1, provided you have an aggregating full-duplex tap. An aggregating tap combines both the transmit and receive channels between the user and the switch into a single data stream to the analyzer system.
Figure 1: Use full-duplex taps to listen in on all traffic to and from the user's system on a full-duplex network.
Spanning
Spanning requires reconfiguration of the switch that the user's system connects to. A switch that is configured with a spanned port sends a copy of all traffic to/from that spanned port down another port, the port that the analyzer is connected to. This method of tapping in is ideal for listening to traffic to/from a server, as you are unlikely to break the server's network connection to install a hub or tap.
Figure 2: Use Wireshark's Statistics > TCP Stream Graph > Round Trip Time Graph to determine the current round-trip latency for a file download.
We use Wireshark to measure the round-trip time on a path and determine whether it is the reason for poor network performance in Transmission Control Protocol (TCP) communications. TCP is used for web browsing, email receipt and transmission, file transfer protocol, and many other popular applications. In many situations, especially when hosts are using Windows XP, the operating system can be adjusted to work more efficiently on high-latency paths.
network problems. Slowly, it recovers to a more acceptable rate until the next packet is lost, causing another drastic cut-back in data throughput. Packet loss has a tremendously negative effect on large file downloads that should otherwise stream across a network smoothly. What does packet loss look like? It depends. If the application is running over TCP, packet loss has two different looks. In one case, the receiver tracks packets based on their sequence numbers and notices a packet is missing. The receiver requests the missing packet three times (duplicate acknowledgments), which triggers a retransmission. In the other case, the sender times out when it notices the receiver has not acknowledged receipt of a data packet, and the sender retransmits the data packet. In Figure 3, Wireshark indicates that packet loss has occurred and that duplicate acknowledgments triggered the retransmission. A high number of duplicate acknowledgments indicates that a network has experienced packet loss and is also facing high latency.
Figure 3: Wireshark indicates that packet loss has occurred by color coding the problematic traffic.
Locating the exact point of packet loss is imperative in improving network performance. When packet loss is experienced, we move the Wireshark along the path until we can no longer see packet loss. At this point, we are upstream from the packet loss point, and we know where to concentrate our troubleshooting efforts.
Figure 4: It took over 32 seconds to resolve the zero window condition, denoted by Wireshark's Expert system.
Figure 5: Wireshark's HTTP Load Distribution window lists all servers referenced by the www.espn.com home page.
In addition, poorly written applications can affect performance on both the sending side and the receiving side. No matter how healthy and free of dropped packets the network is, an application may not take advantage of the network's capabilities, because it has its own throttling mechanisms limiting the amount of data that it sends. On the receiving side of the connection, an application that does not pull data out of the receive buffer in a timely manner can lead to a limited or zero window condition. In the case of poorly performing applications, consider researching the possibility that the application can be tuned for better performance.
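The following added example (not code from the white paper or from Wireshark) shows, on a constructed TCP exchange, how the two symptoms discussed above are recognised from sequence, acknowledgment and window fields alone: the three duplicate ACKs that trigger a retransmission of a lost segment, and a receiver advertising a zero window for tens of seconds because its application is not draining the receive buffer. The segment list, host names C and S, and the timings are assumptions made for the example.

```python
from collections import namedtuple

# Constructed sample, not a real capture: time (s), sender, seq, ack,
# payload length, advertised window. C = client (receiver), S = server.
Seg = namedtuple("Seg", "t src seq ack length win")

SAMPLE = [
    Seg(0.000, "S", 1, 1, 1460, 65535),
    Seg(0.010, "C", 1, 1461, 0, 65535),     # normal ACK
    Seg(0.020, "S", 2921, 1, 1460, 65535),  # seq 1461..2920 was lost upstream
    Seg(0.030, "C", 1, 1461, 0, 65535),     # dup ACK 1
    Seg(0.040, "S", 4381, 1, 1460, 65535),
    Seg(0.050, "C", 1, 1461, 0, 65535),     # dup ACK 2
    Seg(0.060, "S", 5841, 1, 1460, 65535),
    Seg(0.070, "C", 1, 1461, 0, 65535),     # dup ACK 3 -> fast retransmit
    Seg(0.100, "S", 1461, 1, 1460, 65535),  # retransmission of the lost segment
    Seg(0.110, "C", 1, 7301, 0, 0),         # receive buffer full: zero window
    Seg(32.400, "C", 1, 7301, 0, 65535),    # window update once the app drains
]

def analyze(segs):
    """Return (time, host, note) findings in the spirit of Wireshark's Expert tags."""
    findings = []
    next_seq = {}    # host -> highest seq+len seen from it
    last_ack = {}    # host -> (ack, win) of its last pure ACK
    dup_count = {}   # host -> consecutive duplicate ACKs
    zero_since = {}  # host -> time it first advertised a zero window
    for s in segs:
        if s.length:
            if s.seq < next_seq.get(s.src, 0):  # data below what we already saw
                peer_dups = max((n for h, n in dup_count.items() if h != s.src), default=0)
                kind = "fast retransmission" if peer_dups >= 3 else "retransmission"
                findings.append((s.t, s.src, "%s seq=%d" % (kind, s.seq)))
            next_seq[s.src] = max(next_seq.get(s.src, 0), s.seq + s.length)
        else:
            # duplicate ACK: pure ACK repeating the previous ack number and window
            if last_ack.get(s.src) == (s.ack, s.win):
                dup_count[s.src] = dup_count.get(s.src, 0) + 1
                findings.append((s.t, s.src, "dup ACK #%d ack=%d" % (dup_count[s.src], s.ack)))
            else:
                dup_count[s.src] = 0
            last_ack[s.src] = (s.ack, s.win)
        if s.win == 0 and s.src not in zero_since:
            zero_since[s.src] = s.t
            findings.append((s.t, s.src, "zero window"))
        elif s.win and s.src in zero_since:
            stalled = s.t - zero_since.pop(s.src)
            findings.append((s.t, s.src, "window update after %.2f s stalled" % stalled))
    return findings
```

Moving the capture point along the path and re-running this on each capture is the same procedure the paper describes: the first capture point where the original segment 1461 is visible before its retransmission is upstream of the loss.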
Learn More
Learn more about how you can improve productivity, enhance efficiency, and sharpen your competitive edge. Check out the following Global Knowledge courses:

- Analyzing TCP/IP Networks with Wireshark
- Troubleshooting and Securing TCP/IP Networks with Wireshark
- TCP/IP Networking

For more information or to register, visit www.globalknowledge.com or call 1-800-COURSES to speak with a sales representative. Our courses and enhanced, hands-on labs offer practical skills and tips that you can immediately put to use. Our expert instructors draw upon their experiences to help you understand key concepts and how to apply them to your specific work situation. Choose from our more than 700 courses, delivered through Classrooms, e-Learning, and On-site sessions, to meet your IT and management training needs.