
Troubleshooting Slow Networks with Wireshark

Expert Reference Series of White Papers, Global Knowledge (1-800-COURSES, www.globalknowledge.com). Copyright 2009 Global Knowledge Training LLC. All rights reserved.

Laura Chappell, Founder, Wireshark University and Chappell University

Introduction

Your phone begins ringing before you find a suitable spot to put down your first comforting cup of coffee in the morning. Users are complaining that the network is slow: web browsing sessions are painfully sluggish and email takes forever to download. They state that they simply can't work this way. The problem appears to be widespread, as your coffee cools faster than the users' tempers. A lack of error messages or network alarms makes the problem more elusive and guarantees you'll be hunting down the problem well through lunchtime at least.





Could the problem be related to the infrastructure devices? Is a rogue switch dropping packets periodically? What about the servers? Could the email server finally be giving in to the pressure of handling all those email chain letters the users pass amongst themselves? What is the chance that the users' systems have been compromised with a virus or bot that is spreading stealthily through the shadows of the network like the plague?

In this white paper, we examine how to use Wireshark, the world's most popular open-source network analyzer, to troubleshoot some of the top causes of poor network performance, including:

- High latency
- Packet loss
- Inefficient window sizes
- Intercepting devices
- Application dependencies

First, we'll look at Wireshark and examine methods used to see network communications.

Wireshark: The Open-Source Network Savior

Wireshark, formerly Ethereal, is the world's most popular open-source network analyzer and the ideal first-responder tool on a troubled network. Wireshark enables you to see the network communications and definitively point to where the problem lies. Although it cannot tell you why the problem exists, Wireshark reduces the troubleshooting time and effort drastically by providing a definitive answer to the location of the problem, removing the guesswork that typically consumes the IT professional's time while users impatiently wait for their network services to be restored.

A system loaded with Wireshark is connected to the network using one of the methods defined below.

Network traffic is captured and decoded by Wireshark's dissectors, predefined code that breaks apart the packets into their fields and field contents. Wireshark also contains an Expert system that identifies possible problems in network communications, thereby shortening the problem isolation process further. For more information on Wireshark, visit the Wireshark project web site.

The Naked Network

The first step in analyzing network performance is to capture the network traffic. Ideally, you'll capture the traffic to and from a complaining host system from a location as close to that user as possible. You want to experience the slow performance from their perspective and their location on the network. There are four basic options available to capture network traffic:

- Load Wireshark directly on one of the host systems.
- Insert a network hub between a host and a switch (half-duplex).
- Insert a network tap between a host and a switch (full-duplex).
- Span the switch port of a user to an analyzer port.

Wireshark on the User's System

This option makes my skin crawl a bit. I detest the idea of being so invasive, and I have nightmares imagining the users running Wireshark on their systems with little or no knowledge of network communications. This would be my least-favorite recommendation. It also has a technical drawback: with checksum and segmentation offload enabled on the NIC, the capture driver sees outbound frames before the adapter computes checksums or splits them into wire-sized segments, so segment sizes and checksum errors in such a trace do not reflect what actually went on the wire.

Hubbing Out

This is a great option for half-duplex networks. Simply remove the cable from the user's system and connect it to a hub. With another cable, connect the user's system and your analyzer to the hub as shown in the diagram below. Hubs are stupid: they only know 1s and 0s, and forward all bits down all active ports.

All traffic to or from your user's system will be copied to your analyzer as well.

Tapping Out

Hubs work great on half-duplex networks, but most of us have migrated to full-duplex networks. Hubs can't handle these full-duplex communications; this is the job for a full-duplex tap. The connection process would be the same as shown in Figure 1, provided you have an aggregating full-duplex tap. An aggregating tap combines both transmit and receive channel information between the user and the switch into a single data stream to the analyzer system. Keep in mind that this squeezes two full-duplex channels onto one analyzer link: if the combined traffic in both directions exceeds the rate of the analyzer port, the tap or the analyzer's NIC drops frames, and those drops appear in the trace as packet loss that never happened on the production path.

Figure 1: Use full-duplex taps to listen in on all traffic to and from the user's system on a full-duplex network.

Spanning a switch port requires reconfiguration of the switch that the user's system connects to.

A switch that is configured with a spanned port sends a copy of all traffic to/from that spanned port down another port, the port that the analyzer is connected to. This method of tapping in is ideal for listening to traffic to/from a server, as you are unlikely to break the server's network connection to install a hub or tap. A span port has the same oversubscription limit as an aggregating tap (both directions of a full-duplex link are copied onto one port), and a busy switch typically discards span copies before it discards production traffic, so gaps in a span capture are not by themselves proof of loss on the real path.

High Latency: Somebody's Dragging Their Feet

Latency is a measurement of travel time from one host to another, or of the round trip between hosts. Although bits on a 100 Mbps link are always placed on the wire at 100 Mbps, latency is introduced by the distance the signal must travel and by interconnecting devices that queue and process packets along the way. Slow travel from one endpoint to another is defined as high latency. High latency has a tremendously negative effect on network communications.

As an example, in Figure 2 we examine the round-trip time of a file download process on a high-latency path. At times, the round-trip latency reaches 1 second, which is completely unacceptable.

Figure 2: Use Wireshark's Statistics > TCP Stream Graph > Round Trip Time Graph to determine the current round-trip latency for a file download.

We use Wireshark to determine the round-trip time on a path to determine whether this is the reason for poor network performance for Transmission Control Protocol (TCP) communications. Wireshark measures this value as the time between a data segment and the acknowledgment that covers it; the same per-packet value is exposed as the tcp.analysis.ack_rtt field, so a display filter such as tcp.analysis.ack_rtt > 0.5 isolates the slow round trips in a trace. TCP is used for web browsing, email receipt and transmission, FTP, and many other popular applications. In many situations, especially when hosts are using Windows XP, the operating system's TCP settings (in particular the receive window size) can be adjusted to work more efficiently on high-latency paths.

Packet Loss: Losing Data in Bits and Pieces

Packet loss is one of the most common problems I see on networks. When a user accesses a web site and begins to download the elements of the site, lost packets trigger retransmissions, increasing the overhead required to download the site elements and delaying the total download process. In addition, when an application uses TCP, the effect of lost packets is especially detrimental. Each time a TCP connection senses a lost packet, its congestion control treats the loss as a sign of network congestion and throttles the throughput rate back dramatically. Slowly, it recovers to a more acceptable rate until the next packet is lost, causing another drastic cut-back in data throughput.

Packet loss has a tremendously negative effect on large file downloads that should otherwise stream across a network smoothly. What does packet loss look like? It depends. If the application is running over TCP, packet loss has two different looks. In one case, the receiver tracks segments by their sequence numbers and notices that one is missing; for each later segment that arrives out of order, it re-sends an acknowledgment for the last in-order byte it received (a duplicate acknowledgment). After the sender sees three duplicate acknowledgments, it retransmits the missing segment immediately (a fast retransmission) rather than waiting for its retransmission timer. In the other case, the sender's retransmission timer expires because the receiver has not acknowledged a data segment, and the sender retransmits the data. In Figure 3, Wireshark indicates that packet loss has occurred and that duplicate acknowledgments triggered the retransmission; the Expert system flags these events as tcp.analysis.duplicate_ack, tcp.analysis.fast_retransmission and tcp.analysis.retransmission, and all of them can be used as display filters. A high number of duplicate acknowledgments for a single lost segment indicates that many segments were already in flight behind it, which means the network has experienced packet loss and is also facing high latency.
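As an added example, not code from this white paper or from the Wireshark project, the following Python script applies the two checks described in the latency and packet loss sections above to a constructed capture: the per-acknowledgment round-trip time that feeds the Round Trip Time Graph and the tcp.analysis.ack_rtt field, and the two packet-loss signatures (three duplicate ACKs followed by a fast retransmission, and a retransmission after a timeout with no duplicate ACKs). The endpoints, timestamps and sequence numbers are constructed, the capture is assumed to be taken next to the sender so that the lost segments are present in the trace, and the rules are a simplification of Wireshark's Expert logic (flags, window sizes and SACK are ignored).

```python
"""Added example: a minimal TCP stream analyzer for ACK round-trip time,
duplicate ACKs and retransmissions, run on a constructed capture."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Dir = Tuple[str, str]   # (src, dst) endpoint pair for one direction of a stream


@dataclass(frozen=True)
class Segment:
    t: float      # capture timestamp in seconds
    src: str
    dst: str
    seq: int      # sequence number of the first payload byte
    ack: int      # acknowledgment number carried by this segment
    length: int   # payload bytes; 0 marks a pure ACK


@dataclass
class Report:
    ack_rtt: Dict[int, float] = field(default_factory=dict)     # frame -> seconds
    duplicate_ack: List[int] = field(default_factory=list)
    fast_retransmission: List[int] = field(default_factory=list)
    retransmission: List[int] = field(default_factory=list)     # not preceded by 3 dup ACKs


def analyze(trace: List[Segment]) -> Report:
    rep = Report()
    next_seq: Dict[Dir, int] = {}                           # highest seq_end seen per direction
    pending: Dict[Dir, List[Tuple[int, int, float]]] = {}   # unacked data: (seq_end, frame, t)
    last_ack: Dict[Dir, Tuple[int, int]] = {}               # last pure ACK: (ack number, dup count)

    for frame, s in enumerate(trace, start=1):              # Wireshark frame numbers start at 1
        fwd: Dir = (s.src, s.dst)
        rev: Dir = (s.dst, s.src)

        # Round-trip time: this segment's ACK number covers data sent the other way.
        # As Wireshark does, attribute the RTT to the frame whose last byte is being
        # acknowledged (the most recent copy of it, if that byte was retransmitted).
        covered = [p for p in pending.get(rev, []) if p[0] <= s.ack]
        if covered:
            _, _, sent_at = max(covered, key=lambda p: (p[0], p[2]))
            rep.ack_rtt[frame] = round(s.t - sent_at, 6)
            pending[rev] = [p for p in pending[rev] if p[0] > s.ack]

        # Duplicate ACK: a pure ACK repeating the previous ACK number in this direction.
        if s.length == 0:
            prev_ack, dups = last_ack.get(fwd, (None, 0))
            dups = dups + 1 if s.ack == prev_ack else 0
            if dups:
                rep.duplicate_ack.append(frame)
            last_ack[fwd] = (s.ack, dups)
            continue

        # Data segment: a start below the next expected byte means it was sent before.
        expected = next_seq.get(fwd, s.seq)
        if s.seq < expected:
            dup_ack_num, dups = last_ack.get(rev, (None, 0))
            if dups >= 3 and dup_ack_num == s.seq:   # receiver asked for exactly this byte
                rep.fast_retransmission.append(frame)
            else:                                     # no dup ACKs: the sender's timer expired
                rep.retransmission.append(frame)
        seq_end = s.seq + s.length
        next_seq[fwd] = max(expected, seq_end)
        pending.setdefault(fwd, []).append((seq_end, frame, s.t))
    return rep


def slow_acks(rep: Report, threshold: float) -> List[int]:
    """Frames whose ACK RTT exceeds threshold: the same idea as the display
    filter tcp.analysis.ack_rtt > threshold."""
    return sorted(f for f, rtt in rep.ack_rtt.items() if rtt > threshold)


C, S = "10.1.1.5:49152", "10.1.1.10:80"   # constructed client and server endpoints

# Constructed capture taken next to the server, so segments later lost downstream
# (frames 3 and 13) are still present in the trace.
SAMPLE_TRACE = [
    Segment(0.000, C, S, seq=1, ack=1, length=120),         # 1  client request
    Segment(0.050, S, C, seq=1, ack=121, length=1000),      # 2  acks the request, first data
    Segment(0.051, S, C, seq=1001, ack=121, length=1000),   # 3  lost downstream
    Segment(0.052, S, C, seq=2001, ack=121, length=1000),   # 4
    Segment(0.053, S, C, seq=3001, ack=121, length=1000),   # 5
    Segment(0.054, S, C, seq=4001, ack=121, length=1000),   # 6
    Segment(0.150, C, S, seq=121, ack=1001, length=0),      # 7  ACK for frame 2
    Segment(0.152, C, S, seq=121, ack=1001, length=0),      # 8  dup ACK (frame 4 arrived)
    Segment(0.153, C, S, seq=121, ack=1001, length=0),      # 9  dup ACK (frame 5 arrived)
    Segment(0.154, C, S, seq=121, ack=1001, length=0),      # 10 dup ACK (frame 6 arrived)
    Segment(0.155, S, C, seq=1001, ack=121, length=1000),   # 11 fast retransmission
    Segment(0.255, C, S, seq=121, ack=5001, length=0),      # 12 hole filled, all acked
    Segment(0.300, S, C, seq=5001, ack=121, length=1000),   # 13 lost downstream, nothing behind it
    Segment(1.300, S, C, seq=5001, ack=121, length=1000),   # 14 timeout retransmission
    Segment(1.400, C, S, seq=121, ack=6001, length=0),      # 15
]

if __name__ == "__main__":
    r = analyze(SAMPLE_TRACE)
    print("ack_rtt:", r.ack_rtt)
    print("duplicate ACKs:", r.duplicate_ack, "fast retransmissions:", r.fast_retransmission,
          "retransmissions:", r.retransmission, "slow ACKs > 0.2 s:", slow_acks(r, 0.2))
```

Two details are worth noting. The RTT for frame 12 is attributed to frame 6 (about 0.2 s) even though the ACK was triggered by the fast retransmission in frame 11, which is the same convention the RTT graph uses and is why a single loss event shows up as a spike on that graph. And frame 14 is classified as a plain retransmission only because no duplicate ACKs preceded it; on a real trace, compare its delay against the previous ACK RTTs to confirm that a retransmission timer, rather than another fast retransmission, was responsible.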