Troubleshooting Slow Networks with Wireshark

Abstract

Wireshark, the world's most popular open-source network analyzer, has become an essential tool for locating and diagnosing the cause of network problems in the most efficient and cost-effective manner possible. In March 2009, the Wireshark Certification Program was released to validate a candidate's knowledge of Wireshark functionality, TCP/IP troubleshooting, and network forensics/security. In this white paper, we examine how to use Wireshark to troubleshoot some of the top causes of poor network performance.

Sample

Introduction

Your phone begins ringing before you find a suitable spot to put down your first comforting cup of coffee in the morning. Users are complaining that the network is slow - web browsing sessions are painfully sluggish and email takes forever to download. They state that they simply can't work this way.

The problem appears to be widespread as your coffee cools faster than the users' tempers. A lack of error messages or network alarms makes the problem more elusive and guarantees you'll be hunting down the problem well through lunchtime - at least.

Could the problem be related to the infrastructure devices? Is a rogue switch dropping packets periodically? What about the servers? Could the email server finally be giving in to the pressure of handling all those email chain letters the users pass amongst themselves? What is the chance that the users' systems have been compromised with a virus or bot that is spreading stealthily through the shadows of the network like the plague?

In this white paper, we examine how to use Wireshark, the world's most popular open-source network analyzer, to troubleshoot some of the top causes of poor network performance, including

  • High latency
  • Packet loss
  • Inefficient window sizes
  • Intercepting devices
  • Application dependencies

First, we'll look at Wireshark and examine methods used to "see" network communications.

Wireshark: The Open-Source Network Savior

Wireshark, formerly Ethereal, is the world's most popular open-source network analyzer and the ideal first-responder tool on a troubled network. Wireshark enables you to "see" the network communications and definitively point to where the problem lies. Although it cannot tell you why the problem exists, Wireshark reduces the troubleshooting time and effort drastically by providing a definitive answer to the location of the problem - removing the guesswork that typically consumes the IT professional's time while users impatiently wait for their network services to be restored.

A system loaded with Wireshark is connected to the network using one of the methods defined below. Network traffic is captured and decoded by Wireshark's dissectors, predefined code that breaks apart the packets into their fields and field contents. Wireshark also contains an Expert system that identifies possible problems in network communications, thereby shortening the problem isolation process further. For more information on Wireshark, visit www.wireshark.org.
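The script below is an added Python example, not code from the white paper or from the Wireshark project. It imitates three of the Expert-style findings the paper's list of top causes points at (high latency, packet loss seen as a retransmission, and a zero receive window) by running simple checks over a constructed list of TCP packet summaries; the record fields, addresses and the 200 ms handshake threshold are assumptions chosen for the example.

```python
# Added example: a tiny stand-in for Wireshark's Expert checks, run over
# constructed TCP packet summaries (not a real capture).
from collections import namedtuple

# Fields mirror columns you would read off Wireshark's packet list (assumed layout).
Pkt = namedtuple("Pkt", "t src dst flags seq length win")

# Constructed capture: slow handshake, one data segment sent twice, a zero-window ACK.
SAMPLE = [
    Pkt(0.000, "10.0.0.5", "10.0.0.9", "SYN", 0, 0, 65535),
    Pkt(0.410, "10.0.0.9", "10.0.0.5", "SYN-ACK", 0, 0, 65535),  # 410 ms handshake RTT
    Pkt(0.411, "10.0.0.5", "10.0.0.9", "ACK", 1, 0, 65535),
    Pkt(0.412, "10.0.0.5", "10.0.0.9", "ACK", 1, 1460, 65535),
    Pkt(0.650, "10.0.0.5", "10.0.0.9", "ACK", 1, 1460, 65535),    # same seq again
    Pkt(0.651, "10.0.0.9", "10.0.0.5", "ACK", 1, 0, 0),           # receiver buffer full
]

def analyze(packets, rtt_limit=0.2):
    """Return (frame_number, note) pairs in the spirit of Expert Info entries."""
    findings = []
    syn_time = {}          # (client, server) -> time the SYN was seen
    seen_segments = set()  # (src, dst, seq) of payload-carrying segments
    for n, p in enumerate(packets, start=1):
        if p.flags == "SYN":
            syn_time[(p.src, p.dst)] = p.t
        elif p.flags == "SYN-ACK":
            # Handshake RTT as observed from the capture point: SYN-ACK time minus SYN time.
            t0 = syn_time.get((p.dst, p.src))
            if t0 is not None and p.t - t0 > rtt_limit:
                findings.append((n, f"high latency: handshake RTT {p.t - t0:.3f}s"))
        if p.length > 0:
            # A payload segment whose sequence number was already seen is a retransmission,
            # which usually means the first copy (or its ACK) was lost.
            key = (p.src, p.dst, p.seq)
            if key in seen_segments:
                findings.append((n, f"packet loss suspected: retransmission of seq {p.seq}"))
            seen_segments.add(key)
        if p.win == 0 and "RST" not in p.flags:
            # A zero window tells the peer to stop sending: the receiver cannot keep up.
            findings.append((n, f"window problem: zero window advertised by {p.src}"))
    return findings

if __name__ == "__main__":
    for frame, note in analyze(SAMPLE):
        print(f"frame {frame}: {note}")
```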

The Naked Network

The first step in analyzing network performance is to capture the network traffic. Ideally, you'll capture the traffic to and from a complaining host system from a location as close to that user as possible. You want to experience the slow performance from their perspective and their location on the network.

There are four basic options available to capture network traffic.

  • Load Wireshark directly on one of the host systems.
  • Insert a network hub between a host and a switch (half-duplex).
  • Insert a network tap between a host and a switch (full-duplex).
  • Span the switch port of a user to an analyzer port.

Loading Wireshark on the User's System

This option makes my skin crawl a bit. I detest the idea of being so invasive and have nightmares imagining the users running Wireshark on their systems with little or no knowledge of network communications. This would be my least-favorite recommendation.

Hubbing Out

This is a great option for half-duplex networks. Simply remove the cable from the user's system and connect it to a hub. With another cable, connect the user's system and your analyzer to the hub as shown in the diagram below. Hubs are stupid - they only know 1s and 0s, and forward all bits down all active ports. All traffic to or from your user's system will be copied to your analyzer as well.

Tapping Out

Hubs work great on half-duplex networks, but most of us have migrated to full-duplex networks. Hubs can't handle full-duplex communications; that is the job for a full-duplex tap. The connection process is the same as shown in Figure 1, provided you have an aggregating full-duplex tap. An aggregating tap combines both the transmit and receive channels between the user and the switch into a single data stream to the analyzer system.

Spanning

Spanning requires reconfiguration of the switch that the user's system connects to. A switch that is configured with a spanned port sends a copy of all traffic to/from that spanned port down another port - the port that the analyzer is connected to. This method of tapping in is ideal for listening to traffic to/from a server, as you are unlikely to break the server's network connection to install a hub or tap.

Date: 4/23/2009

Author: Laura Chappell

Format: PDF

Pages: 11