Troubleshooting Slow Networks with Wireshark
1-800-COURSES www.globalknowledge.com
Laura Chappell, Founder, Wireshark University and Chappell University
Introduction
Your phone begins ringing before you find a suitable spot to put down your first comforting cup of coffee in the morning. Users are complaining that the network is slow – web browsing sessions are painfully sluggish and email takes forever to download. They state that they simply can’t work this way.
The problem appears to be widespread as your coffee cools faster than the users’ tempers. A lack of error messages or network alarms makes the problem more elusive and guarantees you’ll be hunting down the problem well through lunchtime – at least.
Could the problem be related to the infrastructure devices? Is a rogue switch dropping packets periodically? What about the servers? Could the email server finally be giving in to the pressure of handling all those email chain letters the users pass amongst themselves? What is the chance that the users’ systems have been compromised with a virus or bot that is spreading stealthily through the shadows of the network like the plague?
In this white paper, we examine how to use Wireshark, the world’s most popular open-source network analyzer,
to troubleshoot some of the top causes of poor network performance, including
• High latency
• Packet loss
• Inefficient window sizes
• Intercepting devices
• Application dependencies
First, we’ll look at Wireshark and examine methods used to “see” network communications.
Hubbing Out
This is a great option for half-duplex networks. Simply remove the cable from the user’s system and connect it
to a hub. With another cable, connect the user’s system and your analyzer to the hub as shown in the diagram
below. Hubs are stupid – they only know 1s and 0s, and forward all bits down all active ports. All traffic to or
from your user’s system will be copied to your analyzer as well.
Tapping Out
Hubs work great on half-duplex networks, but most of us have migrated to full-duplex networks. Hubs can’t
handle these full-duplex communications; this is the job for a full-duplex tap. The connection process would be
the same as shown in Figure 1, provided you have an aggregating full-duplex tap. An aggregating tap combines
both transmit and receive channel information between the user and the switch into a single data stream to the
analyzer system.
Spanning
Spanning requires reconfiguration of the switch that the user’s system connects to. A switch that is configured
with a spanned port sends a copy of all traffic to/from that spanned port down another port – the port that the
analyzer is connected to. This method of tapping-in is ideal for listening to traffic to/from a server as you are
unlikely to break the server’s network connection to install a hub or tap.
High Latency
Slow travel from one endpoint to another is defined as high latency. High latency has a tremendously negative effect on network communications. As an example, in Figure 2, we examine the roundtrip time of a file download process on a high-latency path. At times, the roundtrip latency time reaches 1 second, which is completely unacceptable.
We use Wireshark to determine the roundtrip time on a path to determine if this is the reason for poor network performance for Transmission Control Protocol (TCP) communications. TCP is used for web browsing, email receipt and transmission, file transfer protocol, and many other popular applications. In many situations, especially when hosts are using Windows XP, the operating system can be adjusted to work more efficiently on high-latency paths.
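To show what Wireshark's per-ACK round-trip measurement (the tcp.analysis.ack_rtt field, which you can filter on with tcp.analysis.ack_rtt > 1) is actually computing, here is an added Python example that is not part of the paper: it derives the RTT for each ACK from a constructed packet trace. The Seg record, the TRACE data and the 0.5 s threshold are assumptions made for the illustration.

```python
from collections import namedtuple

# One TCP segment: time (s), sender, seq, ack, payload length, TCP flags.
# The trace is constructed for this example; it is not the paper's capture.
Seg = namedtuple("Seg", "t src seq ack plen flags")

TRACE = [
    Seg(0.000, "client", 100,  0,    0,    "S"),    # SYN
    Seg(0.950, "server", 500,  101,  0,    "SA"),   # SYN/ACK arrives ~950 ms later
    Seg(0.951, "client", 101,  501,  0,    "A"),
    Seg(0.952, "client", 101,  501,  200,  "PA"),   # request
    Seg(1.900, "server", 501,  301,  1460, "A"),    # data, ACKs the request
    Seg(1.901, "server", 1961, 301,  1460, "A"),
    Seg(2.850, "client", 301,  3421, 0,    "A"),    # ACKs both data segments
]

def ack_rtt(trace):
    """Return (time, sender, rtt) for every ACK that covers outstanding peer
    data, measured like Wireshark does: from the newest segment this ACK
    acknowledges to the ACK itself."""
    unacked = {"client": [], "server": []}   # per sender: (end seq, send time)
    rtts = []
    for s in trace:
        peer = "server" if s.src == "client" else "client"
        # SYN and FIN consume one sequence number each, data consumes plen.
        consumed = s.plen + ("S" in s.flags) + ("F" in s.flags)
        if consumed:
            unacked[s.src].append((s.seq + consumed, s.t))
        if "A" in s.flags:
            # Everything from the peer whose last byte is <= ack is now acknowledged.
            covered = [u for u in unacked[peer] if u[0] <= s.ack]
            if covered:
                newest = max(covered, key=lambda u: u[1])
                rtts.append((s.t, s.src, round(s.t - newest[1], 3)))
                unacked[peer] = [u for u in unacked[peer] if u[0] > s.ack]
    return rtts

def slow_acks(trace, threshold=0.5):
    """ACKs whose RTT exceeds threshold seconds (the paper calls 1 s unacceptable)."""
    return [r for r in ack_rtt(trace) if r[2] > threshold]
```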
Packet Loss
In addition, when an application uses TCP, the effect of lost packets is especially detrimental. Each time a TCP connection senses a lost packet, the throughput rate automatically throttles back dramatically to account for
What does packet loss look like? It depends. If the application is running over TCP, packet loss has two different looks. In one case, the receiver tracks packets based on their sequence numbers and notices a packet is missing. The client requests the missing packet three times (duplicate acknowledgments), which triggers a retransmission. In the other case, the sender times out when it notices the receiver has not acknowledged receipt of a data packet, and the sender retransmits the data packet.
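The two "looks" just described (duplicate ACKs leading to a fast retransmission, and a retransmission after the sender's timer expires), as an added example that is not from the paper: a simplified version of the checks behind Wireshark's tcp.analysis.lost_segment, tcp.analysis.duplicate_ack, tcp.analysis.fast_retransmission and tcp.analysis.retransmission flags, run over a constructed trace. The Seg record and TRACE are assumptions; real Wireshark also compares window size and SACK blocks, which this version ignores.

```python
from collections import namedtuple

# Segment: time (s), sender, seq, ack, payload length, flags. Constructed
# server-to-client download, not the paper's capture: seq 2921 is lost and the
# client ACKs 2921 three more times; later the ACK for seq 8761 is lost.
Seg = namedtuple("Seg", "t src seq ack plen flags")
TRACE = [
    Seg(0.00, "server", 1,    1,    1460, "A"),
    Seg(0.00, "server", 1461, 1,    1460, "A"),
    Seg(0.01, "client", 1,    2921, 0,    "A"),
    Seg(0.02, "server", 4381, 1,    1460, "A"),   # 2921..4380 never seen
    Seg(0.03, "client", 1,    2921, 0,    "A"),   # dup ACK #1
    Seg(0.04, "server", 5841, 1,    1460, "A"),
    Seg(0.05, "client", 1,    2921, 0,    "A"),   # dup ACK #2
    Seg(0.06, "server", 7301, 1,    1460, "A"),
    Seg(0.07, "client", 1,    2921, 0,    "A"),   # dup ACK #3
    Seg(0.08, "server", 2921, 1,    1460, "A"),   # fast retransmission
    Seg(0.09, "client", 1,    8761, 0,    "A"),
    Seg(3.10, "server", 8761, 1,    1460, "A"),   # its ACK gets lost
    Seg(6.20, "server", 8761, 1,    1460, "A"),   # RTO retransmission
]

def analyze(trace):
    """Tag segments roughly as Wireshark's TCP expert does (simplified: dup
    ACKs are matched on ACK number only; window and SACK are ignored)."""
    next_seq = {}    # per sender: highest seq+len seen so far
    last_ack = {}    # per sender: (ack number, consecutive dup-ACK count)
    flags = []
    for i, s in enumerate(trace):
        peer = "server" if s.src == "client" else "client"
        expected = next_seq.get(s.src, s.seq)
        if s.plen and s.seq > expected:
            flags.append((i, "previous segment not captured"))
        elif s.plen and s.seq < expected:
            # Data below what this sender already sent: a retransmission.
            ack, dups = last_ack.get(peer, (None, 0))
            kind = "fast retransmission" if ack == s.seq and dups >= 3 else "retransmission"
            flags.append((i, kind))
        next_seq[s.src] = max(expected, s.seq + s.plen)
        if s.plen == 0 and "A" in s.flags:
            ack, dups = last_ack.get(s.src, (None, 0))
            count = dups + 1 if ack == s.ack else 0
            if count:
                flags.append((i, f"duplicate ACK #{count}"))
            last_ack[s.src] = (s.ack, count)
    return flags
```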
In Figure 3, Wireshark indicates that packet loss has occurred and duplicate acknowledgments trigger the
retransmission. A high number of duplicate acknowledgments indicates that a network has experienced packet
loss and is also facing high latency.
Figure 3: Wireshark indicates that packet loss has occurred by color coding the problematic traffic.
Locating the exact point of packet loss is imperative in improving network performance. When packet loss is experienced, we move Wireshark along the path until we can no longer see packet loss. At this point, we are “upstream” from the packet loss point, and we know where to concentrate our troubleshooting efforts.
Inefficient Window Sizes
As a set, these windows define the TCP-based communication performance on the network. First, let’s define each of these windows and their individual effect on network throughput.
Figure 4, below, depicts a zero window condition that caused a 32-second delay in network communications.
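To make the Figure 4 condition concrete, here is an added Python example that is not from the paper: a simplified form of the logic behind Wireshark's tcp.analysis.window_full, tcp.analysis.zero_window and tcp.analysis.window_update flags, run over a constructed trace in which the receiver advertises a zero window for 32 seconds. The Seg record and TRACE are assumptions, and the example assumes no window scaling.

```python
from collections import namedtuple

# Segment: time (s), sender, seq, ack, payload length, advertised window, flags.
Seg = namedtuple("Seg", "t src seq ack plen win flags")

# Constructed trace, not the paper's Figure 4, with no window scaling assumed:
# the client's application stops draining its receive buffer, the window it
# advertises drops to zero, and a window update 32 s later lets data resume.
TRACE = [
    Seg(0.00,  "client", 1,    1,    0,    2920,  "A"),
    Seg(0.01,  "server", 1,    1,    1460, 65535, "A"),
    Seg(0.02,  "server", 1461, 1,    1460, 65535, "A"),   # fills the 2920-byte window
    Seg(0.03,  "client", 1,    2921, 0,    0,     "A"),   # zero window
    Seg(5.04,  "client", 1,    2921, 0,    0,     "A"),   # still zero
    Seg(32.03, "client", 1,    2921, 0,    2920,  "A"),   # window update
    Seg(32.04, "server", 2921, 1,    1460, 65535, "A"),
]

def window_events(trace):
    """Return Wireshark-style window flags (window full, zero window, window
    update) plus how long each receiver sat at a zero window."""
    adv = {}             # per host: (last ack it sent, last window it advertised)
    zero_since, events, stalls = {}, [], []
    for i, s in enumerate(trace):
        peer = "server" if s.src == "client" else "client"
        if s.plen:
            # Sender's data reaches the edge of what the peer allowed.
            ack, win = adv.get(peer, (None, None))
            if win is not None and s.seq + s.plen >= ack + win:
                events.append((i, "window full"))
        elif "A" in s.flags:
            prev = adv.get(s.src)
            if s.win == 0 and "R" not in s.flags:
                events.append((i, "zero window"))
                zero_since.setdefault(s.src, s.t)
            elif prev and prev[0] == s.ack and s.win > prev[1]:
                events.append((i, "window update"))
                if s.src in zero_since:
                    stalls.append((s.src, round(s.t - zero_since.pop(s.src), 2)))
        if "A" in s.flags:
            adv[s.src] = (s.ack, s.win)
    return events, stalls
```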
Intercepting Devices
These interconnecting devices can also add latency to the path. For example, if traffic prioritization is in use, we can see additional latency injected into a stream that meets a low priority level.
Application Dependencies
As a simple example, we can look at a web browsing session in which the target server references numerous other websites. In order to load the main page of the site, www.espn.com, for example, you must access 16 hosts that provide advertisements and content for the main www.espn.com page. Figure 5 shows the list of hosts that you must contact when you load the www.espn.com home page.
In addition, poorly written applications can affect performance on both the sending side and the receiving side. No matter how healthy and free of dropped packets the network is, an application may not take advantage of the network’s capabilities, because it has its own throttling mechanisms limiting the amount of data that it sends. On the receiving side of the connection, an application that does not pull data out of the receive buffer in a timely manner can lead to a limited or zero window condition. In the case of poorly performing applications, consider researching the possibility that the application can be tuned for better performance.
We’ve discussed the primary causes of network performance problems, but one cause – lack of insight into
network communications behavior – cannot be overlooked. After 20 years of analyzing network traffic and
teaching traffic interpretation and problem resolution, it is clear that network analysis is a skill that every IT
professional should possess.
Wireshark offers an insight into networks in a similar way that X-rays and CAT scans offer an insight into the
human body for accurate and timely diagnoses. And, just like those indispensable technologies in the medical
field, Wireshark has become an essential tool to locate and diagnose the cause of network problems in the most
efficient and cost-effective method possible.
Note: This white paper was developed as a follow-up to the Global Knowledge webinar by the same name.
Visit our Knowledge Center at www.globalknowledge.com/knowledgecenter to view the related webinar.
Learn More
Learn more about how you can improve productivity, enhance efficiency, and sharpen your competitive edge.
Check out the following Global Knowledge courses:
Analyzing TCP/IP Networks with Wireshark
Troubleshooting and Securing TCP/IP Networks with Wireshark
TCP/IP Networking
For more information or to register, visit www.globalknowledge.com or call 1-800-COURSES to speak with a
sales representative.
Our courses and enhanced, hands-on labs offer practical skills and tips that you can immediately put to use. Our
expert instructors draw upon their experiences to help you understand key concepts and how to apply them to