
Author Profile - Chris Greer is a Network Analyst for Packet Pioneer. Chris has many years of experience in analyzing and troubleshooting networks. He regularly assists companies in tracking down the source of network and application performance problems using a variety of protocol analysis and monitoring tools including Wireshark. When he isn’t hunting down problems at the packet level, he can be found teaching various analysis workshops at Interop and other industry trade shows. Chris also delivers training and develops technical content for several analysis vendors. He can be contacted at chris (at) packetpioneer (dot) com.
Why comb through hundreds of thousands of packets looking for a problem when Wireshark can point out issues for you? The analyzer has a feature called Expert Info, available under the Analyze menu, which displays problems in a trace file and can help you zero in quickly on the root cause of network issues. The Expert does not point out every possible problem that can exist in a capture, but it does list some common problems affecting network and application performance.
The Expert has four levels of severity in its alerts – Errors, Warnings, Notes, and Chats.
- Errors: These are serious problems such as malformed packets and checksum errors
- Warnings: Out-of-Order Packets and application error codes
- Notes: TCP Retransmissions, Resets, Keep-Alives, Duplicate ACKs, SNMP problems
- Chats: HTTP Gets, Application calls, TCP SYNs, FINs, basic workflow information
Using Expert Info Composite, the four types of alerts can be sorted by severity. This can make the information more readable when troubleshooting. Often, the Chat alerts can get “chatty”, clouding the more pertinent alerts such as retransmissions and TCP Resets.
Personally, I find the Notes most useful, and regularly use this feature to look for TCP Retransmissions and Out of Order packets in a trace. If these are present, this typically indicates packet loss somewhere on the network, which can really impact application performance. Another good one to watch for is unexpected TCP resets. These could be the cause of application disconnects.
The great thing about these alerts is that they clearly point out where events take place in a trace, and save time over combing through it packet by packet. Not every performance problem will have an associated event in the Expert Info, but those that do will be easier to track down with this feature.
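The same triage can be scripted once expert entries are available as text. The following is an added example, not code from the original article or from Wireshark: it assumes the entries have been exported as tab-separated rows of frame number, severity and message (that column layout, the sample rows and the message wording are constructed for illustration, with severities assigned as in the list above). It hides the Chat entries, orders the rest by severity, and reports where each kind of event first appears.

```python
from collections import defaultdict

# Severity order from the article, most serious first.
SEVERITY_ORDER = ["Error", "Warning", "Note", "Chat"]
# Events the article singles out as worth checking (matched case-insensitively).
WATCH = ("retransmission", "out-of-order", "reset")

# Constructed sample rows: frame number <TAB> severity <TAB> message.
SAMPLE = """\
3\tChat\tConnection establish request (SYN)
4\tChat\tGET /index.html HTTP/1.1
17\tNote\tThis frame is a (suspected) retransmission
18\tNote\tDuplicate ACK (#1)
21\tWarning\tThis frame is a (suspected) out-of-order segment
22\tNote\tThis frame is a (suspected) retransmission
40\tNote\tConnection reset (RST)
41\tError\tMalformed Packet (Exception occurred)
not a valid row
"""

def summarize(text, hide_chat=True):
    """Return [(severity, message, count, first_frame)], most serious first."""
    stats = defaultdict(lambda: [0, None])  # (severity, message) -> [count, first frame]
    for line in text.splitlines():
        parts = line.split("\t", 2)
        if len(parts) != 3 or not parts[0].isdigit() or parts[1] not in SEVERITY_ORDER:
            continue  # skip blank or malformed rows rather than guessing
        frame, severity, message = int(parts[0]), parts[1], parts[2].strip()
        if hide_chat and severity == "Chat":
            continue  # Chat entries describe normal workflow and drown out the rest
        entry = stats[(severity, message)]
        entry[0] += 1
        entry[1] = frame if entry[1] is None else min(entry[1], frame)
    rows = [(sev, msg, c, f) for (sev, msg), (c, f) in stats.items()]
    # Sort by severity, then most frequent first, then earliest frame.
    rows.sort(key=lambda r: (SEVERITY_ORDER.index(r[0]), -r[2], r[3]))
    return rows

def watch_hits(rows):
    """Rows whose message mentions an event on the WATCH list."""
    return [r for r in rows if any(w in r[1].lower() for w in WATCH)]

if __name__ == "__main__":
    for sev, msg, count, first in summarize(SAMPLE):
        print(f"{sev:8} x{count:<3} first frame {first:<5} {msg}")
```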







