90 posts categorized "Chris Greer"

Are My Packets Lying? – Four Things To Look For In Packet Traces (by Chris Greer)


Packets don’t lie – well, most of the time.

Packets will tell you the truth unless they have been captured incorrectly. In those cases, packets can tell bald-faced lies.

When digging through trace files, we can come upon symptoms in the packets that may raise an eyebrow. These are events that look strange on the surface and may even divert our troubleshooting focus for a time. In fact, some of these issues have misdirected engineers for hours, if not days, causing them to chase down issues and events that simply did not exist on the wire.

Most of these examples can be avoided simply by capturing the packets from a tap rather than on the machine generating the traffic. Come on, you know you have needed a tap for a while! Just spring for one and capture correctly next time. By the way, when you do make that decision, check out our buddies at Garland Technology. They make great stuff and they are nice people too!

  1. Very large packets


Troubleshooting with Wireshark - Remove Unrelated Protocols (by Chris Greer)

Sometimes packet digging can get tedious. We've all been there.

It can be hard to set the right filter that lets us hone in on the root cause. In many cases, it is just as helpful to remove from view the protocols that are probably not related to the problem. At least that will give us less to dig through. I call that removing "packet static".

In this video, we will look at how to create a button in Wireshark that removes common protocols or conversations, simplifying the trace.


Hope this helps when packet digging! 


Got NetFlow and Metadata – Why do I need packets? (by Chris Greer)

It’s all about time.


When it comes to network monitoring, NetFlow and Metadata-based tools allow engineers to get a handle on traffic usage, statistics, capacity, and even security attacks. They quickly help us visualize the conversations and applications involved in congestion, as well as hone in on strange traffic behavior. It would be difficult (and overkill at times) to use packet data to show the same traffic statistics.

So then, why are packets necessary for analysis and monitoring?

In most cases, NetFlow and Metadata do not show us packet timing, which is critical when isolating the root cause of performance issues, and some security issues. To better understand why, let’s look at how NetFlow works.

NetFlow 101


Troubleshooting with Wireshark - Find Delays in TCP Conversations (by Chris Greer)

The delta time column has always been one of the first things to add when configuring Wireshark. It shows the time between displayed packets, or between captured packets, depending on how you set it up. It makes finding delays in conversations much easier to do - that is, unless you are dealing with a trace file that has several TCP conversations running in tandem. It may be that the time between packets looks good, but only because the previous packet belongs to a different conversation from the one you are analyzing.

In this video we will look at how to use the per-conversation timestamp information that Wireshark computes and displays under the TCP header (the "Time since previous frame in this TCP stream" value) to find delays in conversations, even when multiple connections overlap each other.

This can help us to quickly identify where the hold-ups are in conversations, getting to root cause faster. 

Hope this helps when troubleshooting!



Troubleshooting with Wireshark - Configuring Long-Term Captures (by Chris Greer)

Got a pesky network problem that always seems to fix itself as soon as you start capturing? 

Intermittent network and application problems are more prevalent nowadays than ever. They appear, and as soon as we are in the right location with the right tools, they disappear! 

These types of problems are a pain to capture with Wireshark. In this video, we will look at how to use the GUI-driven ring-buffer configuration to set up a long-term capture. This can especially help to catch an intermittent problem in the act, leaving a digestible-sized trace file to dig through, rather than sifting through Gigs upon Gigs of traffic.


Thanks for watching!



Troubleshooting with Wireshark - Spurious Retransmissions Explained (by Chris Greer)

What is the difference between a regular retransmission and a spurious one? What can I do about them if I find them in a trace file? 

Spurious retransmissions are not uncommon. They find their way into our trace files somewhat often. In this video, we explain the differences in retransmission flavors, as well as examine why they occur and what we can do about them. 


Hope this helps when troubleshooting!

