65 posts categorized "Paul Offord" Feed

Palo Alto Packet Latency Case Study Using Workbench and Wireshark (by Paul Offord)

Analyzing packets at two points provides an accurate way to determine the delays across a network.  The team at Advance7 used this technique to find the cause of performance and stability problems with a web application.  The system topology was complex, but very common in today's enterprise environments; users accessing systems using a Windows terminal and ESX VDI-delivered desktops.


Users reported slow response times and intermittent disconnects.  The path through the network from VDI host to application server was 10 GbE all the way, and so link overload was unlikely.  There were various theories about the cause of the problem but solid evidence was needed.

In this video ...

Continue reading "Palo Alto Packet Latency Case Study Using Workbench and Wireshark (by Paul Offord)" »

TCP Checksum Error Case Study (by Paul Offord)

When I see TCP Retransmissions and Dup ACKs in a trace I naturally think about packet loss, but that's not the only cause.  The TCP Checksum mechanism is used to check the integrity of the TCP payload (or segment) and, although it's rare to see genuine checksum errors in a trace, it's another cause of retransmissions.

  Network topology

For Wireshark users there's good and bad news.  The good news is that Wireshark can check each packet for TCP Checksum errors.  The bad news is that they are not always genuine errors.  So how can we tell the difference?

In this video ...

Continue reading "TCP Checksum Error Case Study (by Paul Offord)" »

Using NetworkMiner with a Windows netsh trace File (by Paul Offord)

Before analyzing a network packet trace file, I try to make sure that I've collected information about IP addresses and TCP/UDP port numbers.  Even so, I still find that I don't have all the information I need.  There are techniques you can use to get the missing information - check NBNS host announcements, explore the names resolved by DNS - but it's all just more hassle.


Recently I noticed a bit of a buzz around NetworkMiner, so I thought I'd check it out.  What I found was a simple tool that does just what I need; extract useful host and service information from Wireshark traces.  We now analyze a fair number of traces captured with Windows netsh trace, so I thought I'd look at how we can use NetworkMiner with these Windows-native trace files.

In this video ...

Continue reading "Using NetworkMiner with a Windows netsh trace File (by Paul Offord)" »

Reordering Network Packets with Wireshark and Workbench (by Paul Offord)

Occasionally I need to analyse Wireshark traces where the packets are not ordered by timestamp.  The following screenshot shows out of order packets that were found in a trace file that was generated by Wireshark dumpcap capturing via two network interfaces; a typical configuration when using a network TAP.


In the screenshot, notice how the timestamp of the fourth packet is earlier than that of the second packet, causing the negative delta value.

Clicking on the Time column label will certainly reorder the packets into time sequence but, unfortunately, the Delta value will still be incorrect and  the issue can cause problems with tools such as Wireshark TRANSUM.  Above all, it just adds to the complexity of the trace analysis and so what we really need is a way to reorder the packets.

Fortunately, there is a handy Wireshark tool called Reordercap that can re-sequence the packets in timestamp order.

In this short video ...

Continue reading "Reordering Network Packets with Wireshark and Workbench (by Paul Offord)" »

LMTV LIVE | Application-Centric Infrastructure Monitoring and Analytics (Uila, Inc.)

YouTube LIVE start time: 9:30 AM PST, Wednesday, August 30, 2017

LogoPlease join us this week with representatives from Uila, Inc., to learn about their Application-centric Infrastructure Monitoring and Analytics solution and how it can help IT teams:

• Make applications or business services & the Infrastructure underneath it, run well

• Solve their toughest problems, both known and unknown

• Focus on innovative IT initiatives vs just working to keep the lights on or fighting fires

• Strategize their support for the new business accelerations with the deep knowledge of the existing environment

Click to read other LMTV posts by contributors of LoveMyTool »

Network Troubleshooting Tip - Using Markers to Cut Trace Analysis Time (by Paul Offord)

When we get to the point in an investigation where we are about to break out Wireshark, the complexity of the packet analysis can seem quite daunting. And yet, by covering a few key points, we can dramatically cut the time needed to analyze any diagnostic data.

In my previous post we looked at the importance of a basic understanding of the topology of the system under investigation. In this blog I'll cover the use of markers; a ridiculously simple, but amazingly powerful, concept.  A marker places a distinctive packet in network packet trace data that we can easily find with Wireshark.

The RPR manual contains six pages of information on markers, covering suggested markers and what to use them for.  If you haven't used markers before you are in for a real treat.  Once you get the hang of them, you'll wonder how you ever did without them.

Let's imagine you've been investigating an intermittent slow response time problem for a bunch of users.  Nobody is quite sure what's causing the problem, although the application and platform teams insist it's not them.  You know the drill; if the cause isn't obvious it must be the network, right?


Luckily, a user experienced the problem this morning, and you had packet traces running.  The bad news is that you have 500 GB of trace data (about 5 billion packets) and the user is vague about the time of the problem.

The first strategy ...

Continue reading "Network Troubleshooting Tip - Using Markers to Cut Trace Analysis Time (by Paul Offord)" »