68 posts categorized "Paul Offord"

Reordering Network Packets with Wireshark and Workbench (by Paul Offord)

Occasionally I need to analyse Wireshark traces where the packets are not ordered by timestamp. The following screenshot shows out-of-order packets found in a trace file generated by Wireshark's dumpcap capturing via two network interfaces, a typical configuration when using a network TAP.

[Screenshot: Neg_delta]

In the screenshot, notice how the timestamp of the fourth packet is earlier than that of the second packet, causing the negative delta value.

Clicking on the Time column label will certainly reorder the packets into time sequence but, unfortunately, the Delta value will still be incorrect, because it is calculated from the order in which packets were written to the file, and the issue can cause problems with tools such as Wireshark TRANSUM. Above all, it just adds to the complexity of the trace analysis, and so what we really need is a way to reorder the packets in the file itself.

Fortunately, there is a handy Wireshark tool called Reordercap that can re-sequence the packets in timestamp order.

In this short video ...



LMTV LIVE | Application-Centric Infrastructure Monitoring and Analytics (Uila, Inc.)

YouTube LIVE start time: 9:30 AM PST, Wednesday, August 30, 2017

Please join us this week with representatives from Uila, Inc., to learn about their Application-centric Infrastructure Monitoring and Analytics solution and how it can help IT teams:

• Make applications or business services & the Infrastructure underneath it, run well

• Solve their toughest problems, both known and unknown

• Focus on innovative IT initiatives vs just working to keep the lights on or fighting fires

• Strategize their support for the new business accelerations with the deep knowledge of the existing environment



Network Troubleshooting Tip - Using Markers to Cut Trace Analysis Time (by Paul Offord)

When we get to the point in an investigation where we are about to break out Wireshark, the complexity of the packet analysis can seem quite daunting. And yet, by covering a few key points, we can dramatically cut the time needed to analyze any diagnostic data.

In my previous post we looked at the importance of a basic understanding of the topology of the system under investigation. In this blog I'll cover the use of markers: a ridiculously simple, but amazingly powerful, concept. A marker places a distinctive packet in network packet trace data that we can easily find with Wireshark.

The RPR manual contains six pages of information on markers, covering suggested markers and what to use them for. If you haven't used markers before you are in for a real treat. Once you get the hang of them, you'll wonder how you ever did without them.

Let's imagine you've been investigating an intermittent slow response time problem for a bunch of users. Nobody is quite sure what's causing the problem, although the application and platform teams insist it's not them. You know the drill: if the cause isn't obvious it must be the network, right?

[Image: Billions_of_packets]

Luckily, a user experienced the problem this morning, and you had packet traces running.  The bad news is that you have 500 GB of trace data (about 5 billion packets) and the user is vague about the time of the problem.

The first strategy ...



LMTV LIVE | Performance Article and TribeLab - Tony Fortunato and Paul Offord

In this episode, Tony Fortunato and Paul Offord are hijacking LMTV.

Tony is covering Cisco router speed testing and the merits of performance testing. Tony will briefly cover why you need to pay attention to the protocol you use and why you should avoid the disk, at least initially.

Paul is previewing two new updates to TribeLab Workbench: the first allows you to explore more data types with tools like Excel and Wireshark, and the second extends the range of tools in the toolbox.

Paul will demonstrate how Excel can open not just a Wireshark trace file, but also an ETL file captured using netsh trace. We'll also see how we can add TraceWrangler to the toolbox to give us drag-and-drop anonymization of trace files.


Network Troubleshooting Tip - Understand the System (by Paul Offord)

When we get to the point in an investigation where we are about to break out Wireshark, the complexity of the packet analysis can seem quite daunting. And yet, by covering a few key points, we can dramatically cut the time needed to analyze any diagnostic data.

In my previous post I covered the selection of a single symptom for investigation. In this blog we'll discover the need to understand more than just the network connectivity.

I remember visiting a third party data center and chatting to a network engineer who had been leading the investigation into a Citrix performance problem. He had spent months looking at this issue and I was shocked to discover how little he understood about the system he was analyzing. I asked him to draw a rough diagram showing the main components of the system and how they talked to each other. He couldn't and didn't see the need. As far as he was concerned, packets went into one switch port and they came out of another. "I don't need to know what connected to those ports", he informed me.

This may be an extreme example, but I have attended many meetings with teams that have been investigating a performance problem and nobody is able to draw the system on a whiteboard.

[Diagram: Ipt_diag]

Modern systems are very complex, and so we need to sketch out the system with enough detail to give everyone an understanding of how it works, but not so much that it's overwhelming. Advance7 has found ...



Network Troubleshooting Tip - Focus on a Single Symptom (by Paul Offord)

When we get to the point in an investigation where we are about to break out Wireshark, the complexity of the packet analysis can seem quite daunting. And yet, by covering a few key points, we can dramatically cut the time needed to analyze any diagnostic data.

In my previous post I covered the need to thoroughly understand a symptom. In this blog we'll look at the dangers of looking for a common cause for multiple symptoms.

Imagine you are faced with a situation where users are complaining about three issues:

• Word documents should open in less than 5 seconds, but intermittently take more than 30 seconds.
• Excel workbooks should save in less than 15 seconds, but intermittently take more than 60 seconds.
• Opening an Outlook Inbox should take less than 20 seconds, but sometimes takes more than 3 minutes.

All problems are reported as having started at the same time, and there’s a widespread belief that they are being caused by a network issue. This is the point where alarm bells should start to ring.

[Image: Symptoms1]

Maybe some of the symptoms are down to the same root cause, but maybe they are not, and starting by assuming they are is likely to lead to a very frustrating time. The choice of a single symptom and ...
