When we get to the point in an investigation where we are about to break out Wireshark, the complexity of the packet analysis can seem quite daunting. And yet, by covering a few key points, we can dramatically cut the time needed to analyze any diagnostic data.
In my previous post we looked at the importance of a basic understanding of the topology of the system under investigation. In this blog I'll cover the use of markers: a ridiculously simple, but amazingly powerful, concept. A marker is a distinctive packet that we deliberately place in the network packet trace data so that we can easily find it again with Wireshark.
The RPR manual contains six pages of information on markers, covering suggested markers and what to use them for. If you haven't used markers before you are in for a real treat. Once you get the hang of them, you'll wonder how you ever did without them.
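As an added example (not from the post or the RPR manual), the following Python builds a marker payload with an assumed `RPR-MARKER` token and label, derives the Wireshark display filter that isolates it, and, going one step beyond the text, shows how a "start" and "end" marker pair brackets the packets of interest in a constructed trace. The UDP port, token format and sample packets are assumptions made for the example.

```python
import socket
import time

MARKER_PREFIX = b"RPR-MARKER"   # assumed token; choose something no real traffic contains
MARKER_PORT = 5999              # assumed unused UDP port on the capture segment


def build_marker(label, when=None):
    """Marker payload: token, a human label, and a Unix timestamp."""
    ts = int(time.time() if when is None else when)
    return b"%s|%s|%d" % (MARKER_PREFIX, label.encode("ascii"), ts)


def display_filter(label):
    """Wireshark display filter that jumps straight to this marker in a huge trace."""
    return 'udp.port == %d && frame contains "%s|%s"' % (
        MARKER_PORT, MARKER_PREFIX.decode("ascii"), label)


def send_marker(label, dest=("127.0.0.1", MARKER_PORT)):
    """Emit the marker as a UDP datagram so it lands in the running capture."""
    payload = build_marker(label)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(payload, dest)
    return payload


def is_marker(payload):
    return payload.startswith(MARKER_PREFIX + b"|")


def marker_label(payload):
    """Return the label field of a marker payload, or None for ordinary traffic."""
    return payload.split(b"|")[1].decode("ascii") if is_marker(payload) else None


def packets_between(payloads, start_label, end_label):
    """Slice a captured payload list to the window bracketed by two markers."""
    labels = [marker_label(p) for p in payloads]
    start = labels.index(start_label)
    end = labels.index(end_label, start + 1)
    return payloads[start + 1:end]


# Constructed sample trace: noise, a start marker, the reproduced problem, an end marker.
SAMPLE_TRACE = [
    b"GET /login HTTP/1.1",
    build_marker("start", 1700000000),
    b"SELECT * FROM orders",
    b"HTTP/1.1 504 Gateway Timeout",
    build_marker("end", 1700000040),
    b"GET /logout HTTP/1.1",
]

if __name__ == "__main__":
    print(display_filter("start"))
    print(packets_between(SAMPLE_TRACE, "start", "end"))
```

Sending the marker from the affected user's workstation at the moment the slow response is seen means the 5-billion-packet haystack collapses to the few seconds between the two markers.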
Let's imagine you've been investigating an intermittent slow response time problem for a bunch of users. Nobody is quite sure what's causing the problem, although the application and platform teams insist it's not them. You know the drill; if the cause isn't obvious it must be the network, right?
Luckily, a user experienced the problem this morning, and you had packet traces running. The bad news is that you have 500 GB of trace data (about 5 billion packets) and the user is vague about the time of the problem.
The first strategy ...