19 posts categorized "TribeLab.TV"

Analyzing Microsoft IIS Web Logs - Part 2 (by Paul Offord)

Now that almost all the streams we analyze are encrypted, how can we see what's inside those pesky SSL/TLS packets? Here's one way.


In the previous video in this series we saw how web logs provide an abundance of information; just the sort of stuff we need to take a performance problem to a developer.  And now we can analyze web logs with Wireshark.

In this video ...


Palo Alto Packet Latency Case Study Using Workbench and Wireshark (by Paul Offord)

Analyzing packets at two points provides an accurate way to determine the delays across a network.  The team at Advance7 used this technique to find the cause of performance and stability problems with a web application.  The system topology was complex, but very common in today's enterprise environments; users accessing systems using a Windows terminal and ESX VDI-delivered desktops.


Users reported slow response times and intermittent disconnects.  The path through the network from VDI host to application server was 10 GbE all the way, and so link overload was unlikely.  There were various theories about the cause of the problem but solid evidence was needed.

In this video ...


TCP Checksum Error Case Study (by Paul Offord)

When I see TCP Retransmissions and Dup ACKs in a trace I naturally think about packet loss, but that's not the only cause.  The TCP Checksum mechanism is used to check the integrity of the TCP payload (or segment) and, although it's rare to see genuine checksum errors in a trace, it's another cause of retransmissions.

[Figure: Network topology]

For Wireshark users there's good and bad news.  The good news is that Wireshark can check each packet for TCP Checksum errors.  The bad news is that they are not always genuine errors.  So how can we tell the difference?

In this video ...


LMTV TribeLab | TRANSUM Revisited (by Paul Offord)

YouTube Live Stream: Wednesday, August 24, 2016 - 9:30 AM PST

TRANSUM is a Wireshark plugin that generates detailed response time information to allow network engineers to troubleshoot performance problems with their favorite packet analyzer. TRANSUM is being developed as part of Advance7’s TribeLab project and is its most popular download.

In this week’s show, Advance7’s Paul Offord brings us up to date with the capabilities of TRANSUM and gives us a glimpse of things to come.


Analyzing TCP Segmentation Offload (TSO) with Wireshark (by Paul Offord)

Most modern PCs and servers have powerful network interface chip sets that can provide TCP/IP functionality that cuts the load on the host machine.  The most common of these functions is TCP Segmentation Offload (TSO).  In this short article we use Wireshark to discover how TSO affects our interpretation of network traces.




A program running in a PC or server may make a single call to the TCP/IP stack to send, say, 5 KB of data.  The TCP/IP stack, which is a software driver within the operating system, must repackage the 5 KB so that it can be sent in multiple packets.  This operation is called segmentation and it consumes CPU cycles.  Additionally, the TCP/IP stack must handle issues such as retransmissions.

A network interface chip set that provides TSO allows the host TCP/IP stack to send a single 5 KB segment.  The network interface chip set then re-segments the data into, say, three packets with a TCP Length of 1,460 bytes and one of 798 bytes, making 5 KB in total.  This can all appear to be very confusing in a network trace, especially as the packets received may not be aggregated in a similar manner.

In the following short video ...
