64 posts categorized "Wireshark"

Palo Alto Packet Latency Case Study Using Workbench and Wireshark (by Paul Offord)

Analyzing packets captured at two points provides an accurate way to determine the delays across a network. The team at Advance7 used this technique to find the cause of performance and stability problems with a web application. The system topology was complex but very common in today's enterprise environments: users accessing systems via a Windows terminal and ESX VDI-delivered desktops.

[Screenshot: Rtt_to_ack]

Users reported slow response times and intermittent disconnects. The path through the network from VDI host to application server was 10 GbE all the way, and so link overload was unlikely. There were various theories about the cause of the problem, but solid evidence was needed.

In this video ...

Continue reading "Palo Alto Packet Latency Case Study Using Workbench and Wireshark (by Paul Offord)" »


TCP Checksum Error Case Study (by Paul Offord)

When I see TCP Retransmissions and Dup ACKs in a trace I naturally think about packet loss, but that's not the only cause. The TCP Checksum mechanism is used to check the integrity of the TCP payload (or segment) and, although it's rare to see genuine checksum errors in a trace, it's another cause of retransmissions.

[Diagram: Network topology]

For Wireshark users there's good and bad news. The good news is that Wireshark can check each packet for TCP Checksum errors. The bad news is that they are not always genuine errors. So how can we tell the difference?

In this video ...

Continue reading "TCP Checksum Error Case Study (by Paul Offord)" »


Troubleshooting SMB Connection Issue Using Wireshark (by Tony Fortunato)

In this video I walk you through how I worked my way through a Microsoft connectivity problem using Wireshark.

The main point of the video is to pay attention to the methodology, where I document the issue, apply a change and re-measure.

Just some text from the slides:

"The problem is with a device running Windows 7 that is configured with some shares to its local drives, like a storage server. Every so often no one can connect to the shares; Android users just see a spinning/processing icon and Windows users get a variety of connection error messages. The end result is always the same: no connection.

The only solution is to reboot the Windows 7 device, and things have gotten so bad that now they have a scheduled script that reboots the computer daily. I asked them to capture some packets from their computer when it happens again.

By noon I had a capture."

Continue reading other LoveMyTool posts by Tony Fortunato »


Reordering Network Packets with Wireshark and Workbench (by Paul Offord)

Occasionally I need to analyse Wireshark traces where the packets are not ordered by timestamp. The following screenshot shows out-of-order packets that were found in a trace file generated by Wireshark dumpcap capturing via two network interfaces, a typical configuration when using a network TAP.

[Screenshot: Neg_delta]

In the screenshot, notice how the timestamp of the fourth packet is earlier than that of the second packet, causing the negative delta value.

Clicking on the Time column label will certainly reorder the packets into time sequence but, unfortunately, the Delta value will still be incorrect, and the issue can cause problems with tools such as Wireshark TRANSUM. Above all, it just adds to the complexity of the trace analysis, and so what we really need is a way to reorder the packets in the file itself.

Fortunately, there is a handy Wireshark tool called Reordercap that can re-sequence the packets in timestamp order.

In this short video ...

Continue reading "Reordering Network Packets with Wireshark and Workbench (by Paul Offord)" »


The Dark Side of Packet Slicing (by Mike Canney)

Packet or frame slicing our captures can be a great way to hide information in trace files if done correctly. However, you have to really understand the reason for the captures in the first place. For example, oftentimes application performance issues leave many clues at layer 4 (specifically TCP). What happens when you "hard" slice a trace file and now cannot follow the TCP sequence numbers because the incorrect frame size value is written in the pcap file?

Other times you may need to see the specific application call (SQL/Oracle) to actually fix the problem, but you no longer have that data because you've sliced it away.

Continue reading "The Dark Side of Packet Slicing (by Mike Canney)" »


Wireshark’s new tool – Transum (by Tony Fortunato)

I’ve been playing around with TRANSUM for a year or so and got excited when it was announced that it is now included with the current Wireshark build. No more downloading, putting the files in the correct folder, etc.

Transum is a pretty helpful add-on since it provides various protocol statistics for your trace file.

In the video below I provide a quick rundown of how to enable it, configure it and use it. Once you get playing with it, you will see its immediate benefit.

Here are the two links I reference in the video to make life a bit easier for you.

Transum Tribelab link:

https://community.tribelab.com/course/view.php?id=9

Sharkfest presentation:

https://sharkfest.wireshark.org/assets/presentations15/33.pdf

Continue reading other LoveMyTool posts by Tony Fortunato »