
Troubleshooting Slow Networks with Wireshark

White Paper Published By: Global Knowledge

This white paper examines how to use Wireshark, the world's most popular open-source network analyzer, to troubleshoot some of the top causes of poor network performance.



Tags : 
troubleshooting, troubleshoot, slow, network, wireshark, certification program, tcp/ip, network analyzer

Global Knowledge
Published:  Jun 16, 2009
Type:  White Paper
Length:  11 pages

Expert Reference Series of White Papers
Troubleshooting Slow Networks with Wireshark
1-800-COURSES www.globalknowledge.com
Laura Chappell, Founder, Wireshark University and Chappell University

Introduction

Your phone begins ringing before you find a suitable spot to put down your first comforting cup of coffee in the morning. Users are complaining that the network is slow - web browsing sessions are painfully sluggish and email takes forever to download. They state that they simply can't work this way.

The problem appears to be widespread as your coffee cools faster than the users' tempers. A lack of error messages or network alarms makes the problem more elusive and guarantees you'll be hunting down the problem well through lunchtime - at least.

Could the problem be related to the infrastructure devices? Is a rogue switch dropping packets periodically? What about the servers? Could the email server finally be giving in to the pressure of handling all those email chain letters the users pass amongst themselves? What is the chance that the users' systems have been compromised with a virus or bot that is spreading stealthily through the shadows of the network like the plague?

In this white paper, we examine how to use Wireshark, the world's most popular open-source network analyzer, to troubleshoot some of the top causes of poor network performance, including:

- High latency
- Packet loss
- Inefficient window sizes
- Intercepting devices
- Application dependencies

First, we'll look at Wireshark and examine methods used to "see" network communications.

Wireshark: The Open-Source Network Savior

Wireshark, formerly Ethereal, is the world's most popular open-source network analyzer and the ideal first-responder tool on a troubled network. Wireshark enables you to "see" the network communications and definitively point to where the problem lies. Although it cannot tell you why the problem exists, Wireshark reduces the troubleshooting time and effort drastically by providing a definitive answer to the location of the problem - removing the guesswork that typically consumes the IT professional's time while users impatiently wait for their network services to be restored.

Copyright ©2009 Global Knowledge Training LLC. All rights reserved.

A system loaded with Wireshark is connected to the network using one of the methods defined below. Network traffic is captured and decoded by Wireshark's dissectors, predefined code that breaks apart the packets into their fields and field contents. Wireshark also contains an Expert system that identifies possible problems in network communications, thereby shortening the problem isolation process further. For more information on Wireshark, visit www.wireshark.org.
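
To make the dissector and Expert ideas concrete, here is an added example that is not part of the white paper and is not Wireshark's own code: a minimal Python dissector for Ethernet II / IPv4 / TCP frames, plus two toy checks that flag a repeated sequence number (possible packet loss) and a zero receive window. The function names, addresses and sample frames are constructed for illustration.

```python
import struct

def dissect(frame: bytes) -> dict:
    """Break an Ethernet II / IPv4 / TCP frame into named fields."""
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not IPv4")
    ihl = (frame[14] & 0x0F) * 4                  # IPv4 header length in bytes
    total_len, = struct.unpack("!H", frame[16:18])
    if frame[23] != 6:                            # IPv4 protocol field
        raise ValueError("not TCP")
    t = 14 + ihl                                  # offset of the TCP header
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", frame[t:t + 16])
    data_off = (off_flags >> 12) * 4              # TCP header length in bytes
    return {
        "src": ".".join(map(str, frame[26:30])), "dst": ".".join(map(str, frame[30:34])),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": off_flags & 0x1FF, "window": window,
        "payload_len": total_len - ihl - data_off,
    }

def expert(frames):
    """Toy checks in the spirit of an expert system (a simplification)."""
    seen, notes = set(), []
    for n, frame in enumerate(frames, 1):
        f = dissect(frame)
        key = (f["src"], f["sport"], f["dst"], f["dport"], f["seq"])
        if f["payload_len"] > 0:
            if key in seen:                       # same data segment sent again
                notes.append((n, "possible retransmission"))
            seen.add(key)
        if f["window"] == 0 and not f["flags"] & 0x04:   # ignore RST segments
            notes.append((n, "zero window"))
    return notes

def build(src, dst, sport, dport, seq, ack, flags, window, payload=b""):
    """Construct a sample frame (checksums left at zero; sample data only)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, window, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, bytes(src), bytes(dst))
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + tcp

CLIENT, SERVER = (10, 0, 0, 5), (10, 0, 0, 9)     # constructed addresses
SAMPLE = [
    build(SERVER, CLIENT, 80, 50000, 1000, 1, 0x18, 65535, b"A" * 100),
    build(SERVER, CLIENT, 80, 50000, 1000, 1, 0x18, 65535, b"A" * 100),  # same seq again
    build(CLIENT, SERVER, 50000, 80, 1, 1100, 0x10, 0),                  # receiver buffer full
]

if __name__ == "__main__":
    print(expert(SAMPLE))
```
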

The Naked Network

The first step in analyzing network performance is to capture the network traffic. Ideally, you'll capture the traffic to and from a complaining host system from a location as close to that user as possible. You want to experience the slow performance from their perspective and their location on the network.

There are four basic options available to capture network traffic:

- Load Wireshark directly on one of the host systems.
- Insert a network hub between a host and a switch (half-duplex).
- Insert a network tap between a host and a switch (full-duplex).
- Span the switch port of a user to an analyzer port.

Loading Wireshark on the User's System

This option makes my skin crawl a bit. I detest the idea of being so invasive and have nightmares imagining the users running Wireshark on their systems with little or no knowledge of network communications. This would be my least-favorite recommendation.

Hubbing Out

This is a great option for half-duplex networks. Simply remove the cable from the user's system and connect it to a hub. With another cable, connect the user's system and your analyzer to the hub as shown in the diagram below. Hubs are stupid - they only know 1s and 0s, and forward all bits down all active ports. All traffic to or from your user's system will be copied to your analyzer as well.

Tapping Out

Hubs work great on half-duplex networks, but most of us have migrated to full-duplex networks. Hubs can't handle these full-duplex communications; this is the job for a full-duplex tap. The connection process would be the same as shown...
