Troubleshooting slow network applications with Wireshark

I’ve had some fun today troubleshooting the intermittent network slowdown we get at work. Through absorbing several articles, videos, and forum posts, I think I have found a better way of troubleshooting slow network applications.

Installing Wireshark

  1. Download Wireshark.
  2. Open the downloaded file and click Next:
  3. Read and accept every single word of the License Agreement – like you always do 😛 – then click I Agree:
  4. Select the components you want to use, then click Next. I just leave them all ticked:
  5. Select how many shortcuts you would like cluttering up your Start Menu and Desktop, then click Next:
  6. Choose where to install the application files, then click Next:
  7. Install WinPcap – if you don’t have it installed already – then click Next:
  8. Wireshark will start to install, but it will also install WinPcap. Click Next to continue:
  9. Click Next again, because one welcome screen just isn’t enough!
  10. Of course you agree:
  11. Does your PC boot up too quickly? If so, allow one more program to start at boot time:
  12. Click Finish once the WinPcap installation is complete:
  13. The Wireshark installer will then jump back into action. Click Next:
  14. Finally click Finish and run your shiny new Wireshark program:
  15. You may choose to ignore the “Show News” tickbox too, but if you do, your personal email address and phone number will be harvested from your PC and subscribed to a plethora of marketing sites. Disclaimer: this may be a lie.

Using Wireshark

On opening Wireshark for the first time, the following window is shown:

All you need to do to start capturing packets is click a network interface:

The captured packets are displayed in 3 sections of the window:

  • Section 1 is the Packet List and shows a summary of individual packet information.
  • Section 2 shows the Packet Details. Select a packet from the Packet List, and you can explore every element of the packet here.
  • Section 3 shows the raw packet bytes. If you can read this, you are Neo from the Matrix, and you can also speak fluent Fax!

I turn off Packet Bytes as I am not Neo:

I also prefer formatting the Time column to show the precision of Milliseconds:

Although it’s useful to have the Time column showing the seconds since the beginning of capture, wouldn’t it be useful to see the seconds since the previous packet too? Yes, it would. Here’s how:

  1. Right-click any column header and select Column Preferences:
  2. Click Add:
  3. A new field will now appear:
  4. Rename the new field, change the Field Type to “Delta time displayed”, then click OK:
  5. The new field/column will now appear at the end of the others, so drag’n’drop next to the original Time column:
  6. The new column will display the time elapsed since the previously displayed packet. “Displayed” is the important distinction: the normal delta time is measured against the previous captured packet, so it can be misleading once a display filter hides packets in between.

Now you’re all set up, you can capture packets whilst running your slow web application and compare the connection setup time (SYN to SYN-ACK) with the time taken for a data request (HTTP GET to payload response). The SYN-ACK is sent by the server’s TCP stack before the application is involved, so if that gap is short but the GET-to-response gap is long, the delay is in the server or application rather than the network path.
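As an added illustration (this is not code from the original post), here is a small Python model of the two ideas above: how “Delta time displayed” differs from the plain delta once a display filter hides packets, and how comparing the SYN-to-SYN/ACK gap with the GET-to-response gap tells you where the time is going. The packet list is constructed, using RFC 5737 documentation addresses and a made-up host name; the Wireshark field names in the comments (frame.time_delta, frame.time_delta_displayed, http.time) are real, but the functions and the 100 ms threshold are this example’s own.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample (not a real capture): nine packets as they would appear in
# the Packet List. 'time' is the Wireshark Time column, seconds since capture start.
# Addresses are RFC 5737 documentation addresses; the host name is hypothetical.
@dataclass(frozen=True)
class Packet:
    no: int
    time: float
    src: str
    dst: str
    proto: str   # value of the Protocol column
    info: str    # text of the Info column

CLIENT, SERVER, RESOLVER = "192.0.2.10", "192.0.2.80", "192.0.2.53"

PACKETS: List[Packet] = [
    Packet(1, 0.000000, CLIENT, RESOLVER, "DNS", "Standard query A app.example"),
    Packet(2, 0.001950, RESOLVER, CLIENT, "DNS", "Standard query response A 192.0.2.80"),
    Packet(3, 0.002100, CLIENT, SERVER, "TCP", "[SYN] Seq=0"),
    Packet(4, 0.003400, SERVER, CLIENT, "TCP", "[SYN, ACK] Seq=0 Ack=1"),
    Packet(5, 0.003500, CLIENT, SERVER, "TCP", "[ACK] Seq=1 Ack=1"),
    Packet(6, 0.004000, CLIENT, SERVER, "HTTP", "GET /report HTTP/1.1"),
    Packet(7, 0.004800, SERVER, CLIENT, "TCP", "[ACK] Seq=1 Ack=120"),
    Packet(8, 2.814000, SERVER, CLIENT, "HTTP", "HTTP/1.1 200 OK  (text/html)"),
    Packet(9, 2.814100, CLIENT, SERVER, "TCP", "[ACK] Seq=120 Ack=900"),
]

Filter = Callable[[Packet], bool]


def delta_time(packets: List[Packet]) -> Dict[int, float]:
    """Plain delta (Wireshark field frame.time_delta): gap to the previous
    *captured* packet, whatever display filter is in use."""
    out: Dict[int, float] = {}
    prev = None
    for p in packets:
        out[p.no] = 0.0 if prev is None else round(p.time - prev.time, 6)
        prev = p
    return out


def delta_time_displayed(packets: List[Packet], shown: Filter) -> Dict[int, float]:
    """'Delta time displayed' (frame.time_delta_displayed): gap to the previous
    packet that passes the display filter, so hidden packets do not split the gap."""
    out: Dict[int, float] = {}
    prev = None
    for p in packets:
        if not shown(p):
            continue
        out[p.no] = 0.0 if prev is None else round(p.time - prev.time, 6)
        prev = p
    return out


def _first(packets: List[Packet], pred: Filter, after: float = -1.0) -> Packet:
    return next(p for p in packets if p.time > after and pred(p))


def handshake_rtt(packets: List[Packet]) -> float:
    """SYN -> SYN/ACK. The SYN/ACK comes from the server's TCP stack before any
    application code runs, so this measures network path plus kernel only."""
    syn = _first(packets, lambda p: p.proto == "TCP" and p.info.startswith("[SYN]"))
    synack = _first(packets, lambda p: p.proto == "TCP" and p.info.startswith("[SYN, ACK]"), syn.time)
    return round(synack.time - syn.time, 6)


def request_response_time(packets: List[Packet]) -> float:
    """HTTP GET -> response (what Wireshark's http.time reports): network path
    plus whatever the application does to build the answer."""
    get = _first(packets, lambda p: p.proto == "HTTP" and p.info.startswith("GET "))
    resp = _first(packets, lambda p: p.proto == "HTTP" and p.info.startswith("HTTP/1."), get.time)
    return round(resp.time - get.time, 6)


def locate_delay(packets: List[Packet], slow: float = 0.1) -> str:
    """Compare the two gaps. If the request takes far longer than one network
    round trip, the time is spent in the server/application, not on the wire."""
    rtt = handshake_rtt(packets)
    rr = request_response_time(packets)
    if rr - rtt > slow:
        return "application"
    if rtt > slow:
        return "network"
    return "neither"


if __name__ == "__main__":
    http_only: Filter = lambda p: p.proto == "HTTP"
    plain, shown = delta_time(PACKETS), delta_time_displayed(PACKETS, http_only)
    print("No.  Time      Delta     DeltaDisplayed(http)  Info")
    for p in PACKETS:
        dd = shown.get(p.no)
        dd_str = "" if dd is None else f"{dd:.6f}"
        print(f"{p.no:<4} {p.time:<9.6f} {plain[p.no]:<9.6f} {dd_str:<21} {p.info}")
    print(f"SYN->SYN/ACK: {handshake_rtt(PACKETS) * 1000:.1f} ms, "
          f"GET->response: {request_response_time(PACKETS) * 1000:.1f} ms "
          f"-> delay is in the {locate_delay(PACKETS)}")
```

Run it and packet 8 shows a plain delta of 2.8092 s (measured from the server’s ACK in packet 7) but a displayed delta of 2.81 s under the “http” filter (measured from the GET), which is the number you actually want. The handshake took 1.3 ms while the request took 2.81 s, so the verdict is “application”. In Wireshark itself the same columns come from the Delta time displayed field with the display filter http applied; on the command line, tshark -r capture.pcap -Y http -T fields -e frame.number -e frame.time_delta_displayed -e http.time prints the equivalent values.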

See this excellent post for a better explanation: http://www.lovemytool.com/blog/2009/01/chris_greer.html

If you want a more assisted experience when troubleshooting network issues, try out the free versions of the superb nChronos and Capsa applications from Colasoft.

Comments

  1. Cherie says:

    This is an issue I need to do more research into, thanks for the post.