Wireshark-users: Re: [Wireshark-users] Intermittent Performance Problems on

From: "Cyril Spiro" <spiroc@xxxxxxxxxxxxxxx>
Date: Sun, 9 Nov 2008 09:04:15 -0500
Ryan,

Thank you for your response.

I have followed your recommendation and taken a snapshot of one TCP stream
during a period when the users stated the intranet-based web application was
slow.

Attached is a sample of one TCP Stream which took 1.3 seconds.  I provide
this as an example for assistance in interpreting the Wireshark results.

What surprised me is that all packets indicate communication from
192.168.0.221 (client) to 192.168.0.150 (server) and none in the other
direction.  

Again, our goal is to know if this screen rendering took 1.3 seconds because
the server was busy processing the request (database calls, etc.) or if the
network was jammed outside of the server.

Any insight that you can provide on how to read the results in order to
answer this question is much appreciated.

spiroc

 

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of
wireshark-users-request@xxxxxxxxxxxxx
Sent: Thursday, November 06, 2008 7:12 PM
To: wireshark-users@xxxxxxxxxxxxx
Subject: Wireshark-users Digest, Vol 30, Issue 11


Today's Topics:

   1. Re: tshark creates files in temp dir (j.snelders@xxxxxxxxxx)
   2. Re: tshark creates files in temp dir (Al Aghili)
   3. Re: tshark creates files in temp dir (Stephen Fisher)
   4. Re: tshark creates files in temp dir (Al Aghili)
   5. Re: tshark creates files in temp dir (Stephen Fisher)
   6. Re: tshark creates files in temp dir (Guy Harris)
   7. Re: tshark creates files in temp dir (Al Aghili)
   8. Re: Intermittent Performance Problems on Intranet (Ryan Zuidema)


----------------------------------------------------------------------

Message: 1
Date: Thu, 6 Nov 2008 21:26:45 +0100
From: j.snelders@xxxxxxxxxx
Subject: Re: [Wireshark-users] tshark creates files in temp dir
To: "Community support list for Wireshark"
	<wireshark-users@xxxxxxxxxxxxx>
Message-ID: <481B3765000A0AD6@xxxxxxxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset="US-ASCII"

Hi Al,

I think that you have to define an output file:
$ tshark -i 2 -w output.cap

HTH
Joan

On Thu, 6 Nov 2008 10:39:32 -0700 Al Aghili wrote:
>Subject: [Wireshark-users] tshark creates files in temp dir
>
>Hi,
>When we run tshark on windows it sometimes creates these large files in
>Windows/temp directory that start with "ether". Is there a way to turn
>this off?
> 
>Thanks
>Al
> 
> 
>_______________________________________________
>Wireshark-users mailing list
>Wireshark-users@xxxxxxxxxxxxx
>https://wireshark.org/mailman/listinfo/wireshark-users


       




------------------------------

Message: 2
Date: Thu, 6 Nov 2008 14:08:19 -0700
From: "Al Aghili" <aaghili@xxxxxxxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] tshark creates files in temp dir
To: "'Community support list for Wireshark'"
	<wireshark-users@xxxxxxxxxxxxx>
Message-ID: <00b601c94053$cf285540$2602a8c0@AlDell01>
Content-Type: text/plain;	charset="us-ascii"

Hi,
We're running tshark with the following command. 
tshark -i 2 -V -l

Then we read the standard out so we don't want to create an output file.


Thanks
Al




------------------------------

Message: 3
Date: Thu, 6 Nov 2008 14:39:25 -0700
From: Stephen Fisher <stephentfisher@xxxxxxxxx>
Subject: Re: [Wireshark-users] tshark creates files in temp dir
To: Community support list for Wireshark
	<wireshark-users@xxxxxxxxxxxxx>
Content-Type: text/plain; charset=us-ascii

On Thu, Nov 06, 2008 at 10:39:32AM -0700, Al Aghili wrote:

> When we run tshark on windows it sometimes creates these large files 
> in Windows/temp directory that start with "ether". Is there a way to 
> turn this off?

These files are used for temporarily storing captured data for the 
session that you run tshark for.  They should be deleted when tshark is 
closed and able to quit gracefully.  They cannot be turned off.  What 
version of tshark/Wireshark are you using?  How are you stopping tshark?


Steve



------------------------------

Message: 4
Date: Thu, 6 Nov 2008 16:01:40 -0700
From: "Al Aghili" <aaghili@xxxxxxxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] tshark creates files in temp dir
To: "'Community support list for Wireshark'"
	<wireshark-users@xxxxxxxxxxxxx>
Message-ID: <00c201c94063$a2dc8230$2602a8c0@AlDell01>
Content-Type: text/plain;	charset="us-ascii"

We're stopping it by killing the tshark process through a kill command
which I would think is not graceful. How do you recommend killing tshark
programmatically?

Thanks
Al




------------------------------

Message: 5
Date: Thu, 6 Nov 2008 16:24:58 -0700
From: Stephen Fisher <stephentfisher@xxxxxxxxx>
Subject: Re: [Wireshark-users] tshark creates files in temp dir
To: Community support list for Wireshark
	<wireshark-users@xxxxxxxxxxxxx>
Content-Type: text/plain; charset=us-ascii

On Thu, Nov 06, 2008 at 04:01:40PM -0700, Al Aghili wrote:

> We're stopping it by killing the tshark process through a kill command 
> which I would think is not graceful. How do you recommend killing 
> tshark programmatically?

I assume you're using some sort of Unix?  In that case, SIGTERM (15), 
SIGINT (2) and SIGHUP (1) are caught and should result in a graceful 
shutdown of tshark.  A SIGKILL (9) is not catchable and forces tshark to 
quit immediately.  Which are you using?


Steve
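
The signal behaviour described above, as an added example that is not code from this thread: a supervisor sends SIGTERM first so the capture process can delete its temporary file, and falls back to SIGKILL only after a grace period. It assumes a Unix host; the child is a constructed stand-in for tshark, and `stop_capture`, `demo` and the file name are hypothetical.

```python
import os, signal, subprocess, sys, tempfile, textwrap

# Constructed stand-in for tshark: writes a temp "capture" file and removes it
# when it receives one of the catchable signals named in the message above.
FAKE_CAPTURE = textwrap.dedent("""
    import os, signal, sys, time
    path = sys.argv[1]
    open(path, "w").write("captured packets")
    def cleanup(signum, frame):
        os.remove(path)
        sys.exit(0)
    for s in (signal.SIGTERM, signal.SIGINT, signal.SIGHUP):
        signal.signal(s, cleanup)
    print("ready", flush=True)
    while True:
        time.sleep(0.1)
""")

def start_fake_capture(path):
    proc = subprocess.Popen([sys.executable, "-c", FAKE_CAPTURE, path],
                            stdout=subprocess.PIPE, text=True)
    proc.stdout.readline()   # block until the child's handlers are installed
    proc.stdout.close()
    return proc

def stop_capture(proc, grace_seconds=5.0):
    """Ask with SIGTERM; use SIGKILL only if the process does not exit in time."""
    proc.send_signal(signal.SIGTERM)
    try:
        proc.wait(timeout=grace_seconds)
        return "graceful"
    except subprocess.TimeoutExpired:
        proc.kill()          # SIGKILL cannot be caught, so no cleanup runs
        proc.wait()
        return "forced"

def demo(first_signal):
    """Return (how the process ended, whether its temp file was left behind)."""
    path = os.path.join(tempfile.mkdtemp(), "ether_constructed.tmp")
    proc = start_fake_capture(path)
    if first_signal == signal.SIGKILL:
        proc.kill(); proc.wait(); how = "forced"
    else:
        how = stop_capture(proc)
    leftover = os.path.exists(path)
    if leftover:
        os.remove(path)      # the supervisor removes what SIGKILL left on disk
    os.rmdir(os.path.dirname(path))
    return how, leftover
```

A leftover capture file holds raw captured traffic, so a supervisor that has to force-kill the process should remove the file itself, as the last branch of `demo` does.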



------------------------------

Message: 6
Date: Thu, 6 Nov 2008 15:53:21 -0800
From: Guy Harris <guy@xxxxxxxxxxxx>
Subject: Re: [Wireshark-users] tshark creates files in temp dir
To: Community support list for Wireshark
	<wireshark-users@xxxxxxxxxxxxx>
Message-ID: <7EA5C406-16B1-4425-969B-87EC2FB1BFD3@xxxxxxxxxxxx>
Content-Type: text/plain; charset=WINDOWS-1252; format=flowed;
	delsp=yes


On Nov 6, 2008, at 9:39 AM, Al Aghili wrote:

> When we run tshark on windows it sometimes creates these large files  
> in Windows/temp directory that start with "ether". Is there a way to  
> turn this off?

Currently, no.  TShark runs dumpcap to do the traffic capture, and  
currently, if you run it without the "-w" flag, tells dumpcap to write  
to a temporary file, and reads from the temporary file.

At some point it should be changed to, in that case, have dumpcap  
write the packets on a pipe, and read from the pipe.

When you terminate TShark with ^C, then it should get rid of the  
file.  Is the problem that the file exists while the capture is being  
done (in which case there's currently nothing you can do to stop it),  
or that the file remains around after you terminate TShark?

------------------------------

Message: 7
Date: Thu, 6 Nov 2008 16:59:18 -0700
From: "Al Aghili" <aaghili@xxxxxxxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] tshark creates files in temp dir
To: "'Community support list for Wireshark'"
	<wireshark-users@xxxxxxxxxxxxx>
Message-ID: <00c701c9406b$aeec7460$2602a8c0@AlDell01>
Content-Type: text/plain;	charset="us-ascii"

Guy,
I think we may have to manually delete the files after we kill the
tshark process. That was the problem I think. There were files left over
because we are killing the process programmatically (not ^C). 

In a high traffic environment these files tend to get very big. So your
solution to write the packets on a pipe might work best in the future.

At the same time if that increases the RAM consumption then that's a
bigger problem because right now it's on disk.

Thanks for the help.

Al




------------------------------

Message: 8
Date: Thu, 6 Nov 2008 17:13:14 -0700
From: "Ryan Zuidema" <Ryan.Zuidema@xxxxxxxxxxx>
Subject: Re: [Wireshark-users] Intermittent Performance Problems on
	Intranet
To: "'Community support list for Wireshark'"
	<wireshark-users@xxxxxxxxxxxxx>
Message-ID: <000d01c9406d$a0661f70$e1325e50$@Zuidema@xxxxxxxxxxx>
Content-Type: text/plain; charset="us-ascii"

Spiro,

Yes that is exactly what Wireshark is good for, and for a beginner that is
an excellent place to start. You will want to capture off of a mirrored/span
port to begin with if possible. Running a live capture on the server could
use up more resources, and potentially give you a false reading. If you have
to capture on the server, you will need to run a simultaneous capture on an
affected client as well.

Take a capture and pay attention to the timing between request and response
from the server.

Ryan Zuidema


From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Cyril Spiro
Sent: 2008-11-06 07:04
To: wireshark-users@xxxxxxxxxxxxx
Subject: [Wireshark-users] Intermittent Performance Problems on Intranet

 

Hi, I'm a newbie to Wireshark :)

Our users on our Intranet are stating that their Web Application can get
slow at times.  If we run Wireshark on the Web server can we use it to
determine if the packets are being slowed down once they have gotten in the
Web server (i.e., slow database calls, etc.) versus outside of the Web server
on the network?

Thanks,

spiroc



Attachment: TCP Stream 2398.doc
Description: MS-Word document