Wireshark-users: Re: [Wireshark-users] Intermittent Performance Problems on

From: "Martin Visser" <martinvisser99@xxxxxxxxx>
Date: Mon, 10 Nov 2008 16:30:21 +1100
Cyril,

Rather than sending the text output, it is probably more useful to
send the pcap capture file (unless you have private data you need to
obscure).

Only seeing one side makes it a little hard (make sure filter includes
client and server as both source and destination), however what can be
gleaned is :-

1. The connection response (3-way handshake SYN/SYN-ACK/ACK) is 1.4ms
(packet 1822-1821). This indicates your server is physically close and
the TCP stack is responsive.
2. Your client issued an HTTP GET straight after (packet 1823) and then
ACKed the first bytes from the server response in less than 594ms
(packet 1839 - 1823). More than likely your server won't start sending
data until it has finished the backend database server transaction,
but that is totally dependent on how your web app is built. So it is
likely this is your server processing time.
3. You received the last byte from that stream sometime before packet
1873. Thus time from first byte to last byte received is approximately
665ms. This is the time of flight of your received data. The ACKs show
that you received 56152 bytes in that time, thus your throughput was
84430 Bps or 675Kbps. This may be good or bad depending on your
network pipe between client and servers and how much concurrent usage
occurred.

So for your transaction I would conclude around half of the time was
backend processing (the 594ms) and half simply filling the available
pipe with your data (the 665ms).


(Note at packet 95288 you reused the TCP port 2398 some hours later -
so this is from another session to the first.)


Regards, Martin


On Mon, Nov 10, 2008 at 1:04 AM, Cyril Spiro <spiroc@xxxxxxxxxxxxxxx> wrote:
> Ryan,
>
> Thank you for your response.
>
> I have followed your recommendation and taken a snapshot of one TCP stream
> during a period when the users stated the intranet-based web application was
> slow.
>
> Attached is a sample of one TCP Stream which took 1.3 seconds.  I provide
> this as an example for assistance in interpreting the Wireshark results.
>
> What surprised me is that all packets indicate communication from
> 192.168.0.221 (client) to 192.168.0.150 (server) and none in the other
> direction.
>
> Again, our goal is to know if this screen rendering took 1.3 seconds because
> the server was busy processing the request (database calls, etc.) or if the
> network was jammed outside of the server.
>
> Any insight that you can provide on how to read the results in order to
> answer this question is much appreciated.
>
> spiroc
>
>
>
> -----Original Message-----
> From: wireshark-users-bounces@xxxxxxxxxxxxx
> [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of
> wireshark-users-request@xxxxxxxxxxxxx
> Sent: Thursday, November 06, 2008 7:12 PM
> To: wireshark-users@xxxxxxxxxxxxx
> Subject: Wireshark-users Digest, Vol 30, Issue 11
>
> Today's Topics:
>
>   1. Re: tshark creates files in temp dir (j.snelders@xxxxxxxxxx)
>   2. Re: tshark creates files in temp dir (Al Aghili)
>   3. Re: tshark creates files in temp dir (Stephen Fisher)
>   4. Re: tshark creates files in temp dir (Al Aghili)
>   5. Re: tshark creates files in temp dir (Stephen Fisher)
>   6. Re: tshark creates files in temp dir (Guy Harris)
>   7. Re: tshark creates files in temp dir (Al Aghili)
>   8. Re: Intermittent Performance Problems on Intranet (Ryan Zuidema)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 6 Nov 2008 21:26:45 +0100
> From: j.snelders@xxxxxxxxxx
> Subject: Re: [Wireshark-users] tshark creates files in temp dir
> To: "Community support list for Wireshark"
>        <wireshark-users@xxxxxxxxxxxxx>
> Message-ID: <481B3765000A0AD6@xxxxxxxxxxxxxxxxxxxxxxxxxx>
> Content-Type: text/plain; charset="US-ASCII"
>
> Hi Al,
>
> I think that you have to define an output file:
> $ tshark -i 2 -w output.cap
>
> HTH
> Joan
>
> On Thu, 6 Nov 2008 10:39:32 -0700 Al Aghili wrote:
>>Subject: [Wireshark-users] tshark creates files in temp dir
>>
>>Hi,
>>When we run tshark on windows it sometimes creates these large files in
>>Windows/temp directory that start with "ether". Is there a way to turn
>>this off?
>>
>>Thanks
>>Al
>>
>
> ------------------------------
>
> Message: 2
> Date: Thu, 6 Nov 2008 14:08:19 -0700
> From: "Al Aghili" <aaghili@xxxxxxxxxxxxxxxxxx>
> Subject: Re: [Wireshark-users] tshark creates files in temp dir
> To: "'Community support list for Wireshark'"
>        <wireshark-users@xxxxxxxxxxxxx>
> Message-ID: <00b601c94053$cf285540$2602a8c0@AlDell01>
> Content-Type: text/plain;       charset="us-ascii"
>
> Hi,
> We're running tshark with the following command.
> tshark -i 2 -V -l
>
> Then we read the standard out so we don't want to create an output file.
>
>
> Thanks
> Al
>
> ------------------------------
>
> Message: 3
> Date: Thu, 6 Nov 2008 14:39:25 -0700
> From: Stephen Fisher <stephentfisher@xxxxxxxxx>
> Subject: Re: [Wireshark-users] tshark creates files in temp dir
> To: Community support list for Wireshark
>        <wireshark-users@xxxxxxxxxxxxx>
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset=us-ascii
>
> On Thu, Nov 06, 2008 at 10:39:32AM -0700, Al Aghili wrote:
>
>> When we run tshark on windows it sometimes creates these large files
>> in Windows/temp directory that start with "ether". Is there a way to
>> turn this off?
>
> These files are used for temporarily storing captured data for the
> session that you run tshark for.  They should be deleted when tshark is
> closed and able to quit gracefully.  They cannot be turned off.  What
> version of tshark/Wireshark are you using?  How are you stopping tshark?
>
>
> Steve
>
>
>
> ------------------------------
>
> Message: 4
> Date: Thu, 6 Nov 2008 16:01:40 -0700
> From: "Al Aghili" <aaghili@xxxxxxxxxxxxxxxxxx>
> Subject: Re: [Wireshark-users] tshark creates files in temp dir
> To: "'Community support list for Wireshark'"
>        <wireshark-users@xxxxxxxxxxxxx>
> Message-ID: <00c201c94063$a2dc8230$2602a8c0@AlDell01>
> Content-Type: text/plain;       charset="us-ascii"
>
> We're stopping it by killing the tshark process through a kill command
> which I would think is not graceful. How do you recommend killing tshark
> programmatically?
>
> Thanks
> Al
>
> ------------------------------
>
> Message: 5
> Date: Thu, 6 Nov 2008 16:24:58 -0700
> From: Stephen Fisher <stephentfisher@xxxxxxxxx>
> Subject: Re: [Wireshark-users] tshark creates files in temp dir
> To: Community support list for Wireshark
>        <wireshark-users@xxxxxxxxxxxxx>
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset=us-ascii
>
> On Thu, Nov 06, 2008 at 04:01:40PM -0700, Al Aghili wrote:
>
>> We're stopping it by killing the tshark process through a kill command
>> which I would think is not graceful. How do you recommend killing
>> tshark programmatically?
>
> I assume you're using some sort of Unix?  In that case, SIGTERM (15),
> SIGINT (2) and SIGHUP (1) are caught and should result in a graceful
> shutdown of tshark.  A SIGKILL (9) is not catchable and forces tshark to
> quit immediately.  Which are you using?
>
>
> Steve
>
>
>
> ------------------------------
>
> Message: 6
> Date: Thu, 6 Nov 2008 15:53:21 -0800
> From: Guy Harris <guy@xxxxxxxxxxxx>
> Subject: Re: [Wireshark-users] tshark creates files in temp dir
> To: Community support list for Wireshark
>        <wireshark-users@xxxxxxxxxxxxx>
> Message-ID: <7EA5C406-16B1-4425-969B-87EC2FB1BFD3@xxxxxxxxxxxx>
> Content-Type: text/plain; charset=WINDOWS-1252; format=flowed;
>        delsp=yes
>
>
> On Nov 6, 2008, at 9:39 AM, Al Aghili wrote:
>
>> When we run tshark on windows it sometimes creates these large files
>> in Windows/temp directory that start with "ether". Is there a way to
>> turn this off?
>
> Currently, no.  TShark runs dumpcap to do the traffic capture, and
> currently, if you run it without the "-w" flag, tells dumpcap to write
> to a temporary file, and reads from the temporary file.
>
> At some point it should be changed to, in that case, have dumpcap
> write the packets on a pipe, and read from the pipe.
>
> When you terminate TShark with ^C, then it should get rid of the
> file.  Is the problem that the file exists while the capture is being
> done (in which case there's currently nothing you can do to stop it),
> or that the file remains around after you terminate TShark?
>
> ------------------------------
>
> Message: 7
> Date: Thu, 6 Nov 2008 16:59:18 -0700
> From: "Al Aghili" <aaghili@xxxxxxxxxxxxxxxxxx>
> Subject: Re: [Wireshark-users] tshark creates files in temp dir
> To: "'Community support list for Wireshark'"
>        <wireshark-users@xxxxxxxxxxxxx>
> Message-ID: <00c701c9406b$aeec7460$2602a8c0@AlDell01>
> Content-Type: text/plain;       charset="us-ascii"
>
> Guy,
> I think we may have to manually delete the files after we kill the
> tshark process. That was the problem I think. There were files left over
> because we are killing the process programmatically (not ^C).
>
> In a high traffic environment these files tend to get very big. So your
> solution to write the packets on a pipe might work best in the future.
>
> At the same time if that increases the RAM consumption then that's a
> bigger problem because right now it's on disk.
>
> Thanks for the help.
>
> Al
>
> ------------------------------
>
> Message: 8
> Date: Thu, 6 Nov 2008 17:13:14 -0700
> From: "Ryan Zuidema" <Ryan.Zuidema@xxxxxxxxxxx>
> Subject: Re: [Wireshark-users] Intermittent Performance Problems on
>        Intranet
> To: "'Community support list for Wireshark'"
>        <wireshark-users@xxxxxxxxxxxxx>
> Message-ID: <000d01c9406d$a0661f70$e1325e50$@Zuidema@xxxxxxxxxxx>
> Content-Type: text/plain; charset="us-ascii"
>
> Spiro,
>
>
>
> Yes that is exactly what Wireshark is good for, and for a beginner that is
> an excellent place to start. You will want to capture off of a mirrored/span
> port to begin with if possible. Running a live capture on the server could
> use up more resources, and potentially give you a false reading. If you have
> to capture on the server, you will need to run a simultaneous capture on an
> affected client as well.
>
>
>
> Take a capture and pay attention to the timing between request and response
> from the server.
>
>
>
> Ryan Zuidema
>
>
>
>
>
>
>
> From: wireshark-users-bounces@xxxxxxxxxxxxx
> [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Cyril Spiro
> Sent: 2008-11-06 07:04
> To: wireshark-users@xxxxxxxxxxxxx
> Subject: [Wireshark-users] Intermittent Performance Problems on Intranet
>
>
>
> Hi, I'm a newbie to Wireshark :)
>
>
>
> Our users on our Intranet are stating that their Web Application can get
> slow at times.  If we run Wireshark on the Web server can we use it to
> determine if the packets are being slowed down once they have gotten in the
> Web server (ie, slow database calls, etc.) versus outside of the Web server
> on the network?
>
>
>
> Thanks,
>
> spiroc
>
>
>



-- 
Regards, Martin

MartinVisser99@xxxxxxxxx
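
The timing breakdown described in the reply above, as an added Python example that is not part of the original thread: it splits one TCP stream into handshake round trip, wait for the first response byte, and transfer time, and refuses a capture that holds only one direction. The packet rows, the addresses and the `analyse` helper are constructed for illustration, and unlike the reply (which had only client-side packets and timed the client's ACKs) it assumes both directions are present and the rows are in time order.

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "no t_us src dst flags payload")
CLIENT, SERVER = "192.0.2.10", "192.0.2.20"  # assumed documentation addresses

# Constructed capture of one HTTP exchange; times are microseconds from the SYN.
SAMPLE = [
    Pkt(1, 0, CLIENT, SERVER, "S", 0),
    Pkt(2, 1_400, SERVER, CLIENT, "SA", 0),
    Pkt(3, 1_500, CLIENT, SERVER, "A", 0),
    Pkt(4, 1_600, CLIENT, SERVER, "PA", 420),  # the HTTP GET
    Pkt(5, 1_900, SERVER, CLIENT, "A", 0),     # server ACKs the GET, no data yet
] + [
    # 41 response segments of 1460 bytes, one every 12.5 ms
    Pkt(6 + i, 601_600 + i * 12_500, SERVER, CLIENT, "A", 1460)
    for i in range(41)
]


def analyse(pkts, client, server):
    """Split one TCP stream into handshake, server wait and transfer time."""
    to_srv = [p for p in pkts if (p.src, p.dst) == (client, server)]
    from_srv = [p for p in pkts if (p.src, p.dst) == (server, client)]
    if not to_srv or not from_srv:
        # The situation in the thread: only one direction was captured.
        raise ValueError("one direction only; filter on both hosts as src and dst")
    syn = next((p for p in to_srv if p.flags == "S"), None)
    synack = next((p for p in from_srv if p.flags == "SA"), None)
    request = next((p for p in to_srv if p.payload > 0), None)
    if request is None:
        raise ValueError("no client request with payload in this stream")
    data = [p for p in from_srv if p.payload > 0 and p.t_us > request.t_us]
    if not data:
        raise ValueError("no response data after the request")
    transfer_us = data[-1].t_us - data[0].t_us
    nbytes = sum(p.payload for p in data)
    return {
        "handshake_us": synack.t_us - syn.t_us if syn and synack else None,
        "server_wait_us": data[0].t_us - request.t_us,
        "transfer_us": transfer_us,
        "bytes": nbytes,
        "bytes_per_s": nbytes * 1_000_000 // transfer_us if transfer_us else None,
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE, CLIENT, SERVER).items():
        print(f"{key:>15}: {value}")
```

A large `server_wait_us` next to a small `handshake_us` points at the application or its backend; a long `transfer_us` with low `bytes_per_s` points at the network path.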