Wireshark-users: Re: [Wireshark-users] Intermittent Performance Problems

From: "Cyril Spiro" <spiroc@xxxxxxxxxxxxxxx>
Date: Tue, 11 Nov 2008 21:21:57 -0500
First of all, thanks to those who responded to my last post.  The answers
were very helpful in educating me on interpreting the Wireshark output.

The last example was a random sample of a TCP stream which indicated a 1.3
second duration from SYN to FIN ACK, with about 50% of the time used for
server processes and 50% for transporting data via the network.  These
durations were within tolerable limits.

In this new attached example, the user pointed us to a specific incident
which took 5 seconds between the time that he clicked the submit button on
the webpage and the screen refreshed.  We confirmed the user's statement
with the Wireshark output.  The question is why?

Can anyone see from the attached report what could have caused the delay?
Note that this capture was exclusively for data between the user's PC and
the server.  We have the full tcpdump file for the day for the user's PC, but
it is very large (33MB).

Also, please note that when the user submitted data in the same HTML form at
different times of the day the duration was consistently significantly
shorter (<1s) and within tolerable limits.  So, it appears that something
unique happened during the attached example.

In summary, users are complaining that this intermittent slowness is
frustrating to them and the attached example is a rare glimpse into one of
these events.  The most important question to answer at this time is: can we
tell if the delay is being caused by the server or by the network?

Thanks in advance for your help,
spiroc

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of
wireshark-users-request@xxxxxxxxxxxxx
Sent: Monday, November 10, 2008 5:42 AM
To: wireshark-users@xxxxxxxxxxxxx
Subject: Wireshark-users Digest, Vol 30, Issue 17

Send Wireshark-users mailing list submissions to
	wireshark-users@xxxxxxxxxxxxx

To subscribe or unsubscribe via the World Wide Web, visit
	https://wireshark.org/mailman/listinfo/wireshark-users
or, via email, send a message with subject or body 'help' to
	wireshark-users-request@xxxxxxxxxxxxx

You can reach the person managing the list at
	wireshark-users-owner@xxxxxxxxxxxxx

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Wireshark-users digest..."


Today's Topics:

   1. Not need to save packet data (Adisak)
   2. Re: Not need to save packet data (j.snelders@xxxxxxxxxx)
   3. Re: Intermittent Performance Problems on (Martin Visser)
   4. Re: Not need to save packet data (Jaap Keuter)


----------------------------------------------------------------------

Message: 1
Date: Mon, 10 Nov 2008 08:34:32 +0700
From: "Adisak" <adisak@xxxxxxxxxxx>
Subject: [Wireshark-users] Not need to save packet data
To: "'Community support list for Wireshark'"
	<wireshark-users@xxxxxxxxxxxxx>
Message-ID: <200811100136.mAA1aMBV026303@xxxxxxxxxxxxxxx>
Content-Type: text/plain; charset="us-ascii"

Hi all,

I'm very new to Wireshark.

I downloaded and started using Wireshark a few days ago.

I'll use Wireshark in my company to check the traffic of the proxy server.

But I'd like to collect only Time, IP address (both source and destination),
Protocol type and information.

No need to save packet data, because the log file will grow big in a short
time.

I've tried to set up Wireshark for 2 days but I can't.

Does anyone have an idea for my question?

P.S. I used Wireshark on Windows.

Best Regards,

Adisak


------------------------------

Message: 2
Date: Mon, 10 Nov 2008 06:20:26 +0100
From: j.snelders@xxxxxxxxxx
Subject: Re: [Wireshark-users] Not need to save packet data
To: adisak@xxxxxxxxxxx,	"Community support list for Wireshark"
	<wireshark-users@xxxxxxxxxxxxx>
Message-ID: <481B206B000A3AFE@xxxxxxxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset="US-ASCII"

Hi Adisak,

You can use the option: Limit each packet to 68 bytes.
You'll find it at 
Capture -> Capture Options

Thanks
Joan

------------------------------

Message: 3
Date: Mon, 10 Nov 2008 16:30:21 +1100
From: "Martin Visser" <martinvisser99@xxxxxxxxx>
Subject: Re: [Wireshark-users] Intermittent Performance Problems on
To: "Community support list for Wireshark"
	<wireshark-users@xxxxxxxxxxxxx>
Message-ID:
	<b3739b0c0811092130s45347b93va3d53d24f51f044b@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset=UTF-8

Cyril,

Rather than sending the text output, it is probably more useful to
send the pcap capture file (unless you have private data you need to
obscure).

Only seeing one side makes it a little hard (make sure the filter includes
client and server as both source and destination); however, what can be
gleaned is:

1. The connection response (3-way handshake SYN/SYN-ACK/ACK) is 1.4ms
(packet 1822-1821). This indicates your server is physically close and
the TCP stack is responsive.
2. Your client issued an HTTP GET straight after (packet 1823) and then
ACKed the first bytes from the server response in less than 594ms
(packet 1839 - 1823). More than likely your server won't start sending
data until it has finished the backend database server transaction,
but that is totally dependent on how your web app is built. So it is
likely this is your server processing time.
3. You received the last byte from that stream sometime before packet
1873. Thus the time from first byte to last byte received is approximately
665ms. This is the time of flight of your received data. The ACKs show
that you received 56152 bytes in that time, thus your throughput was
84430 Bps or 675Kbps. This may be good or bad depending on your
network pipe between client and servers and how much concurrent usage
occurred.

So for your transaction I would conclude around half of the time was
backend processing (the 594ms) and half simply filling the available
pipe with your data (the 665ms).

(Note at packet 95288 you reused the TCP port 2398 some hours later -
so this is from another session to the first.)

Regards, Martin


On Mon, Nov 10, 2008 at 1:04 AM, Cyril Spiro <spiroc@xxxxxxxxxxxxxxx> wrote:
> Ryan,
>
> Thank you for your response.
>
> I have followed your recommendation and taken a snap shot of one TCP
> stream during a period when the users stated the intranet-based web
> application was slow.
>
> Attached is a sample of one TCP Stream which took 1.3 seconds.  I provide
> this as an example for assistance in interpreting the Wireshark results.
>
> What surprised me is that all packets indicate communication from
> 192.168.0.221 (client) to 192.168.0.150 (server) and none in the other
> direction.
>
> Again, our goal is to know if this screen rendering took 1.3 seconds
> because the server was busy processing the request (database calls, etc.)
> or if the network was jammed outside of the server.
>
> Any insight that you can provide on how to read the results in order to
> answer this question is much appreciated.
>
> spiroc
>
>
>
> -----Original Message-----
> From: wireshark-users-bounces@xxxxxxxxxxxxx
> [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of
> wireshark-users-request@xxxxxxxxxxxxx
> Sent: Thursday, November 06, 2008 7:12 PM
> To: wireshark-users@xxxxxxxxxxxxx
> Subject: Wireshark-users Digest, Vol 30, Issue 11
>
> Today's Topics:
>
>   1. Re: tshark creates files in temp dir (j.snelders@xxxxxxxxxx)
>   2. Re: tshark creates files in temp dir (Al Aghili)
>   3. Re: tshark creates files in temp dir (Stephen Fisher)
>   4. Re: tshark creates files in temp dir (Al Aghili)
>   5. Re: tshark creates files in temp dir (Stephen Fisher)
>   6. Re: tshark creates files in temp dir (Guy Harris)
>   7. Re: tshark creates files in temp dir (Al Aghili)
>   8. Re: Intermittent Performance Problems on Intranet (Ryan Zuidema)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 6 Nov 2008 21:26:45 +0100
> From: j.snelders@xxxxxxxxxx
> Subject: Re: [Wireshark-users] tshark creates files in temp dir
> To: "Community support list for Wireshark"
>        <wireshark-users@xxxxxxxxxxxxx>
> Message-ID: <481B3765000A0AD6@xxxxxxxxxxxxxxxxxxxxxxxxxx>
> Content-Type: text/plain; charset="US-ASCII"
>
> Hi Al,
>
> I think that you have to define an output file:
> $ tshark -i 2 -w output.cap
>
> HTH
> Joan
>
> On Thu, 6 Nov 2008 10:39:32 -0700 Al Aghili wrote:
>>Subject: [Wireshark-users] tshark creates files in temp dir
>>
>>Hi,
>>When we run tshark on windows it sometimes creates these large files in
>>Windows/temp directory that start with "ether". Is there a way to turn
>>this off?
>>
>>Thanks
>>Al
>>
>>
>>_______________________________________________
>>Wireshark-users mailing list
>>Wireshark-users@xxxxxxxxxxxxx
>>https://wireshark.org/mailman/listinfo/wireshark-users
>
> ------------------------------
>
> Message: 2
> Date: Thu, 6 Nov 2008 14:08:19 -0700
> From: "Al Aghili" <aaghili@xxxxxxxxxxxxxxxxxx>
> Subject: Re: [Wireshark-users] tshark creates files in temp dir
> To: "'Community support list for Wireshark'"
>        <wireshark-users@xxxxxxxxxxxxx>
> Message-ID: <00b601c94053$cf285540$2602a8c0@AlDell01>
> Content-Type: text/plain;       charset="us-ascii"
>
> Hi,
> We're running tshark with the following command.
> tshark -i 2 -V -l
>
> Then we read the standard out so we don't want to create an output file.
>
>
> Thanks
> Al
>
> ------------------------------
>
> Message: 3
> Date: Thu, 6 Nov 2008 14:39:25 -0700
> From: Stephen Fisher <stephentfisher@xxxxxxxxx>
> Subject: Re: [Wireshark-users] tshark creates files in temp dir
> To: Community support list for Wireshark
>        <wireshark-users@xxxxxxxxxxxxx>
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset=us-ascii
>
> On Thu, Nov 06, 2008 at 10:39:32AM -0700, Al Aghili wrote:
>
>> When we run tshark on windows it sometimes creates these large files
>> in Windows/temp directory that start with "ether". Is there a way to
>> turn this off?
>
> These files are used for temporarily storing captured data for the
> session that you run tshark for.  They should be deleted when tshark is
> closed and able to quit gracefully.  They cannot be turned off.  What
> version of tshark/Wireshark are you using?  How are you stopping tshark?
>
>
> Steve
>
>
>
> ------------------------------
>
> Message: 4
> Date: Thu, 6 Nov 2008 16:01:40 -0700
> From: "Al Aghili" <aaghili@xxxxxxxxxxxxxxxxxx>
> Subject: Re: [Wireshark-users] tshark creates files in temp dir
> To: "'Community support list for Wireshark'"
>        <wireshark-users@xxxxxxxxxxxxx>
> Message-ID: <00c201c94063$a2dc8230$2602a8c0@AlDell01>
> Content-Type: text/plain;       charset="us-ascii"
>
> We're stopping it by killing the tshark process through a kill command
> which I would think is not graceful. How do you recommend killing tshark
> programmatically?
>
> Thanks
> Al
>
> ------------------------------
>
> Message: 5
> Date: Thu, 6 Nov 2008 16:24:58 -0700
> From: Stephen Fisher <stephentfisher@xxxxxxxxx>
> Subject: Re: [Wireshark-users] tshark creates files in temp dir
> To: Community support list for Wireshark
>        <wireshark-users@xxxxxxxxxxxxx>
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset=us-ascii
>
> On Thu, Nov 06, 2008 at 04:01:40PM -0700, Al Aghili wrote:
>
>> We're stopping it by killing the tshark process through a kill command
>> which I would think is not graceful. How do you recommend killing
>> tshark programmatically?
>
> I assume you're using some sort of Unix?  In that case, SIGTERM (15),
> SIGINT (2) and SIGHUP (1) are caught and should result in a graceful
> shutdown of tshark.  A SIGKILL (9) is not catchable and forces tshark to
> quit immediately.  Which are you using?
>
>
> Steve
>
>
>
> ------------------------------
>
> Message: 6
> Date: Thu, 6 Nov 2008 15:53:21 -0800
> From: Guy Harris <guy@xxxxxxxxxxxx>
> Subject: Re: [Wireshark-users] tshark creates files in temp dir
> To: Community support list for Wireshark
>        <wireshark-users@xxxxxxxxxxxxx>
> Message-ID: <7EA5C406-16B1-4425-969B-87EC2FB1BFD3@xxxxxxxxxxxx>
> Content-Type: text/plain; charset=WINDOWS-1252; format=flowed;
>        delsp=yes
>
>
> On Nov 6, 2008, at 9:39 AM, Al Aghili wrote:
>
>> When we run tshark on windows it sometimes creates these large files
>> in Windows/temp directory that start with "ether". Is there a way to
>> turn this off?
>
> Currently, no.  TShark runs dumpcap to do the traffic capture, and
> currently, if you run it without the "-w" flag, tells dumpcap to write
> to a temporary file, and reads from the temporary file.
>
> At some point it should be changed to, in that case, have dumpcap
> write the packets on a pipe, and read from the pipe.
>
> When you terminate TShark with ^C, then it should get rid of the
> file.  Is the problem that the file exists while the capture is being
> done (in which case there's currently nothing you can do to stop it),
> or that the file remains around after you terminate TShark?
>
> ------------------------------
>
> Message: 7
> Date: Thu, 6 Nov 2008 16:59:18 -0700
> From: "Al Aghili" <aaghili@xxxxxxxxxxxxxxxxxx>
> Subject: Re: [Wireshark-users] tshark creates files in temp dir
> To: "'Community support list for Wireshark'"
>        <wireshark-users@xxxxxxxxxxxxx>
> Message-ID: <00c701c9406b$aeec7460$2602a8c0@AlDell01>
> Content-Type: text/plain;       charset="us-ascii"
>
> Guy,
> I think we may have to manually delete the files after we kill the
> tshark process. That was the problem I think. There were files left over
> because we are killing the process programmatically (not ^C).
>
> In a high traffic environment these files tend to get very big. So your
> solution to write the packets on a pipe might work best in the future.
>
> At the same time if that increases the RAM consumption then that's a
> bigger problem because right now it's on disk.
>
> Thanks for the help.
>
> Al
>
> ------------------------------
>
> Message: 8
> Date: Thu, 6 Nov 2008 17:13:14 -0700
> From: "Ryan Zuidema" <Ryan.Zuidema@xxxxxxxxxxx>
> Subject: Re: [Wireshark-users] Intermittent Performance Problems on
>        Intranet
> To: "'Community support list for Wireshark'"
>        <wireshark-users@xxxxxxxxxxxxx>
> Message-ID: <000d01c9406d$a0661f70$e1325e50$@Zuidema@xxxxxxxxxxx>
> Content-Type: text/plain; charset="us-ascii"
>
> Spiro,
>
> Yes that is exactly what Wireshark is good for, and for a beginner that is
> an excellent place to start. You will want to capture off of a
> mirrored/span port to begin with if possible. Running a live capture on
> the server could use up more resources, and potentially give you a false
> reading. If you have to capture on the server, you will need to run a
> simultaneous capture on an affected client as well.
>
> Take a capture and pay attention to the timing between request and
> response from the server.
>
> Ryan Zuidema
>
> From: wireshark-users-bounces@xxxxxxxxxxxxx
> [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Cyril Spiro
> Sent: 2008-11-06 07:04
> To: wireshark-users@xxxxxxxxxxxxx
> Subject: [Wireshark-users] Intermittent Performance Problems on Intranet
>
> Hi, I'm a newbie to Wireshark :)
>
> Our users on our Intranet are stating that their Web Application can get
> slow at times.  If we run Wireshark on the Web server can we use it to
> determine if the packets are being slowed down once they have gotten in
> the Web server (ie, slow database calls, etc.) versus outside of the Web
> server on the network?
>
> Thanks,
>
> spiroc
>
> ------------------------------
>
> End of Wireshark-users Digest, Vol 30, Issue 11
> ***********************************************
>

-- 
Regards, Martin

MartinVisser99@xxxxxxxxx
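Martin's breakdown above (handshake RTT, request-to-first-byte as server time, first-to-last byte as network time, bytes ACKed over that interval as throughput) written out as a script. This is an added example, not code from the list or from the Wireshark project; it assumes the per-packet fields have already been exported from the capture (for instance with tshark's field output) into the `Pkt` records defined here, and the sample stream is constructed to mirror the numbers in the thread, with only the client side captured as in Cyril's trace.

```python
"""Timing breakdown of one TCP/HTTP transaction (added example, not list code):
the method from the analysis above, applied to a constructed client-side-only
capture like Cyril's, where server bytes are inferred from client ACK numbers."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Pkt:
    ts: float      # capture timestamp, seconds
    src: str       # source IP
    flags: str     # TCP flags, own shorthand for Wireshark's: "S", "SA", "A", "PA", "FA"
    ack: int       # relative acknowledgement number
    payload: int   # TCP payload bytes in this segment


def analyse_stream(pkts: List[Pkt], client: str, server: str) -> Dict[str, float]:
    """Handshake RTT, server think time (request -> first response byte), data
    flight time (first -> last byte) and throughput for one stream.
    Works with both sides captured or with only the client side."""
    pkts = sorted(pkts, key=lambda p: p.ts)
    syn = next(p for p in pkts if p.src == client and p.flags == "S")
    synack = next((p for p in pkts if p.src == server and p.flags == "SA"), None)
    # Client-only capture: the client's third-handshake ACK follows the SYN-ACK
    # almost immediately, so SYN -> ACK still approximates the round trip.
    reply = synack or next((p for p in pkts if p.src == client and p.flags == "A"
                            and p.ts > syn.ts), None)
    if reply is None:
        raise ValueError("handshake not visible in this stream")
    handshake = reply.ts - syn.ts
    req = next(p for p in pkts if p.src == client and p.payload > 0)
    resp = [p for p in pkts if p.src == server and p.payload > 0 and p.ts > req.ts]
    if resp:
        first_ts, last_ts = resp[0].ts, resp[-1].ts
        nbytes = sum(p.payload for p in resp)
    else:
        # Only the client side: each rise in the client's ACK number marks server
        # data arriving. The request's ACK number is the server's ISN+1, so
        # (ack - base) is bytes received (an ACKed server FIN would add one more).
        base = req.ack
        acks = [p for p in pkts if p.src == client and p.ts > req.ts and p.ack > base]
        if not acks:
            raise ValueError("no server data visible in this stream")
        rises = [acks[0]] + [b for a, b in zip(acks, acks[1:]) if b.ack > a.ack]
        first_ts, last_ts = rises[0].ts, rises[-1].ts
        nbytes = rises[-1].ack - base
    think, flight = first_ts - req.ts, last_ts - first_ts
    return {
        "handshake_rtt_s": handshake,
        "server_think_s": think,
        "data_flight_s": flight,
        "bytes": nbytes,
        "bytes_per_s": nbytes / flight if flight > 0 else float("inf"),
        "server_share": think / (think + flight),   # fraction spent waiting on the server
    }


CLIENT, SERVER = "192.168.0.221", "192.168.0.150"
# Constructed client-side-only capture modelled on the thread's numbers: 1.4 ms
# handshake, 594 ms to the first response byte, 665 ms more to the last, 56152 bytes.
SAMPLE = [
    Pkt(0.0000, CLIENT, "S", 0, 0),
    Pkt(0.0014, CLIENT, "A", 1, 0),        # completes the handshake
    Pkt(0.0015, CLIENT, "PA", 1, 412),     # HTTP request
    Pkt(0.5955, CLIENT, "A", 1461, 0),     # first response data ACKed
    Pkt(0.8000, CLIENT, "A", 20441, 0),
    Pkt(1.0500, CLIENT, "A", 40001, 0),
    Pkt(1.2605, CLIENT, "A", 56153, 0),    # last data byte ACKed
    Pkt(1.2610, CLIENT, "FA", 56153, 0),
]
```

Running `analyse_stream(SAMPLE, CLIENT, SERVER)` gives the same split as the analysis above: roughly 0.59 s waiting on the server and 0.67 s moving 56152 bytes, so about half and half.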


------------------------------

Message: 4
Date: Mon, 10 Nov 2008 10:33:58 +0000
From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Subject: Re: [Wireshark-users] Not need to save packet data
To: "adisak@xxxxxxxxxxx" <adisak@xxxxxxxxxxx>,	Community support list
	for Wireshark <wireshark-users@xxxxxxxxxxxxx>
Message-ID: <3B15585E-4FAD-4399-ADF9-A4C85A46D86F@xxxxxxxxx>
Content-Type: text/plain; charset="utf-8"

Hi,

Since Wireshark is intended for deep level packet inspection this may  
not be the right tool for you. Have a look at the tools page on the  
wiki, for instance at ntop.

Thanx,
Jaap

Sent from my iPhone

------------------------------

End of Wireshark-users Digest, Vol 30, Issue 17
***********************************************