Wireshark-users: Re: [Wireshark-users] Intermittent Performance Problems
From: "Cyril Spiro" <spiroc@xxxxxxxxxxxxxxx>
Date: Tue, 11 Nov 2008 21:21:57 -0500
First of all, thanks to those who responded to my last post. The answers were very helpful in educating me on interpreting the Wireshark output. The last example was a random sample of a TCP stream which indicated a 1.3 second duration from SYN to FIN ACK, with about 50% of the time used for server processes and 50% for transporting data via the network. These durations were within tolerable limits.

In this new attached example, the user pointed us to a specific incident which took 5 seconds between the time that he clicked the submit button on the webpage and the screen refreshed. We confirmed the user's statement with the Wireshark output. The question is why? Can anyone see from the attached report what could have caused the delay? Note that this capture was exclusively for data between the user's PC and the server. We have the full tcpdump file for the day for the user's PC, but it is very large (33MB). Also, please note that when the user submitted data in the same HTML form at different times of the day the duration was consistently significantly shorter (<1s) and within tolerable limits. So, it appears that something unique happened during the attached example.

In summary, users are complaining that this intermittent slowness is frustrating to them and the attached example is a rare glimpse into one of these events. The most important question to answer at this time is: can we tell if the delay is being caused by the server or by the network?
Thanks in advance for your help,
spiroc

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of wireshark-users-request@xxxxxxxxxxxxx
Sent: Monday, November 10, 2008 5:42 AM
To: wireshark-users@xxxxxxxxxxxxx
Subject: Wireshark-users Digest, Vol 30, Issue 17

Send Wireshark-users mailing list submissions to wireshark-users@xxxxxxxxxxxxx

To subscribe or unsubscribe via the World Wide Web, visit https://wireshark.org/mailman/listinfo/wireshark-users or, via email, send a message with subject or body 'help' to wireshark-users-request@xxxxxxxxxxxxx

You can reach the person managing the list at wireshark-users-owner@xxxxxxxxxxxxx

When replying, please edit your Subject line so it is more specific than "Re: Contents of Wireshark-users digest..."

Today's Topics:

1. Not need to save packet data (Adisak)
2. Re: Not need to save packet data (j.snelders@xxxxxxxxxx)
3. Re: Intermittent Performance Problems on (Martin Visser)
4. Re: Not need to save packet data (Jaap Keuter)

----------------------------------------------------------------------

Message: 1
Date: Mon, 10 Nov 2008 08:34:32 +0700
From: "Adisak" <adisak@xxxxxxxxxxx>
Subject: [Wireshark-users] Not need to save packet data
To: "'Community support list for Wireshark'" <wireshark-users@xxxxxxxxxxxxx>
Message-ID: <200811100136.mAA1aMBV026303@xxxxxxxxxxxxxxx>
Content-Type: text/plain; charset="us-ascii"

Hi all,

I'm very new to Wireshark. I downloaded and started using Wireshark a few days ago. I'll use Wireshark in my company to check the traffic of the proxy server. But I'd like to collect only the time, IP address (both source and destination), protocol type and information. There is no need to save the packet data, because the log file will grow big in a short time. I've been trying to set this up in Wireshark for 2 days but I can't. Does anyone have an idea for my question?

P.S. I used Wireshark on Windows.

Best Regards,
Adisak

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.wireshark.org/lists/wireshark-users/attachments/20081110/ee6f18e8/attachment.html

------------------------------

Message: 2
Date: Mon, 10 Nov 2008 06:20:26 +0100
From: j.snelders@xxxxxxxxxx
Subject: Re: [Wireshark-users] Not need to save packet data
To: adisak@xxxxxxxxxxx, "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
Message-ID: <481B206B000A3AFE@xxxxxxxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset="US-ASCII"

Hi Adisak,

You can use the option: Limit each packet to 68 bytes. You'll find it at Capture -> Capture Options.

Thanks
Joan

------------------------------

Message: 3
Date: Mon, 10 Nov 2008 16:30:21 +1100
From: "Martin Visser" <martinvisser99@xxxxxxxxx>
Subject: Re: [Wireshark-users] Intermittent Performance Problems on
To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
Message-ID: <b3739b0c0811092130s45347b93va3d53d24f51f044b@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset=UTF-8

Cyril,

Rather than sending the text output, it is probably more useful to send the pcap capture file (unless you have private data you need to obscure).

Only seeing one side makes it a little hard (make sure the filter includes client and server as both source and destination); however, what can be gleaned is:

1. The connection response (3-way handshake SYN/SYN-ACK/ACK) is 1.4ms (packet 1822-1821). This indicates your server is physically close and the TCP stack is responsive.

2. Your client issued an HTTP GET straight after (packet 1823) and then ACKed the first bytes from the server response in less than 594ms (packet 1839 - 1823). More than likely your server won't start sending data until it has finished the backend database server transaction, but that is totally dependent on how your web app is built. So it is likely this is your server processing time.

3. You received the last byte from that stream sometime before packet 1873. Thus the time from first byte to last byte received is approximately 665ms. This is the time of flight of your received data. The ACKs show that you received 56152 bytes in that time, thus your throughput was 84430 Bps or 675Kbps. This may be good or bad depending on your network pipe between client and servers and how much concurrent usage occurred.

So for your transaction I would conclude around half of the time was backend processing (the 594ms) and half simply filling the available pipe with your data (the 665ms).

(Note at packet 95288 you reused the TCP port 2398 some hours later - so this is from another session to the first.)

Regards,
Martin

On Mon, Nov 10, 2008 at 1:04 AM, Cyril Spiro <spiroc@xxxxxxxxxxxxxxx> wrote:
> Ryan,
>
> Thank you for your response.
>
> I have followed your recommendation and taken a snapshot of one TCP stream during a period when the users stated the intranet-based web application was slow.
>
> Attached is a sample of one TCP stream which took 1.3 seconds. I provide this as an example for assistance in interpreting the Wireshark results.
>
> What surprised me is that all packets indicate communication from 192.168.0.221 (client) to 192.168.0.150 (server) and none in the other direction.
>
> Again, our goal is to know if this screen rendering took 1.3 seconds because the server was busy processing the request (database calls, etc.) or if the network was jammed outside of the server.
>
> Any insight that you can provide on how to read the results in order to answer this question is much appreciated.
>
> spiroc
>
> -----Original Message-----
> From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of wireshark-users-request@xxxxxxxxxxxxx
> Sent: Thursday, November 06, 2008 7:12 PM
> To: wireshark-users@xxxxxxxxxxxxx
> Subject: Wireshark-users Digest, Vol 30, Issue 11
>
> Today's Topics:
>
> 1. Re: tshark creates files in temp dir (j.snelders@xxxxxxxxxx)
> 2. Re: tshark creates files in temp dir (Al Aghili)
> 3. Re: tshark creates files in temp dir (Stephen Fisher)
> 4. Re: tshark creates files in temp dir (Al Aghili)
> 5. Re: tshark creates files in temp dir (Stephen Fisher)
> 6. Re: tshark creates files in temp dir (Guy Harris)
> 7. Re: tshark creates files in temp dir (Al Aghili)
> 8. Re: Intermittent Performance Problems on Intranet (Ryan Zuidema)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 6 Nov 2008 21:26:45 +0100
> From: j.snelders@xxxxxxxxxx
> Subject: Re: [Wireshark-users] tshark creates files in temp dir
> To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
> Message-ID: <481B3765000A0AD6@xxxxxxxxxxxxxxxxxxxxxxxxxx>
> Content-Type: text/plain; charset="US-ASCII"
>
> Hi Al,
>
> I think that you have to define an output file:
> $ tshark -i 2 -w output.cap
>
> HTH
> Joan
>
> On Thu, 6 Nov 2008 10:39:32 -0700 Al Aghili wrote:
>> Subject: [Wireshark-users] tshark creates files in temp dir
>>
>> Hi,
>> When we run tshark on windows it sometimes creates these large files in
>> Windows/temp directory that start with "ether". Is there a way to turn
>> this off?
>>
>> Thanks
>> Al
>
> ------------------------------
>
> Message: 2
> Date: Thu, 6 Nov 2008 14:08:19 -0700
> From: "Al Aghili" <aaghili@xxxxxxxxxxxxxxxxxx>
> Subject: Re: [Wireshark-users] tshark creates files in temp dir
> To: "'Community support list for Wireshark'" <wireshark-users@xxxxxxxxxxxxx>
> Message-ID: <00b601c94053$cf285540$2602a8c0@AlDell01>
> Content-Type: text/plain; charset="us-ascii"
>
> Hi,
> We're running tshark with the following command.
> tshark -i 2 -V -l
>
> Then we read the standard out so we don't want to create an output file.
>
> Thanks
> Al
>
> ------------------------------
>
> Message: 3
> Date: Thu, 6 Nov 2008 14:39:25 -0700
> From: Stephen Fisher <stephentfisher@xxxxxxxxx>
> Subject: Re: [Wireshark-users] tshark creates files in temp dir
> To: Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset=us-ascii
>
> On Thu, Nov 06, 2008 at 10:39:32AM -0700, Al Aghili wrote:
>
>> When we run tshark on windows it sometimes creates these large files
>> in Windows/temp directory that start with "ether". Is there a way to
>> turn this off?
>
> These files are used for temporarily storing captured data for the session that you run tshark for. They should be deleted when tshark is closed and able to quit gracefully. They cannot be turned off. What version of tshark/Wireshark are you using? How are you stopping tshark?
>
> Steve
>
> ------------------------------
>
> Message: 4
> Date: Thu, 6 Nov 2008 16:01:40 -0700
> From: "Al Aghili" <aaghili@xxxxxxxxxxxxxxxxxx>
> Subject: Re: [Wireshark-users] tshark creates files in temp dir
> To: "'Community support list for Wireshark'" <wireshark-users@xxxxxxxxxxxxx>
> Message-ID: <00c201c94063$a2dc8230$2602a8c0@AlDell01>
> Content-Type: text/plain; charset="us-ascii"
>
> We're stopping it by killing the tshark process through a kill command which I would think is not graceful. How do you recommend killing tshark programmatically?
>
> Thanks
> Al
>
> ------------------------------
>
> Message: 5
> Date: Thu, 6 Nov 2008 16:24:58 -0700
> From: Stephen Fisher <stephentfisher@xxxxxxxxx>
> Subject: Re: [Wireshark-users] tshark creates files in temp dir
> To: Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset=us-ascii
>
> On Thu, Nov 06, 2008 at 04:01:40PM -0700, Al Aghili wrote:
>
>> We're stopping it by killing the tshark process through a kill command
>> which I would think is not graceful. How do you recommend killing
>> tshark programmatically?
>
> I assume you're using some sort of Unix? In that case, SIGTERM (15), SIGINT (2) and SIGHUP (1) are caught and should result in a graceful shutdown of tshark. A SIGKILL (9) is not catchable and forces tshark to quit immediately. Which are you using?
>
> Steve
>
> ------------------------------
>
> Message: 6
> Date: Thu, 6 Nov 2008 15:53:21 -0800
> From: Guy Harris <guy@xxxxxxxxxxxx>
> Subject: Re: [Wireshark-users] tshark creates files in temp dir
> To: Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
> Message-ID: <7EA5C406-16B1-4425-969B-87EC2FB1BFD3@xxxxxxxxxxxx>
> Content-Type: text/plain; charset=WINDOWS-1252; format=flowed; delsp=yes
>
> On Nov 6, 2008, at 9:39 AM, Al Aghili wrote:
>
>> When we run tshark on windows it sometimes creates these large files
>> in Windows/temp directory that start with "ether". Is there a way to
>> turn this off?
>
> Currently, no. TShark runs dumpcap to do the traffic capture, and currently, if you run it without the "-w" flag, tells dumpcap to write to a temporary file, and reads from the temporary file.
>
> At some point it should be changed to, in that case, have dumpcap write the packets on a pipe, and read from the pipe.
>
> When you terminate TShark with ^C, then it should get rid of the file. Is the problem that the file exists while the capture is being done (in which case there's currently nothing you can do to stop it), or that the file remains around after you terminate TShark?
>
> ------------------------------
>
> Message: 7
> Date: Thu, 6 Nov 2008 16:59:18 -0700
> From: "Al Aghili" <aaghili@xxxxxxxxxxxxxxxxxx>
> Subject: Re: [Wireshark-users] tshark creates files in temp dir
> To: "'Community support list for Wireshark'" <wireshark-users@xxxxxxxxxxxxx>
> Message-ID: <00c701c9406b$aeec7460$2602a8c0@AlDell01>
> Content-Type: text/plain; charset="us-ascii"
>
> Guy,
> I think we may have to manually delete the files after we kill the tshark process. That was the problem I think. There were files left over because we are killing the process programmatically (not ^C).
>
> In a high traffic environment these files tend to get very big. So your solution to write the packets on a pipe might work best in the future.
>
> At the same time if that increases the RAM consumption then that's a bigger problem because right now it's on disk.
>
> Thanks for the help.
>
> Al
>
> ------------------------------
>
> Message: 8
> Date: Thu, 6 Nov 2008 17:13:14 -0700
> From: "Ryan Zuidema" <Ryan.Zuidema@xxxxxxxxxxx>
> Subject: Re: [Wireshark-users] Intermittent Performance Problems on Intranet
> To: "'Community support list for Wireshark'" <wireshark-users@xxxxxxxxxxxxx>
> Message-ID: <000d01c9406d$a0661f70$e1325e50$@Zuidema@xxxxxxxxxxx>
> Content-Type: text/plain; charset="us-ascii"
>
> Spiro,
>
> Yes that is exactly what Wireshark is good for, and for a beginner that is an excellent place to start. You will want to capture off of a mirrored/span port to begin with if possible. Running a live capture on the server could use up more resources, and potentially give you a false reading. If you have to capture on the server, you will need to run a simultaneous capture on an affected client as well.
>
> Take a capture and pay attention to the timing between request and response from the server.
>
> Ryan Zuidema
>
> From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Cyril Spiro
> Sent: 2008-11-06 07:04
> To: wireshark-users@xxxxxxxxxxxxx
> Subject: [Wireshark-users] Intermittent Performance Problems on Intranet
>
> Hi, I'm a newbie to Wireshark :)
>
> Our users on our Intranet are stating that their Web Application can get slow at times. If we run Wireshark on the Web server can we use it to determine if the packets are being slowed down once they have gotten in the Web server (ie, slow database calls, etc.) versus outside of the Web server on the network?
>
> Thanks,
>
> spiroc
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: http://www.wireshark.org/lists/wireshark-users/attachments/20081106/7832f296/attachment.htm
>
> ------------------------------
>
> End of Wireshark-users Digest, Vol 30, Issue 11
> ***********************************************

--
Regards, Martin
MartinVisser99@xxxxxxxxx

------------------------------

Message: 4
Date: Mon, 10 Nov 2008 10:33:58 +0000
From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Subject: Re: [Wireshark-users] Not need to save packet data
To: "adisak@xxxxxxxxxxx" <adisak@xxxxxxxxxxx>, Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
Message-ID: <3B15585E-4FAD-4399-ADF9-A4C85A46D86F@xxxxxxxxx>
Content-Type: text/plain; charset="utf-8"

Hi,

Since Wireshark is intended for deep level packet inspection this may not be the right tool for you. Have a look at the tools page on the wiki, for instance at ntop.

Thanx,
Jaap

Sent from my iPhone

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.wireshark.org/lists/wireshark-users/attachments/20081110/2e610c78/attachment.htm

------------------------------

_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-users

End of Wireshark-users Digest, Vol 30, Issue 17
***********************************************
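The timing breakdown Martin applies by hand (handshake RTT, request-to-first-byte as server think time, first-to-last-byte as network transfer time, plus the caveat that a reused client port hours later is a different session) can be scripted. The block below is an added example, not code from the thread or from Wireshark; the packet records, endpoint strings and timings are constructed to mirror the numbers quoted above, and the Pkt fields and function names are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Pkt:
    """One TCP segment as read off a capture (timestamps in seconds)."""
    t: float       # capture timestamp
    src: str       # "ip:port" of the sender
    dst: str       # "ip:port" of the receiver
    flags: str     # TCP flag letters, e.g. "S", "SA", "A", "PA"
    payload: int   # TCP payload length in bytes

def split_streams(pkts: List[Pkt]) -> List[List[Pkt]]:
    """Group segments by endpoint pair. A fresh SYN on an already seen pair
    opens a new stream, so a client port reused hours later (the thread's
    packet 95288 case) is not merged into the earlier session."""
    current: Dict[tuple, List[Pkt]] = {}
    streams: List[List[Pkt]] = []
    for p in sorted(pkts, key=lambda x: x.t):
        key = tuple(sorted((p.src, p.dst)))
        if p.flags == "S" or key not in current:
            current[key] = []
            streams.append(current[key])
        current[key].append(p)
    return streams

def breakdown(stream: List[Pkt], client: str, server: str) -> Dict[str, object]:
    """Split one request/response into handshake RTT, server think time
    (request sent -> first response byte, spent inside the server) and
    transfer time (first -> last response byte, spent on the network)."""
    syn = next(p for p in stream if p.src == client and p.flags == "S")
    synack = next(p for p in stream if p.src == server and p.flags == "SA" and p.t >= syn.t)
    request = next(p for p in stream if p.src == client and p.payload > 0 and p.t >= synack.t)
    data = [p for p in stream if p.src == server and p.payload > 0 and p.t >= request.t]
    if not data:  # one-sided capture: Martin's point about filtering both directions
        raise ValueError("no server payload seen: capture both directions")
    nbytes = sum(p.payload for p in data)
    think = data[0].t - request.t
    transfer = data[-1].t - data[0].t
    return {
        "handshake_ms": (synack.t - syn.t) * 1000,
        "server_think_ms": think * 1000,
        "transfer_ms": transfer * 1000,
        "bytes": nbytes,
        "throughput_bps": nbytes * 8 / transfer if transfer > 0 else 0.0,
        "dominant": "server" if think > transfer else "network",
    }

# Constructed sample endpoints (client port 2398 as in the thread); not the list's capture.
C, S = "192.168.0.221:2398", "192.168.0.150:80"

def sample_capture() -> List[Pkt]:
    """Constructed: 1.4 ms handshake, 594 ms until the first response byte,
    56152 bytes delivered over 665 ms, then the same client port reused later."""
    pkts = [Pkt(0.0, C, S, "S", 0), Pkt(0.0014, S, C, "SA", 0),
            Pkt(0.0015, C, S, "A", 0), Pkt(0.0016, C, S, "PA", 310)]
    sizes = [1460] * 38 + [56152 - 1460 * 38]      # 39 segments, 56152 bytes total
    first = 0.0016 + 0.594
    step = 0.665 / (len(sizes) - 1)
    for i, n in enumerate(sizes):
        pkts.append(Pkt(first + i * step, S, C, "PA", n))
    pkts += [Pkt(7200.0, C, S, "S", 0), Pkt(7200.002, S, C, "SA", 0)]  # port reuse, 2h later
    return pkts

if __name__ == "__main__":
    streams = split_streams(sample_capture())
    print(f"{len(streams)} streams found")
    for k, v in breakdown(streams[0], C, S).items():
        print(f"{k:>16}: {v}")
```

The "dominant" field is only a which-half-is-larger heuristic; as Martin notes, a near-even split means both the backend and the pipe deserve a look.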