Wireshark-users: Re: [Wireshark-users] newbie question

From: Tim Takata <tim.takata@xxxxxxxxx>
Date: Thu, 25 Feb 2010 15:27:22 -0800
and oh if you haven't already and your devices allow tracert, try running a trace route to see if there are any devices in route with a higher response
time, could help id the bottle neck if its not your web server. cheers, tim

On 2/25/2010 1:54 PM, Tony Manetta wrote:
lets try that again...here are the frames

No.     Time        Source                Destination           Protocol
Info
      248 14.550042   192.168.1.44          24.92.226.11
TCP      [TCP Retransmission] [TCP segment of a reassembled PDU]

Frame 248 (1078 bytes on wire, 1078 bytes captured)
Ethernet II, Src: Sony_d9:95:99 (00:1a:80:d9:95:99), Dst: Cisco_d0:4f:11
(00:24:14:d0:4f:11)
Internet Protocol, Src: 192.168.1.44 (192.168.1.44), Dst: 24.92.226.11
(24.92.226.11)
Transmission Control Protocol, Src Port: 50748 (50748), Dst Port: http
(80), Seq: 190, Ack: 26, Len: 1024
      Source port: 50748 (50748)
      Destination port: http (80)
      [Stream index: 8]
      Sequence number: 190    (relative sequence number)
      [Next sequence number: 1214    (relative sequence number)]
      Acknowledgement number: 26    (relative ack number)
      Header length: 20 bytes
      Flags: 0x18 (PSH, ACK)
      Window size: 16688
      Checksum: 0x4ef6 [validation disabled]
      [SEQ/ACK analysis]
          [Number of bytes in flight: 1024]
          [TCP Analysis Flags]
              [This frame is a (suspected) retransmission]
                  [Expert Info (Note/Sequence): Retransmission (suspected)]
                      [Message: Retransmission (suspected)]
                      [Severity level: Note]
                      [Group: Sequence]
              [The RTO for this segment was: 0.294203000 seconds]
              [RTO based on delta from frame: 246]
      [Reassembled PDU in frame: 246]
      TCP segment data (1024 bytes)

No.     Time        Source                Destination           Protocol
Info
      249 14.550713   24.92.226.11          192.168.1.44
HTTP     [TCP Retransmission] HTTP/1.1 100 Continue

Frame 249 (79 bytes on wire, 79 bytes captured)
Ethernet II, Src: Cisco_d0:4f:11 (00:24:14:d0:4f:11), Dst: Sony_d9:95:99
(00:1a:80:d9:95:99)
Internet Protocol, Src: 24.92.226.11 (24.92.226.11), Dst: 192.168.1.44
(192.168.1.44)
Transmission Control Protocol, Src Port: http (80), Dst Port: 50748
(50748), Seq: 1, Ack: 190, Len: 25
      Source port: http (80)
      Destination port: 50748 (50748)
      [Stream index: 8]
      Sequence number: 1    (relative sequence number)
      [Next sequence number: 26    (relative sequence number)]
      Acknowledgement number: 190    (relative ack number)
      Header length: 20 bytes
      Flags: 0x18 (PSH, ACK)
      Window size: 260
      Checksum: 0x53fb [validation disabled]
      [SEQ/ACK analysis]
          [Number of bytes in flight: 25]
          [TCP Analysis Flags]
              [This frame is a (suspected) retransmission]
                  [Expert Info (Note/Sequence): Retransmission (suspected)]
                      [Message: Retransmission (suspected)]
                      [Severity level: Note]
                      [Group: Sequence]
              [The RTO for this segment was: 0.294992000 seconds]
              [RTO based on delta from frame: 245]
Hypertext Transfer Protocol
      HTTP/1.1 100 Continue\r\n
          [Expert Info (Chat/Sequence): HTTP/1.1 100 Continue\r\n]
              [Message: HTTP/1.1 100 Continue\r\n]
              [Severity level: Chat]
              [Group: Sequence]
          Request Version: HTTP/1.1
          Response Code: 100
      \r\n

No.     Time        Source                Destination           Protocol
Info
      250 14.550738   192.168.1.44          24.92.226.11
TCP      [TCP Dup ACK 248#1] 50748>  http [ACK] Seq=1214 Ack=26
Win=16688 Len=0 SLE=1 SRE=26

Frame 250 (66 bytes on wire, 66 bytes captured)
Ethernet II, Src: Sony_d9:95:99 (00:1a:80:d9:95:99), Dst: Cisco_d0:4f:11
(00:24:14:d0:4f:11)
Internet Protocol, Src: 192.168.1.44 (192.168.1.44), Dst: 24.92.226.11
(24.92.226.11)
Transmission Control Protocol, Src Port: 50748 (50748), Dst Port: http
(80), Seq: 1214, Ack: 26, Len: 0
      Source port: 50748 (50748)
      Destination port: http (80)
      [Stream index: 8]
      Sequence number: 1214    (relative sequence number)
      Acknowledgement number: 26    (relative ack number)
      Header length: 32 bytes
      Flags: 0x10 (ACK)
      Window size: 16688
      Checksum: 0x1126 [validation disabled]
      Options: (12 bytes)
      [SEQ/ACK analysis]
          [This is an ACK to the segment in frame: 249]
          [The RTT to ACK the segment was: 0.000025000 seconds]
          [TCP Analysis Flags]
              [This is a TCP duplicate ack]
          [Duplicate ACK #: 1]
          [Duplicate to the ACK in frame: 248]
              [Expert Info (Note/Sequence): Duplicate ACK (#1)]
                  [Message: Duplicate ACK (#1)]
                  [Severity level: Note]
                  [Group: Sequence]
__________________________________________________________________

Tony Manetta, MBA, MCP
Supervisor of Networking Technology and Services
UDSMR
716-817-7850 (office)
716-479-6258 (mobile)

On 2/25/2010 4:54 PM, Tony Manetta wrote:
Hi

just tried using wireshark to see if a network issue is causing sever
slowness when logging into a web server....i'm having issues
understanding the output of the trace...can anyone help?  when i login
locally, the login time is approximately 4 seconds but when i login
across the web, it's over 25 seconds which is unacceptable.  if this
isnt appropriate use of this list, i apologize in advance....below are
3 frames which first start showing up as issues in  my capture...any
ideas are greatly appreciated....



___________________________________________________________________________
Sent via:    Wireshark-users mailing list<wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
              mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe