0

Need help analyzing Wireshark captures


I have a couple of captures I need some assistance reading, and deciding where to start looking to fix my issue. I have a site that runs an application, and during the normal process it takes around 5 seconds to complete a transaction. When the main connection to Corporate goes down, my time jumps to 2 minutes to complete, and other sites only increase to 25 seconds. There are 3 servers involved, of which 1 is at Corp and is where the app server posts data. So I access Server 1 through a webpage (local onsite). Server 1 is a proxy that passes the traffic to an SQL app server (local onsite) where the app runs the transactions. The app server posts the final transaction to Server 3 (offsite Corp) when complete. There is a 20 second (25 seconds expected total) def app timeout built in for the SQL server to post to Server 3. Can anyone assist by pointing me to some filters, etc., and guide me where to look to find the possible cause of the extra 1.5-2 minutes in time for transactions?

Thanks in Advance

rmsdip3 (1)
asked 2020-02-28 21:07:05 +0000

Comments

Can you anonymize one of the captures, upload to a public file sharing site and post a link to it here?

Chuckc (2020-02-28 21:26:52 +0000)

This is my first capture. How do I anonymize it?

Thanks

rmsdip3 (2020-02-29 21:55:23 +0000)

Trace Wrangler (https://www.tracewrangler.com/) is one way.

SF18US - 13: Practical Tracewrangling (Jasper Bongertz)
https://www.youtube.com/watch?v=7tGfy...

https://blog.packet-foo.com/tag/trace...

Chuckc (2020-03-01 05:23:40 +0000)

I have uploaded the files to the following. I have included 4 files: 2 from the client side and 2 from the switch attached to the server side, covering normal operation and during our so-called outage. Thanks for any insight.

https://drive.google.com/open?id=1chc...

rmsdip3 (2020-03-02 16:11:45 +0000)

Anyone? Thanks again. Any help appreciated.

rmsdip3 (2020-03-06 12:09:52 +0000)

1 Answer

0

It's a little hard to say without knowing exactly what is going on, but what I find interesting is that if you look at the conversations that happen on TCP port 85, you can see that one side (172.29.77.183) is sending data that gets acknowledged (usually a 54 byte packet from 172.22.242.89), but then it takes at least 1 second to send the answer back each time (easy to find by looking for the TCP push flag, also from 172.22.242.89). In the case of the bad connection I've seen up to 19 seconds delay between the ACK and the PSH ACK.

It looks to me like the application processing time on 172.22.242.89 is really not that good (= performing well). From my gut feeling it looks more like a delay on that node than a network problem. Also, seeing TCP Keep-Alive packets is an indicator one node is waiting for the other.

To further investigate the non-anonymized packets I'd recommend you isolate the TCP conversations one by one (either via right click -> Conversation Filter -> TCP, or via Statistics -> Conversations -> right click). You should add a column "Delta Time Displayed" to your setup (unless you already have it, of course) and track where the delays are for each TCP connection.


Jasper (24.1k)
answered 2020-03-06 14:45:03 +0000, updated 2020-03-06 14:45:58 +0000
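As an added example (not part of Jasper's answer or the original thread), the following Python script automates the check described above: it groups a tshark-style field dump by TCP conversation with the app server on port 85 and measures the gap between the server's bare ACK of a request and the PSH/ACK that carries the reply. The hosts and port come from the thread; the packet timings, client ports and the field layout are constructed for illustration.

```python
"""Per TCP conversation with the app server, measure the delay between the
server's bare ACK of a client request and the server's PSH/ACK reply."""
from collections import defaultdict

# Constructed sample in the shape of `tshark -T fields` with the fields
#   frame.time_relative ip.src tcp.srcport ip.dst tcp.dstport tcp.flags.push tcp.len
# Hosts and port 85 come from the thread; timings and client ports are invented.
SAMPLE = """\
0.000 172.29.77.183 51000 172.22.242.89 85 0 0
0.010 172.29.77.183 51000 172.22.242.89 85 1 312
0.012 172.22.242.89 85 172.29.77.183 51000 0 0
1.215 172.22.242.89 85 172.29.77.183 51000 1 480
1.216 172.29.77.183 51000 172.22.242.89 85 0 0
5.300 172.29.77.183 51001 172.22.242.89 85 1 290
5.302 172.22.242.89 85 172.29.77.183 51001 0 0
24.310 172.22.242.89 85 172.29.77.183 51001 1 512
"""
SERVER = ("172.22.242.89", 85)

def parse(text):
    """Field dump -> list of (time, src endpoint, dst endpoint, psh, payload length)."""
    rows = []
    for line in text.splitlines():
        t, src, sp, dst, dp, psh, ln = line.split()
        rows.append((float(t), (src, int(sp)), (dst, int(dp)), psh == "1", int(ln)))
    return rows

def response_delays(rows, server=SERVER):
    """Map each client endpoint to its list of ACK -> PSH/ACK gaps in seconds."""
    convs = defaultdict(list)
    for t, src, dst, psh, ln in rows:               # group by the client endpoint
        convs[dst if src == server else src].append((t, src == server, psh, ln))
    result = {}
    for client, pkts in convs.items():
        gaps, request_seen, ack_time = [], False, None
        for t, from_server, psh, ln in pkts:
            if not from_server and ln > 0:                   # client sends request data
                request_seen, ack_time = True, None
            elif from_server and ln == 0 and request_seen and ack_time is None:
                ack_time = t                                 # bare ACK (the 54-byte packet)
            elif from_server and psh and ln > 0 and ack_time is not None:
                gaps.append(round(t - ack_time, 3))          # reply arrives: app processing time
                request_seen, ack_time = False, None
        result[client] = gaps
    return result

def slow_conversations(delays, threshold=1.0):
    """Keep only conversations with at least one gap at or above threshold seconds."""
    return {c: g for c, g in delays.items() if max(g, default=0) >= threshold}
```

Run against a real dump, conversations returned by `slow_conversations` are the ones worth isolating with the Conversation Filter and a Delta Time Displayed column.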

Comments

