Tuesday, 9 August 2016

Identifying / analyzing network congestion with Wireshark

Wireshark can be an invaluable tool when troubleshooting network congestion (or network problems in general!). Below I have outlined several methods that can help narrow down the cause of congestion.

Protocol Breakdown

Quite often network congestion is caused by a host flooding the network with packets (think broadcast storms, routing loops, etc.). An easy way to get an overview of protocol use, and potentially identify a protocol that is consuming the vast majority of the bandwidth, is the 'Protocol Hierarchy' feature, which breaks the capture down by protocol and shows how much of the traffic each one accounts for. This feature can be accessed from: Statistics >> Protocol Hierarchy.

Protocol Errors

More often than not in a congested network you will come across TCP Dup ACKs, among other things. A convenient way to get an overview of all protocol errors is to go to: Analyze >> Expert Information. If you are experiencing congestion you will most likely see a high proportion of TCP segment related errors, although there are also plenty of other protocol messages you can look for, such as ICMP error messages.

IO Graph

One of my favorite methods is the IO Graph, which, simply put, graphically maps out the throughput / number of packets over a given period of time and contrasts it against a specific filter, for example TCP error messages. This can be accessed via Statistics >> IO Graph.

Measuring Latency

We can also view the latency of a request by right-clicking on a column header and selecting Column Preferences >> hit the + button, then specify something like 'Latency' for the column title and 'Delta Time' for the column type.
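To make the Protocol Hierarchy breakdown and the Delta Time column above concrete without the GUI, here is an added example (not from the original post) that parses a classic little-endian pcap with the Python standard library, tallies packets and bytes per protocol path, and computes the per-frame delta time. The capture is constructed inline (two ARP broadcasts around a TCP and a UDP frame); the pcap builder, frame helpers and frame contents are assumptions made for the example.

```python
import struct
from collections import defaultdict

# Constructed sample traffic (not a real capture): ARP broadcasts around a TCP and a UDP frame.
BCAST, SRC = b"\xff" * 6, b"\x00\x11\x22\x33\x44\x55"

def ipv4(proto, payload):
    # Minimal 20-byte IPv4 header (no options, checksum left zero) in front of payload.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + payload
def frame(dst, ethertype, payload):
    return dst + SRC + struct.pack("!H", ethertype) + payload
FRAMES = [
    (0.000, frame(BCAST, 0x0806, b"\x00" * 28)),          # ARP request
    (0.010, frame(SRC, 0x0800, ipv4(6, b"\x00" * 40))),   # IPv4 / TCP
    (0.012, frame(SRC, 0x0800, ipv4(17, b"\x00" * 40))),  # IPv4 / UDP
    (0.512, frame(BCAST, 0x0806, b"\x00" * 28)),          # ARP request, 500 ms later
]
def build_pcap(frames):
    # Classic pcap: 24-byte global header (magic, v2.4, link type 1 = Ethernet), then records.
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, data in frames:
        out += struct.pack("<IIII", int(ts), round((ts - int(ts)) * 1e6), len(data), len(data)) + data
    return out
def read_pcap(blob):
    # Yield (timestamp, frame bytes) per record; assumes a little-endian, microsecond pcap.
    pos = 24
    while pos + 16 <= len(blob):
        sec, usec, incl, _orig = struct.unpack("<IIII", blob[pos:pos + 16])
        yield sec + usec / 1e6, blob[pos + 16:pos + 16 + incl]
        pos += 16 + incl
def classify(data):
    # Protocol path of a frame, in the style of Wireshark's Protocol Hierarchy rows.
    ethertype = struct.unpack("!H", data[12:14])[0]
    if ethertype == 0x0806:
        return "eth:arp"
    if ethertype == 0x0800:  # IPv4: protocol number is byte 9 of the IP header
        return "eth:ip:" + {1: "icmp", 6: "tcp", 17: "udp"}.get(data[14 + 9], "other")
    return "eth:other"
def protocol_hierarchy(blob):
    # (packets, bytes) per protocol path; a path that dominates this table is the suspect.
    stats = defaultdict(list)
    for _ts, data in read_pcap(blob):
        stats[classify(data)].append(len(data))
    return {path: (len(sizes), sum(sizes)) for path, sizes in stats.items()}
def delta_times(blob):
    # Seconds since the previous frame, i.e. the value Wireshark's 'Delta Time' column shows.
    times = [ts for ts, _ in read_pcap(blob)]
    return [round(b - a, 6) for a, b in zip(times, times[1:])]
```

On a real capture, pass the bytes of a .pcap file saved by Wireshark to protocol_hierarchy() and delta_times() instead of build_pcap(FRAMES); pcapng files use a different container format and are not handled here.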
