AKA SLOWNESS! No one wants to deal with it but how many of us know the root cause of the problem? With Wireshark you can figure out exactly what’s causing your internet connection to crawl.
Here’s the scenario:
Everytime a user tries to access the internet it takes the page forever to download. What’s going on?
You can use Wireshark to gain insight on the problem. You can either start your capture on the host computer itself or configure port-spanning on the Cisco switch to mirror the traffic out an adjacent switchport. But let’s assume you don’t have access to the Cisco switch. Maybe you’re not authorized or you don’t want to bother with switchport configuration on a Cisco switch.
At any given moment a single computer will have multiple TCP connections to various destinations so our first order of business is see the time difference between segments within a single TCP conversation.
Start the packet capture, right click the relevant row in the PDU data pane and mouse down to Protocol preferences.
Make sure Calculate conversation timestamps has check next to it. You might also want to set this up in a new Wireshark profile.
Now if you scroll down in the PDU details pane you’ll see a new section under the Transmission Control Protocol dissector called:
Now we can see the time in seconds since the last TCP segment in the current conversation.
Great, now let’s make it a little easier to read this by adding this valuable data as a new column.
Right click the TCP dissector in the details pane and choose Apply as Column from the popup menu.
The new column appears but it’s a little too long isn’t it?
Time since previous frame in this TCP stream
But let’s rename it to:
That way we’ll know this contains the change (delta) between TCP segments.
Right click the column and choose Edit Column Details…
Great, now double click the column to sort by slowest values and scroll through the output. You’ll quickly see the TCP conversations responsible for the greatest latency.
To start this test for you, I downloaded a program called Netlimiter and installed it on my Windows 8.1 Virtual Machine. Then I manually told Netlimiter to limit all inbound and outbound traffic flows to a wimpy 5kbps. Ha!
So when I started the capture I could easily see the largest offenders.
You can see a segment delta of 941 milliseconds (almost a full second) from a request to download a JPG on 126.96.36.199 (which is fixedbyvonnie.com)
I hope this helps! Leave me your questions, cheers or digital beer in the comments below.