Terms of Use For FixedByVonnie

By proceeding to access fixedByVonnie.com, you expressly acknowledge, and agree to, all of the following:

fixedByVonnie.com is a personal website and blog owned by Security Plus Pro LLC, which is being presented for informational purposes only. The views on this website are solely those of the website owner (and not those of any employer or of any professional associations affiliated with the website owner).  Any views expressed in this website and any information presented on this website, or in any of its blog entries, should not be relied on for any purpose whatsoever other than as the personal opinions of the website owner.  The website owner expressly disclaims any and all liability for any information presented on this site.  The owner of this website and its blog posts shall not be held liable, and shall be held harmless, for any errors or omissions in any information or representations contained in this website, or in any of its blog entries.  The website owner also expressly disclaims any liability for the current or future availability of any such information. The website owner makes no representations as to the accuracy or completeness of any information on this website or which may be found by following any link on this website. The website owner shall not be held liable for any losses, injuries, damages, claims, or causes of action, from the display or use of any information on this website or in any of its blog entries. If you use the information on this website, or on any of its blog entries, you do so solely at your own risk.

Wireshark 300: Curing Latency and Network Slowness - fixedByVonnie

Wireshark 300: Curing Latency and Network Slowness


AKA SLOWNESS!  No one wants to deal with it but how many of us know the root cause of the problem?  With Wireshark you can figure out exactly what’s causing your internet connection to crawl.

Here’s the scenario:

Everytime a user tries to access the internet it takes the page forever to download.  What’s going on?

You can use Wireshark to gain insight on the problem.  You can either start your capture on the host computer itself or configure port-spanning on the Cisco switch to mirror the traffic out an adjacent switchport.  But let’s assume you don’t have access to the Cisco switch.  Maybe you’re not authorized or you don’t want to bother with switchport configuration on a Cisco switch.

At any given moment a single computer will have multiple TCP connections to various destinations so our first order of business is see the time difference between segments within a single TCP conversation.

Start the packet capture, right click the relevant row in the PDU data pane and mouse down to Protocol preferences.

Make sure Calculate conversation timestamps has check next to it.  You might also want to set this up in a new Wireshark profile.

Tracking TCP conversations

Now if you scroll down in the PDU details pane you’ll see a new section under the Transmission Control Protocol dissector called:


TCP timestamps

Now we can see the time in seconds since the last TCP segment in the current conversation.

Great, now let’s make it a little easier to read this by adding this valuable data as a new column.

Right click the TCP dissector in the details pane and choose Apply as Column from the popup menu.

Wireshark TCP Apply as Column


The new column appears but it’s a little too long isn’t it?

It says:

Time since previous frame in this TCP stream

But let’s rename it to:

Segment Delta

That way we’ll know this contains the change (delta) between TCP segments.

Right click the column and choose Edit Column Details…

Changing Column Names

Great, now double click the column to sort by slowest values and scroll through the output.  You’ll quickly see the TCP conversations responsible for the greatest latency.

To start this test for you, I downloaded a program called Netlimiter and installed it on my Windows 8.1 Virtual Machine.  Then I manually told Netlimiter to limit all inbound and outbound traffic flows to a wimpy 5kbps.  Ha!

So when I started the capture I could easily see the largest offenders.

You can see a segment delta of 941 milliseconds (almost a full second) from a request to download a JPG on (which is fixedbyvonnie.com)

Found network Latency

I hope this helps!  Leave me your questions, cheers or digital beer in the comments below.


Connect with Vonnie on Twitter

Posted in Linux, Mac OS X 10.10 Yosemite, Mac OS X 10.8 Mountain Lion, Mac OS X 10.9 Mavericks, What Is, Windows, Windows 10, Windows 7, Windows 8, Windows 8.1, Windows Vista, Windows XP