This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I have a wired home network with 2 Macs and one Windows 7 PC. I have videos on 9 NAS's connected to the network. The network contains a router, which is connected to a cable modem. The NAS's are connected to a switch, which is connected to the router. The PC and Macs are connected to another switch, also connected to the router. The switches are unmanaged. When the Windows 7 PC is connected to the network, Internet speed becomes very slow; when the connection of the PC to the network is broken, Internet speed on the Macs is very fast.

Would Wireshark help diagnose what problem could happening?

asked 19 Dec '10, 17:03

eyeman's gravatar image

eyeman
1111
accept rate: 0%

Drastically slower? It's possible that W7 is just using the available BW, or it's possible that it's trying to act as an internet gateway, only to give up because it's not supposed to be the internet gateway (internet sharing, I believe it's called). But if you capture on W7 as Jaap suggested, you might have a better idea.

(21 Dec '10, 06:46) hansangb

Well, you could Wireshark the network connection of the Windows 7 PC when the problem shows and look at the statistics it reports to see what top talkers are, which end points are involved, etc. That could give you an idea where to look.

permanent link

answered 20 Dec '10, 05:54

Jaap's gravatar image

Jaap ♦
11.7k16101
accept rate: 14%

I am new to Wireshark, but I did run it on the involved W7 PC..most of the capture shows (according to the color scheme) "Bad TCP"....it appears that the W7 is communicating with many different external IP addresses...I am not actively surfing the Web on the W7 PC. I am a noob, and would appreciate some guidance

(21 Dec '10, 07:04) eyeman

Your average PC will be trying to connect to quite a lot of external addresses. Legitimate reasons include accessing DNS to resolve names to IP addresses, and then attempting to update software from Microsoft or other application vendors. However once updates are completed the only activity should be as a result of using applications like web browsers or mail programs.

(21 Dec '10, 17:09) martyvis
1

If you see a lot activity that appears to be to and from external addresses, it could be that your machine infected by some sort of malware (trojan/bot/rootkit). Wireshark will show the activity (probably Statistics:Endpoints is your best bet). If you feel your machine is comprised you might want to seek out a good AV or Spyware scanning software program to check it.

(21 Dec '10, 17:09) martyvis

If the "Bad TCP" you are referring to, it is probably a red herring as a result of you using a TCP offloading driver on your network card. Refer to http://wiki.wireshark.org/TCP_Checksum_Verification

(21 Dec '10, 17:13) martyvis

Martyvis, Jaap, Hansagb

Thanks for your help and suggestions.

The W7 did have some infections, picked up by Avira. I usually run updates and scans with Avira, as well as Malwarebytes Anti-malware; this was the first infection it's picked up in a while. I have the W7 PC disconnected from yhe network while I run another scan, and will Wireshark again tonight

Todd

permanent link

answered 22 Dec '10, 04:07

eyeman's gravatar image

eyeman
1111
accept rate: 0%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×30
×22

question asked: 19 Dec '10, 17:03

question was seen: 4,107 times

last updated: 22 Dec '10, 04:07

p​o​w​e​r​e​d by O​S​Q​A