We have an issue with latency when logging in to our network. It takes between 5-10 minutes from when the computer is started until I am logged in.

I have done a Wireshark capture from the start of the computer until the login process is finished. What is the best way to analyze the traffic to determine the latency? I wish to find out if the latency belongs to LAN switching, applications & protocols, or server traffic (late response).

Our environment is Windows XP 3 (workstation), mixed Novell (file & print) and Microsoft AD. Computers are members of AD.

asked 01 Mar '11, 01:06

AMO

The first things you need to find out are:

  • Is every user's PC affected? Or just a group of users (if so, what do they have in common)? Or one particular PC?
  • Since when does the problem occur (were there any changes)? Or did it slowly creep in?
  • Is the problem there all the time? Or maybe just in the morning when everybody logs in at about the same time?

That will give you an idea of where the problem might lie. And it also will give you clues about what to look for in your trace file. Especially if not all users are affected, a comparison between the trace files of a bad and a good login session is valuable.

When analyzing the trace file at hand, I would look at the following things:

  • File size (Summary window). How much data is exchanged during the login process?
  • Delays. Where do delays between packets occur? Does the client not send any data after receiving data from the server, or does the server receive data and not respond quickly? Add up the individual delays to get an indication whether the client or the server(s) are causing most of the delay.
  • Look for retransmissions. If they occur often, then you may have a network problem like a duplex mismatch somewhere along the line.

It's not easy to give a list of actions to take to pinpoint the problem as there are just too many variables. It's a combination of experience and 'art' to analyze trace files :-)

answered 01 Mar '11, 01:27

SYN-bit ♦♦
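The "add up the individual delays" step from the answer above, as an added example that is not part of the original post. It assumes packet summaries have already been exported from a client-side trace; the addresses, timestamps and the 0.5 s threshold are constructed for illustration.

```python
# Added example: attribute inter-packet gaps to client or server.
# All addresses and timestamps below are constructed sample data.
from collections import defaultdict

CLIENT = "10.0.0.50"  # hypothetical workstation address

# (seconds since capture start, source, destination, summary)
PACKETS = [
    (0.000, "10.0.0.50", "10.0.0.10", "LDAP bindRequest"),
    (0.002, "10.0.0.10", "10.0.0.50", "LDAP bindResponse"),
    (0.003, "10.0.0.50", "10.0.0.20", "SMB Tree Connect Request"),
    (4.503, "10.0.0.20", "10.0.0.50", "SMB Tree Connect Response"),
    (4.504, "10.0.0.50", "10.0.0.20", "SMB Open Request"),
    (4.506, "10.0.0.20", "10.0.0.50", "SMB Open Response"),
    (34.506, "10.0.0.50", "10.0.0.10", "LDAP searchRequest"),
    (34.509, "10.0.0.10", "10.0.0.50", "LDAP searchResponse"),
]

def attribute_delays(packets, client, threshold=0.5):
    """Sum gaps >= threshold, blaming the host that finally sent the packet.

    A gap that ends with a packet from the client means the client sat idle
    after its last exchange; a gap that ends with a packet from a server
    means the client was waiting for that server (network time included,
    because the trace was taken at the client).
    """
    totals = defaultdict(float)
    worst = []
    for prev, cur in zip(packets, packets[1:]):
        gap = cur[0] - prev[0]
        if gap < threshold:
            continue
        who = "client" if cur[1] == client else f"server {cur[1]}"
        totals[who] += gap
        worst.append((round(gap, 3), who, cur[3]))
    worst.sort(reverse=True)  # largest gap first
    return dict(totals), worst

if __name__ == "__main__":
    totals, worst = attribute_delays(PACKETS, CLIENT)
    for who, seconds in sorted(totals.items(), key=lambda kv: -kv[1]):
        print(f"{who:20s} {seconds:8.3f} s")
    for gap, who, summary in worst:
        print(f"{gap:8.3f} s before '{summary}' ({who})")
```
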

Another great feature in Wireshark that helps in your quest is the Service Response Time: (Statistics -> Service Response Time ...)

  • Are the SMB / LDAP / DCE-RPC response times what you expect?
  • Check the service response time from a trace captured close to the server. Most SMB transactions should complete within a millisecond or two.
  • Check the service response time from a trace captured close to the client. This shows the real waiting time for the user.

You might want to check if users wait for the PC to boot (i.e. power on until login box shows) or for the login (i.e. clicked OK, then wait until the desktop is ready).

The time from power on to login box can be identified as follows: First locate the DHCP request (filter bootp) and set a time reference to the DHCP discover or request.

Next, look out for a Kerberos message where the message-type is AS-REQ and the client name is the user. A good filter is kerberos.msg.typ == 10. If the client principal matches the user name, you have identified the time when the user clicked the OK button in the login box.

The time from login to "Desktop ready" can be influenced by a number of factors. Roaming can be a pain if a user decides to keep his collection of ISO images under "My Documents". Another factor to consider is the number of policies that are applied.

NB: The AS-REQ is also shown if a local service is started with the username.

NB2: Depending on your configuration, the login box can show up before all policies are loaded.

answered 01 Mar '11, 07:01

packethunter

edited 29 Jun '17, 07:18

cmaynard ♦♦
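The DHCP-to-AS-REQ timing procedure from the answer above, as an added example that is not part of the original post. The row layout, the account names and the timestamps are constructed, and treating the last packet in the capture as "desktop ready" is an assumption of this example.

```python
# Added example: split a logon capture into boot and login phases.
# Packet rows are constructed; the field layout is an assumption of this example.
USER = "amo"  # hypothetical account name

# (time in s, protocol, message type, client principal or None)
ROWS = [
    (12.0, "DHCP", "Discover", None),
    (12.4, "DHCP", "Request", None),
    (41.0, "KRB5", "AS-REQ", "WS0042$"),   # machine account during boot
    (41.1, "KRB5", "TGS-REQ", None),
    (95.0, "KRB5", "AS-REQ", "AMO"),       # user pressed OK
    (95.2, "KRB5", "TGS-REQ", None),
    (140.0, "KRB5", "AS-REQ", "amo"),      # could be a service running as the user
    (410.0, "SMB", "Close", None),
]

def split_phases(rows, user):
    """Return timings relative to the first DHCP Discover/Request."""
    ref = next((t for t, proto, msg, _ in rows
                if proto == "DHCP" and msg in ("Discover", "Request")), None)
    if ref is None:
        raise ValueError("no DHCP Discover/Request: capture started too late")
    # Every AS-REQ whose client principal is the user, compared without
    # regard to case; the machine account (name ending in '$') is skipped.
    as_reqs = [t for t, proto, msg, cname in rows
               if proto == "KRB5" and msg == "AS-REQ" and cname
               and cname.lower() == user.lower() and t >= ref]
    if not as_reqs:
        raise ValueError("no AS-REQ for this user in the capture")
    login = as_reqs[0]
    return {
        "dhcp_to_login_click": round(login - ref, 3),
        "login_click_to_capture_end": round(rows[-1][0] - login, 3),
        # Later AS-REQs for the same name (see the NB about local services)
        # are reported so the analyst can check which one is the real logon.
        "later_as_reqs": [round(t - ref, 3) for t in as_reqs[1:]],
    }

if __name__ == "__main__":
    for key, value in split_phases(ROWS, USER).items():
        print(f"{key}: {value}")
```
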

The most interesting part is from the point when username and password are entered and OK is pressed. And then look at the packets from that point to desktop ready. I will try to set a time reference.

This latency occurs for several hundred computers. So I do not believe that a collection of huge files under "My Documents" causes the problem. We do not use roaming profiles.

As you mention, I will also try to look at service response time from a trace close to the client. Interesting tip I will try: Statistics -> Service Response Time ...

I appreciate any tip from you.

(01 Mar '11, 12:03) AMO

(converted your "answer" to a "comment" to adhere to the Q&A nature of this site)

(01 Mar '11, 14:13) SYN-bit ♦♦