
I'm writing on behalf of a small school district. In early January, a colleague and I installed 20 Ubiquiti Unifi AP-Pro devices as well as about 20 10/100/1000 HP ProCurve switches. Two schools are connected by Cisco Aironet. Towards the end of January we started experiencing high latency and network drops throughout the district. I am in over my head trying to troubleshoot, and someone pointed me to Wireshark. I don't have any formal education in networking, and looking at the data in Wireshark is intimidating, to say the least. Can anyone help me interpret some of our data to help isolate where our issue might be? If not, is there a good starting point or list of things to do in Wireshark somewhere that would get me going down the right path?

I am thankful for any help.

asked 11 Feb '14, 16:06

tiosend

> I don't have any formal education in networking, and looking at the data in Wireshark is intimidating, to say the least.

I don't want to discourage you, but the kind of problem you are describing requires somebody with a pretty good understanding of the network, protocols and devices (switches, routers, firewalls, servers) in place. Without that knowledge, you will simply be lost, even if you get some hints from me. So, before I give you those hints, I strongly recommend hiring a networking professional to troubleshoot the problem for you.

Now, here are my hints:

  • If the whole network is affected (as you say), it could be a central network component and/or server that all users are trying to use/access. So, first get some detailed reports from the users about what exactly does not work (access to target systems, servers, etc.) and when exactly the problem shows up. If you are lucky, you will find similar reports from different users, which helps to limit your search to a few core components.
  • If the whole network is affected, Wireshark is (usually) the second best thing to start with, because you don't know where to start capturing traffic. Of course, you could try to capture at one of the core components (core switch), but the amount of traffic there is tremendous, and without a profound knowledge of the protocols and networking in general, you will be overwhelmed by that flood of data. Unfortunately, there is no "best practice approach" for every network problem, so even if you have that data from the core network, it would be hard to tell you what to look for. I usually look for 'unusual patterns', but what an unusual pattern looks like is only stored in my brain, created by experience. I don't know how to dump that information in a usable way ;-)

So, to sum it up, here is how I would try to figure out the problem:

  • Talk intensively to different user groups and ask them what kind of problems they experience. When do the problems show up, and what exactly is affected? Don't accept answers like: "The whole network is slower than before."
  • Filter and aggregate the answers. Maybe you'll find a common reason for the problems (central server, central switch, DNS, firewalls, etc.).
  • Look at all switch logs!! If logging is not enabled, enable it now and check the logs later.
  • Monitor the switch port counters (there are a lot of tools available; Google will help). Do you see 'unusual patterns' at the times when people report the problems? If so, where (on which switch) do you see those patterns (like massive spikes or drops in the number of packets)?
  • If there is an 'unusual pattern' somewhere, capture the traffic 'near that place/component' with Wireshark and try to figure out what's going on. Unfortunately, there is no 'best practice' approach for this, and you'll need a lot of experience to sort things out. You could start with the statistics functions of Wireshark (Menu: Statistics).

The 'good thing' about your problem is: after you have done all that, you will have a much better understanding of your network architecture and a much better understanding of networking/protocols in general ;-))

Good luck!

Regards
Kurt

answered 12 Feb '14, 01:17

Kurt Knochner ♦

edited 12 Feb '14, 01:34
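The two middle steps of the answer above (read the switch logs, watch the port counters for spikes or drops at the times users complain) are the ones most easily automated. The script below is an added example and is not part of the original question or answer. It takes cumulative per-port counters of the kind an SNMP poll of the IF-MIB ifTable returns (ifInUcastPkts, ifInErrors, ifInDiscards), turns them into per-interval rates while handling 32-bit counter wrap, and flags intervals where a port's packet rate departs from its own median by a large factor or where the error/discard ratio is high. It also counts link up/down transitions in switch log lines so that a flapping port stands out. All counter samples and log lines are constructed for the example; the log line format is illustrative rather than any vendor's exact syslog format, and the thresholds are assumptions to tune for a real network.

```python
"""Flag 'unusual patterns' in switch port counters and switch logs.

Added example, not from the original answer. Counter samples and log lines
are constructed; in practice they would come from periodic SNMP polls of the
IF-MIB ifTable and from the switches' syslog output.
"""
import re
from collections import defaultdict
from statistics import median

COUNTER_WRAP = 2**32  # 32-bit ifTable counters wrap here

# Constructed snapshots: (t_seconds, switch, port, ifInUcastPkts, ifInErrors, ifInDiscards).
# Counters are cumulative. sw2/port 7 wraps past 2**32 and then sees a burst with
# many errors; sw3/port 3 nearly stops passing traffic for one interval.
SAMPLES = [
    (0,   "sw1", 1, 1_000_000, 10, 0),
    (60,  "sw1", 1, 1_060_000, 10, 0),
    (120, "sw1", 1, 1_121_000, 10, 0),
    (180, "sw1", 1, 1_180_000, 10, 0),
    (240, "sw1", 1, 1_241_000, 10, 0),
    (0,   "sw2", 7, 4_294_900_000, 50, 2),
    (60,  "sw2", 7, 4_294_960_000, 50, 2),
    (120, "sw2", 7, 53_000, 50, 2),            # counter wrapped past 2**32
    (180, "sw2", 7, 2_113_000, 60_050, 10_002),  # burst plus a flood of errors/discards
    (240, "sw2", 7, 2_173_000, 60_050, 10_002),
    (0,   "sw3", 3, 500_000, 0, 0),
    (60,  "sw3", 3, 560_000, 0, 0),
    (120, "sw3", 3, 620_000, 0, 0),
    (180, "sw3", 3, 620_500, 0, 0),            # traffic almost stops
    (240, "sw3", 3, 680_000, 0, 0),
]


def interval_rates(samples):
    """Convert cumulative counters into per-interval rates keyed by (switch, port).

    Returns {(switch, port): [(t_end, packets_per_second, error_ratio), ...]}.
    Subtraction is done modulo 2**32 so a wrapped counter yields the true delta.
    """
    by_port = defaultdict(list)
    for row in sorted(samples, key=lambda r: (r[1], r[2], r[0])):
        by_port[(row[1], row[2])].append(row)
    out = {}
    for key, rows in by_port.items():
        series = []
        for prev, cur in zip(rows, rows[1:]):
            dt = cur[0] - prev[0]
            pkts = (cur[3] - prev[3]) % COUNTER_WRAP
            errs = (cur[4] - prev[4]) % COUNTER_WRAP + (cur[5] - prev[5]) % COUNTER_WRAP
            series.append((cur[0], pkts / dt, errs / pkts if pkts else 0.0))
        out[key] = series
    return out


def find_counter_anomalies(samples, spike_factor=5.0, err_ratio=0.01):
    """Flag intervals whose pps deviates from the port's own median by spike_factor
    (as a 'spike' or 'drop'), or whose (errors+discards)/packets exceeds err_ratio.
    Thresholds are assumptions; tune them against a quiet baseline of the real network."""
    findings = []
    for (switch, port), series in interval_rates(samples).items():
        baseline = median(r[1] for r in series)
        for t, pps, ratio in series:
            if baseline > 0 and pps > spike_factor * baseline:
                findings.append((switch, port, t, "spike", round(pps)))
            elif baseline > 0 and pps < baseline / spike_factor:
                findings.append((switch, port, t, "drop", round(pps)))
            if ratio > err_ratio:
                findings.append((switch, port, t, "errors", round(ratio, 3)))
    return findings


# Constructed log lines in the style of a switch syslog feed (illustrative format only).
LOG_LINES = """\
I 01/28/14 10:15:02 ports: port 12 is now off-line
I 01/28/14 10:15:09 ports: port 12 is now on-line
I 01/28/14 10:15:31 ports: port 12 is now off-line
I 01/28/14 10:15:40 ports: port 12 is now on-line
I 01/28/14 10:16:02 ports: port 12 is now off-line
I 01/28/14 10:16:10 ports: port 12 is now on-line
I 01/28/14 10:20:00 ports: port 3 is now off-line
I 01/28/14 10:20:05 ports: port 3 is now on-line
I 01/28/14 10:22:17 ports: port 12 is now off-line
I 01/28/14 10:22:24 ports: port 12 is now on-line
""".splitlines()

LINK_EVENT = re.compile(r"port (\d+) is now (on|off)-line")


def find_flapping_ports(lines, min_transitions=4):
    """Count link up/down transitions per port. A port that bounces repeatedly
    (bad cable, duplex mismatch, a loop) is a classic 'unusual pattern' in switch logs."""
    transitions = defaultdict(int)
    for line in lines:
        m = LINK_EVENT.search(line)
        if m:
            transitions[int(m.group(1))] += 1
    return {port: n for port, n in transitions.items() if n >= min_transitions}


if __name__ == "__main__":
    for finding in find_counter_anomalies(SAMPLES):
        print("counter:", finding)
    print("flapping ports:", find_flapping_ports(LOG_LINES))
```

Once a port and a time window are flagged this way, that is the 'near that place/component' the answer talks about: mirror that port (or capture on a host behind it) during the next reported episode, and start with Wireshark's Statistics menu on the resulting capture rather than on a capture from the core switch.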