This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I have read and heard of some similar cases but are unable to pinpoint the problem using wireshark.

When we upload files to our servers (behind a firewall) file transfer seems to be capped to 5MB/s. As soon as I download a file from one of our servers the speed starts at 5MB/s and then jumps up to (the maximum of our clients, in this case) 11MB/s. When I start a new upload to the server (after the actions described above) it starts and stays at 11MB/s.

It is not just one server, it concerns all servers behind our firewall, we even tested the above by moving two servers in front of the firewall and the issue automatically resolves. It also immediately returns when we place the servers behind the firewall again.

We are currently working on replacing this firewall, but since my interest in wireshark ... I should be able to confirm this entire issue with a few good captures right? What am I looking for, throughput, TCP windows sizes? All the other key points are good (like round trip time, no extremely delayed packets, no replacements of sequence numbers, this I all checked).

asked 11 Mar '14, 00:08

JoepMeloen86's gravatar image

JoepMeloen86
266611
accept rate: 50%

<bump>

Tried to create some throughput graphs, and came up with the following:

http://imageshack.com/a/img34/2668/wvcr.png

To be honest, this doesn't make much sense. Can anyone explain to me why this graph shows both high and low throughput at the same time?

(12 Mar '14, 02:40) JoepMeloen86

Really, nobody?

I zoomed in on the above graph and viewed a couple of packets that were extremely close together (hence the impression that the throughput is high and low at the same time) but could not find a difference.

How does Wireshark determine a high or low throughput? Windowsize and payload are exactly the same with each packets I compare... ?

In other terms, how does Wireshark calculate a 5MB/s throughput (for example) from a single packet?

(12 Mar '14, 08:19) JoepMeloen86

Wireshark does not calculate throughput from a single packet; it uses a 21-segment moving average. See this question for an explanation by Gerald Combs.

permanent link

answered 12 Mar '14, 13:57

Jim%20Aragon's gravatar image

Jim Aragon
7.2k733118
accept rate: 24%

Ok, sounds like that's the thing I'm looking for. However, I can't seem to verify this.

Most packets in these 40 segments have a payload of 1514 bytes, and there a no large delays (as far as I can see) between the first 20 segments and the next.

However the throughput graph is very clear that every other 20 segments is slow, fast, slow, fast, creating this weird graph.

(14 Mar '14, 01:32) JoepMeloen86
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×55
×52

question asked: 11 Mar '14, 00:08

question was seen: 3,293 times

last updated: 14 Mar '14, 01:32

p​o​w​e​r​e​d by O​S​Q​A