This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Performance issues SMB filetransfer

0

I have read and heard of some similar cases but are unable to pinpoint the problem using wireshark.

When we upload files to our servers (behind a firewall) file transfer seems to be capped to 5MB/s. As soon as I download a file from one of our servers the speed starts at 5MB/s and then jumps up to (the maximum of our clients, in this case) 11MB/s. When I start a new upload to the server (after the actions described above) it starts and stays at 11MB/s.

It is not just one server, it concerns all servers behind our firewall, we even tested the above by moving two servers in front of the firewall and the issue automatically resolves. It also immediately returns when we place the servers behind the firewall again.

We are currently working on replacing this firewall, but since my interest in wireshark ... I should be able to confirm this entire issue with a few good captures right? What am I looking for, throughput, TCP windows sizes? All the other key points are good (like round trip time, no extremely delayed packets, no replacements of sequence numbers, this I all checked).

asked 11 Mar '14, 00:08

JoepMeloen86's gravatar image

JoepMeloen86
266611
accept rate: 50%

<bump>

Tried to create some throughput graphs, and came up with the following:

http://imageshack.com/a/img34/2668/wvcr.png

To be honest, this doesn't make much sense. Can anyone explain to me why this graph shows both high and low throughput at the same time?

(12 Mar '14, 02:40) JoepMeloen86

Really, nobody?

I zoomed in on the above graph and viewed a couple of packets that were extremely close together (hence the impression that the throughput is high and low at the same time) but could not find a difference.

How does Wireshark determine a high or low throughput? Windowsize and payload are exactly the same with each packets I compare... ?

In other terms, how does Wireshark calculate a 5MB/s throughput (for example) from a single packet?

(12 Mar '14, 08:19) JoepMeloen86

One Answer:

0

Wireshark does not calculate throughput from a single packet; it uses a 21-segment moving average. See this question for an explanation by Gerald Combs.

answered 12 Mar '14, 13:57

Jim%20Aragon's gravatar image

Jim Aragon
7.2k733118
accept rate: 24%

Ok, sounds like that's the thing I'm looking for. However, I can't seem to verify this.

Most packets in these 40 segments have a payload of 1514 bytes, and there a no large delays (as far as I can see) between the first 20 segments and the next.

However the throughput graph is very clear that every other 20 segments is slow, fast, slow, fast, creating this weird graph.

(14 Mar '14, 01:32) JoepMeloen86