This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi everyone,

These past 2 weeks have been an amazing journey for me. I have been working in IT for about 15 years and I have had my occasional brushes with Wireshark in my past but apart from collecting a quick packet capture to send to a third party or inefficiently try and decipher each line for some sense in what is going on. One thing i did know is that I realized I really didn't know my stuff on Wireshark.

I decided to take the plunge 2 weeks ago. I purchased the Wireshark 101 , Troubleshooting Performance and the Network Analysis Second Edition from Amazon. I have been hooked and have finished 101 last week and Troubleshooting yesterday. The books have been amazing! Thank you Laura!

I am still a bit unsure about a few things like SACK, Retransmissions and the != but I am sure going over the materials again and using the skills practically I will become better versed.

Now I am thinking what is next? I am looking at a network issue but more on this shortly...

I would like to become a better versed in Wireshark and also work towards becoming certified. Being based in the UK has anyone else got the WCNA? Is there any UK Wireshark Gurus?

What is the next best step for someone who cannot afford thousands for a course? Is the all Access Pass the best thing to go for if I want to try and towards a WCNA? Can someone give me some advice as the next best steps please?

In my work I am currently looking at a network issues which my company has had for many years. The network comprises of our main office connecting via MPLS to our datacentre 100 miles away. Users connect to the internet via a transparent Scansafe proxy which is based in the data centre and the internet breakout point again is in a different datacentre.

If i remotely connect to the proxy and test net performance I get about 8MB/s when I connect to that proxy from another machine in the same subnet I still get the 8MB. As soon as I connect from a machine in the Main office speeds go down to 700KB/s. This is not just internet traffic it is all traffic SMB as well.

With third parties all pointing the finger at each other (The MPLS to the firewall network guying) I have been quietly collecting packet captures and analysing them from the client and Proxy.

My captures were taken on the client and on the proxy with no taps or port spanning used. I am getting allot of errors ...in a 6 minute capture of 500MB: 34 Acknowledgment number: Broken TCP. The acknowledge is nonzero. 26 out of order segments 20 acked segment that wasn't captured 25 previous segment not captured. 16 window is full 15 Zero Window

Note show 754 retransmissions, 37 fast retranmissions I could go on.

The client capture is not as bad ..36 ack segment wasnt captured and 5 previous segment not captured.. 219 retransmissions and many duplicate acks and keep alive.

With my inexperience I am just overwhelmed with a capture file that has the majority of the books problems all in one capture. I think it is a dodgy switch because I think too many packets are being dropped in such a short time ..or is it short? what is an exceptible number? Packets out of order and retransmissions make me think about the switch but the window full and zero window is it something else. How do i address and what are my steps of attack?

I have looked at the graphs and couldn't see any correlation from the traffic and the tcp.analysis.flag && !tcp.analysis.window.update but I have about 1503 out of 510217.

I have decided to ask the mpls guys for a capture tomorrow in the hope to see something there in the hope to narrow down my search but I am really unsure about my next steps.

Can any network guru give me some tips as I have filled in the checklist pdf but with a checklist with allot going wrong ...where do i begin?

Many thanks for all your time in reading my mail.

Jazz

asked 22 Apr '14, 13:42

yoyomonkey's gravatar image

yoyomonkey
0226
accept rate: 0%


You always begin with the basics.

Before taking the test finish reading Network Analysis and don't skip the practice questions. I would also advice to look at other books like The TCP/IP Guide or Internet Core Protocols.. Don't forget to check out the presentations from previous Sharkfests. For the WCNA you can use the Exam Prep Guide.

In regards to the other question, focus on one source and one destination (please don't test with SMB) and if the network diagram is similar to the one below you have to start the packet capture (simultaneously) on the firewalls or as close to the MPLS routers as possible. Then you can see if the issue is in your network or the ISP.

PC in HQ - Firewall - MPLS Router - ISP - MPLS router - Firewall - Proxy in DC
permanent link

answered 22 Apr '14, 14:54

Roland's gravatar image

Roland
7642415
accept rate: 13%

Thank you do much sir for your advice and help.I have made a start in the network analysis book.

I did ask the network guys fie packet captures on the firewall who also said they could only.provide this by plugging a a laptop into the firewall

I am worried about this as the throughout of days is high and if they are spanning ports or using a tap they may lose packets from the capture obscuring the problem further?

The books you recommend I will get them ordered from Amazon who are the authors please?

Is the access pass worth the 699 and should I wait till after I have covered the network analysis or do they go hand in hand.

Thanks again for all your advice and help I know I am a very long way off the wcna but with your help I have something to aim for :)

Cheers

Jazz

(22 Apr '14, 18:07) yoyomonkey

FYI, I just converted your 'answer' to a 'comment'. To respond to an answer you can use the text box that has 'comment' next to it. The bottom text box is for posting an answer to the question.

(22 Apr '14, 19:05) Quadratic

Oh apologies and thanks for correcting this for me quadratic. cheers jazz

(23 Apr '14, 07:21) yoyomonkey

I don't know what firewalls you are using but most of them have an option to capture packets. You can read the TCP/IP Guide for free online and the other book was written by Eric Hall. A lot of information is free so I would not spend money unless it's necessary. Keep practicing.

(26 Apr '14, 06:09) Roland
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×12
×10
×10
×2
×2

question asked: 22 Apr '14, 13:42

question was seen: 5,075 times

last updated: 26 Apr '14, 06:09

p​o​w​e​r​e​d by O​S​Q​A