This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Can’t figure out why web app is slow to respond - pcap

0

Hi FOlks:

My company uses a 3rd party cloud-application. When performing a function using the web interface browser, the application server doesnt seem to respond, but it really does. It takes over a minute for it to give any visual indication that it's working, but it does complete.

The 3rd party vendor doesn't have any idea why it's running like this.

I used Wireshark to capture the browser<->server request/response. There's some things about not being able to re-assemble the packets, but I'm not able to fully figure out what is really happening.

  1. User goes to the browser, logs into the App. WOrks fine.
  2. User navigates to page to look up a container. Enters the container ID, presses enter.
  3. The browser appears to do nothing. Eventually, a web busy spinner shows up (after about 40 seconds).
  4. A few seconds after that (maybe around 1 minute total), the app responds.

There are no errors. The web application actually completes the request. but it should be happening in < 1 to 2 seconds, not 50-75 seconds.

The third party vendor says their server is running fine. I used Wireshark to capture a brief session. In looking at it, there's some re-assembly errors. But I honestly can't figure this out.

I'm trying to understand if there's something on our end (our internal network), or if there's something at issue with their web server/network. I'm trying to not finger point, but simply root cause.

Would anyone be willing to look at this capture and see if anything obvious stands out? I see a reassembly issue, but outside of that, I don't see anything obvious. Then again, I'm hardly an expert here.

THe web appliation never gives an error. It always completes. But in looking at the capture it almost seems like sockets between client and server are started then closed, then started on a different client ephemeral port.

The destination server in the PCAP is 192.243.221.226, port 80. My client is 192.168.1.117.

I'm not trying to prove that there's a fault on their end or an application issue. I'm just trying to see if there's some fundamental networking issue / problem first. THe web application is an IIS app on port 80.

I've uploaded the PCAP to the url in the body of this post. ANyways, I honestly can't understand what is happening. Looks like there's a re-assembly error (at #1934), an RST (#1051). But by the end of the capture, the web page finally finishes the request without error.

I could really use some help. Like I said, not trying to point fingers. Just trying to root cause.

If there's anyone who'd be willing to look at the capture and let me know what you think, I'd be so grateful.

capture file

asked 27 Jul '16, 17:18

bubbawny's gravatar image

bubbawny
6112
accept rate: 0%

edited 28 Jul '16, 02:55

grahamb's gravatar image

grahamb ♦
19.8k330206


One Answer:

1

The answer to this problem lies in the http.data field which identifies the GMT timestamp when the web server was sending the HTTP OK messages. The client's clock doesn't seem too far away from the time-stamp at the server by looking at these packets, approximately 200 ms. alt text For non-delayed responses, the answer from the server http.time arrives between 50 - 80 ms.
Not so for the first and the last requests (26) on the tcp.stream==0 which arrive 2.3 and 22 seconds after the requests.

alt text

alt text The timestamps in the http.date indicate that the server was already late sending those. For me clearly a slow HTTP server ( or Application server or backend systems)

Regards Matthias

answered 31 Jul '16, 13:12

mrEEde's gravatar image

mrEEde
3.9k152270
accept rate: 20%