This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi All,

We have web server x that talks to domain controller y to authenticate a user constantly over a 2-hour period. What we are finding is that, like clockwork, every 5 minutes we are getting high response times for a short period.

What I have also noticed is that the trace is adding entries multiple times a second, but when I notice the lag there are time gaps within Wireshark until it passes.

I ran Wireshark on both servers, and around that time we get a lot of TCP errors on the DC side.

What is the best way to upload the trace? It's a TXT file.

Thanks in advance

asked 06 Dec '16, 07:00


foowish

edited 06 Dec '16, 07:02

Much prefer a Wireshark capture file, either pcap or pcapng at a file sharing service, e.g. CloudShark, Google Drive, Dropbox etc.

(06 Dec '16, 07:14) grahamb ♦

Hi, thanks for the response. I can upload, but I need to omit all IP address information for security reasons.

(06 Dec '16, 07:16) foowish

Then see TraceWrangler, which can anonymise captures.

(06 Dec '16, 07:19) grahamb ♦

Thanks Graham, I've uploaded it using the following link:

https://drive.google.com/open?id=0B1EcZKOSIZVUelhka2RFejFRRTQ

(06 Dec '16, 07:51) foowish

It is not worth much from my point of view. Segmentation offload is enabled. We can't see what really happens on the network.

(06 Dec '16, 12:04) Christian_R

What do you suggest I do to get a better capture? I can run my script to reproduce the lag at 5-minute intervals.

Really stuck on this issue. Help is definitely appreciated.

(07 Dec '16, 00:48) foowish

Either capture elsewhere than the client, e.g. a switch span or mirror port or a tap, or turn off segmentation offload on the capture system.

(07 Dec '16, 02:38) grahamb ♦

This is a very poor quality capture. The sniffer dropped 680 KB of packets, or around 85%. Further, it is only 20 seconds long. If I were capturing, I'd try to collect equal times of "good" and "bad" behaviours.

(08 Dec '16, 04:08) Philst

Hi, thanks for the reply. I think I'm closer. I ran a trace on one of the affected destination addresses, and around the time of the lag we have a couple of SQL servers hammering our DC... then we notice TCP gets messed up with unacked packets, retransmits, etc., so it's like it's doing a DoS attack. Now I need to work out what is going on on these source addresses. There does seem to be a pattern.

(08 Dec '16, 04:19) foowish

Hi, worked out what it was in the end. It was our monitoring service hammering LDAP queries at our DC.


answered 13 Dec '16, 07:24


foowish
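Two practical points in this thread can be checked programmatically: Christian_R's and grahamb's observation that segmentation offload makes the capture contain frames the wire never carried, and the final answer that a monitoring host was hammering the DC with LDAP queries on a 5-minute cycle. The script below is an added example, not code from the thread or from Wireshark. It builds a constructed classic-pcap capture in memory (hypothetical addresses: 10.0.0.5 for the DC, 10.0.0.10 for the web server, 10.0.0.99 for the monitoring host), flags frames larger than a 1500-byte-MTU Ethernet frame as offload residue, and counts new LDAP (tcp/389) connections per source in 5-minute buckets so the periodic burst stands out against the baseline. Point `iter_records` at a real file instead of the sample to run the same checks on your own capture; pcapng files need a different parser (or save as classic pcap from Wireshark first).

```python
"""Added example (not from the thread): check a capture for segmentation-offload
residue, then find which source opens the most LDAP connections per time bucket.
Assumes Ethernet/IPv4/TCP frames, LDAP on tcp/389 and a 1500-byte MTU; all
addresses and the sample capture are constructed for illustration."""
import struct
from collections import Counter, defaultdict

ETH_MAX_FRAME = 1514   # 1500-byte MTU + 14-byte Ethernet header (untagged)
LDAP_PORT = 389


def build_frame(src, dst, dport, payload_len, syn=True):
    """Minimal Ethernet/IPv4/TCP frame; checksums left zero (irrelevant here)."""
    tcp = struct.pack('!HHIIBBHHH', 40000, dport, 1, 0, 5 << 4,
                      0x02 if syn else 0x18, 65535, 0, 0)
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 40 + payload_len, 1, 0, 64, 6, 0,
                     bytes(map(int, src.split('.'))), bytes(map(int, dst.split('.'))))
    return b'\x00' * 12 + b'\x08\x00' + ip + tcp + b'\x00' * payload_len


def build_pcap(frames):
    """frames: list of (timestamp_seconds, frame_bytes) -> little-endian classic pcap."""
    out = [struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in frames:
        out.append(struct.pack('<IIII', int(ts), int((ts % 1) * 1e6), len(frame), len(frame)))
        out.append(frame)
    return b''.join(out)


def iter_records(pcap):
    """Yield (timestamp, incl_len, orig_len, frame_bytes) from a classic pcap blob."""
    magic, = struct.unpack_from('<I', pcap, 0)
    if magic == 0xa1b2c3d4:
        endian = '<'
    elif magic == 0xd4c3b2a1:
        endian = '>'
    else:
        raise ValueError('not a classic pcap (pcapng needs a different parser)')
    off = 24
    while off + 16 <= len(pcap):
        ts_sec, ts_usec, incl, orig = struct.unpack_from(endian + 'IIII', pcap, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, incl, orig, pcap[off:off + incl]
        off += incl


def offload_report(pcap, max_frame=ETH_MAX_FRAME):
    """Frames longer than the link maximum cannot have been on the wire: they are
    the capturing host's pre-segmentation buffers, i.e. offload was enabled and
    the capture does not show what the network actually carried."""
    frames = oversized = largest = 0
    for _, _, orig, _ in iter_records(pcap):
        frames += 1
        oversized += orig > max_frame
        largest = max(largest, orig)
    return {'frames': frames, 'oversized': oversized, 'largest': largest,
            'offload_suspected': oversized > 0}


def parse_ipv4_tcp(frame):
    """Return (src, dst, dport, is_pure_syn) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b'\x08\x00' or frame[23] != 6:
        return None
    tcp = 14 + (frame[14] & 0x0f) * 4
    src = '.'.join(map(str, frame[26:30]))
    dst = '.'.join(map(str, frame[30:34]))
    dport = struct.unpack_from('!H', frame, tcp + 2)[0]
    flags = frame[tcp + 13]
    return src, dst, dport, bool(flags & 0x02) and not flags & 0x10  # SYN, not SYN-ACK


def ldap_syns_per_bucket(pcap, bucket_seconds=300):
    """New LDAP connections per source, keyed by bucket start (seconds from first frame)."""
    buckets, t0 = defaultdict(Counter), None
    for ts, _, _, frame in iter_records(pcap):
        t0 = ts if t0 is None else t0
        p = parse_ipv4_tcp(frame)
        if p and p[2] == LDAP_PORT and p[3]:
            buckets[int((ts - t0) // bucket_seconds) * bucket_seconds][p[0]] += 1
    return buckets


def top_ldap_talker(pcap, bucket_seconds=300):
    """(source, syn_count, bucket_start) for the busiest source in any bucket."""
    best = None
    for start, counter in ldap_syns_per_bucket(pcap, bucket_seconds).items():
        src, n = counter.most_common(1)[0]
        if best is None or n > best[1]:
            best = (src, n, start)
    return best


def sample_capture():
    """Constructed capture: the web server opens 3 LDAP connections a minute, the
    monitoring host opens 200 in a burst at the 5- and 10-minute marks, and the DC
    sends two 9000-byte frames that a 1500-MTU wire could never carry (offload)."""
    frames = [(m * 60 + i, build_frame('10.0.0.10', '10.0.0.5', LDAP_PORT, 0))
              for m in range(15) for i in range(3)]
    frames += [(burst + i * 0.01, build_frame('10.0.0.99', '10.0.0.5', LDAP_PORT, 0))
               for burst in (300, 600) for i in range(200)]
    frames += [(310.5, build_frame('10.0.0.5', '10.0.0.10', 40000, 9000 - 54, syn=False)),
               (611.0, build_frame('10.0.0.5', '10.0.0.10', 40000, 9000 - 54, syn=False))]
    frames.sort(key=lambda f: f[0])
    return build_pcap(frames)


if __name__ == '__main__':
    cap = sample_capture()
    print('offload check:', offload_report(cap))
    for start, counter in sorted(ldap_syns_per_bucket(cap).items()):
        print(f'bucket {start:>4}s: {dict(counter)}')
    print('busiest LDAP source:', top_ldap_talker(cap))
```

Run the per-bucket count on a capture that spans at least two of the 5-minute cycles, so the burst shows against the baseline; that is the point of Philst's advice to capture equal amounts of good and bad behaviour. If the offload check fires, re-capture from a SPAN port or tap as grahamb suggests, or disable the offloads on the capturing host first (on Linux `ethtool -K <iface> tso off gso off gro off`; on Windows the equivalent settings sit in the NIC's advanced properties).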


question asked: 06 Dec '16, 07:00

question was seen: 1,218 times

last updated: 13 Dec '16, 07:24
