This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to Track down what device is causing latency

0

Hello All, I have read about tracking down what device is causing latency in some minor detail...is there a quick and easy way to find this info via a packet capture?

I have a vendor at a remote site that accesses an application that is hosted at my site over a Site to Site VPN tunnel. The application works great at our local site but, has high latency at the remote vendor site.

Our ISP bandwidth is 300Mbps and the remote ISP is a 100Mbps. Looking thru router interfaces it does not seem that we are maxing out our links. All other applications at the remote site are fast.

I have access to the server and client....how in Wireshark can I see what possible device is causing the latency?

Thanks, Dan

asked 28 Jun '17, 22:03

playne1414's gravatar image

playne1414
6112
accept rate: 0%

Let me first sort things out:

  • Latency and bandwidth are two different factors affecting a network connection.
  • Other factors (e.g. TCP window size or the application protocol itself) influence the performance of a network connection also.

Can you provide any further information (like latency in ms between client and server; transport protocol in use (TCP?, UDP?); application protocol in use etc.)?

That would help to get an idea of your issue.

(29 Jun '17, 05:13) Uli

Here is a little more info....its SQL transactions so I see TCP and SMB2 protocols.

I thought of the window size but, which packet has the actually window size. When I look at the SYN, ACK, SYN-ACK some report different window sizes.

How can I identify the latency time....I follow the TCP stream but, how can I correlate that with when a user press a key in the application to when it presents the data? I see the latency on the Application not sure how to follow it in wireshark.

Thanks, Dan

(29 Jun '17, 10:09) playne1414
1

Hi Dan,

"its SQL transactions so I see TCP and SMB2 protocols".. Why do you correlate directly SQL and SMB2?

As for your question I think "marker technic" can help you with correlation:

  • Go to the client PC

  • Create two one-liner batches with ping commands

    ping server IP -l 101 -n 1

    ping server IP -l 102 -n 1

  • Start capturing both on the client and server

  • Run the first batch and at the same time execute the app you're not happy about.

  • Wait for app to display result and at the same time as it's displayed run 2nd batch.

Doing so you'll get in your PCAP two ICMP packets with data length of 101 and 102 Bytes at the time of request and reply respectively.

Now just find these ICMP's in PCAP using filter

'tcp.stream ==yourstream or (icmp and data.len == 101)'

'tcp.stream ==yourstream or (icmp and data.len == 102)'

and you'll see exact time of request and reply.

(29 Jun '17, 23:38) Packet_vlad

not to be mistaken - what @Packet_vlad suggest will not tell you directly what the delay is in the application at client side, but it will highlight both delays in the transport (the request and the response) and in the application at server side. The rest is subtraction.

(30 Jun '17, 02:10) sindy