Hello All, I have read about tracking down what device is causing latency in some minor detail...is there a quick and easy way to find this info via a packet capture? I have a vendor at a remote site that accesses an application that is hosted at my site over a Site to Site VPN tunnel. The application works great at our local site but has high latency at the remote vendor site. Our ISP bandwidth is 300Mbps and the remote ISP is 100Mbps. Looking thru router interfaces it does not seem that we are maxing out our links. All other applications at the remote site are fast. I have access to the server and client....how in Wireshark can I see what possible device is causing the latency? Thanks, Dan asked 28 Jun '17, 22:03 playne1414
Let me first sort things out:
Can you provide any further information (like latency in ms between client and server; transport protocol in use (TCP?, UDP?); application protocol in use etc.)?
That would help to get an idea of your issue.
Here is a little more info....it's SQL transactions, so I see TCP and SMB2 protocols.
I thought of the window size but which packet has the actual window size? When I look at the SYN, SYN-ACK and ACK, some report different window sizes.
How can I identify the latency time....I follow the TCP stream but how can I correlate that with when a user presses a key in the application to when it presents the data? I see the latency in the application, I'm just not sure how to follow it in Wireshark.
Thanks, Dan
Hi Dan,
"it's SQL transactions so I see TCP and SMB2 protocols".. Why do you directly correlate SQL with SMB2?
As for your question, I think the "marker technique" can help you with the correlation:
1. Go to the client PC.
2. Create two one-liner batch files with ping commands:
   ping <server IP> -l 101 -n 1
   ping <server IP> -l 102 -n 1
3. Start capturing on both the client and the server.
4. Run the first batch and at the same time execute the app you're not happy about.
5. Wait for the app to display the result and, at the same moment as it's displayed, run the 2nd batch.
Doing so you'll get in your PCAP two ICMP packets with data lengths of 101 and 102 bytes at the time of the request and the reply respectively.
Now just find these ICMPs in the PCAP using the filters
'tcp.stream == yourstream or (icmp and data.len == 101)'
'tcp.stream == yourstream or (icmp and data.len == 102)'
and you'll see the exact time of request and reply.
Not to be mistaken: what @Packet_vlad suggests will not tell you directly what the delay is in the application on the client side, but it will highlight both the delays in the transport (the request and the response) and in the application on the server side. The rest is subtraction.
See also https://blog.packet-foo.com/2014/10/determining-frame-forwarding-latency/
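The "rest is subtraction" step from the marker technique above, as an added example that is not part of the thread: it takes a CSV of frames (the columns frame.time_epoch, ip.src, ip.dst, icmp.type, data.len, tcp.stream, tcp.len, as a tshark -T fields export would give; the sample rows, IP addresses and stream number 7 are constructed) and splits the wall-clock time between the 101-byte and 102-byte marker pings into client think time, server turnaround and client render time.

```python
import csv
from io import StringIO
from typing import Dict, List, Tuple

# Constructed sample frames (not from the thread): one row per frame with the
# columns frame.time_epoch, ip.src, ip.dst, icmp.type, data.len, tcp.stream,
# tcp.len, as a tshark -T fields CSV export would give. Empty cell = absent field.
SAMPLE_CSV = """\
1498000000.000,10.1.1.5,10.2.2.20,8,101,,
1498000000.041,10.2.2.20,10.1.1.5,0,101,,
1498000000.350,10.1.1.5,10.2.2.20,,,7,412
1498000000.392,10.2.2.20,10.1.1.5,,,7,0
1498000001.480,10.2.2.20,10.1.1.5,,,7,1460
1498000001.481,10.2.2.20,10.1.1.5,,,7,880
1498000001.520,10.1.1.5,10.2.2.20,,,7,0
1498000001.900,10.1.1.5,10.2.2.20,8,102,,
1498000001.941,10.2.2.20,10.1.1.5,0,102,,
"""
FIELDS = ["time", "src", "dst", "icmp_type", "data_len", "stream", "tcp_len"]

def parse_frames(text: str) -> List[Dict[str, str]]:
    """Read the CSV export into one dict per frame, keyed by FIELDS."""
    return [dict(zip(FIELDS, row)) for row in csv.reader(StringIO(text)) if row]

def marker_times(frames: List[Dict[str, str]], data_len: int) -> Tuple[float, float]:
    """Timestamps of the echo request (type 8) and echo reply (type 0) of the
    marker ping whose ICMP payload is data_len bytes (the -l value)."""
    req = [float(f["time"]) for f in frames if f["icmp_type"] == "8" and f["data_len"] == str(data_len)]
    rep = [float(f["time"]) for f in frames if f["icmp_type"] == "0" and f["data_len"] == str(data_len)]
    if not req or not rep:
        raise ValueError(f"marker ping with {data_len}-byte payload not found in capture")
    return req[0], rep[0]

def latency_breakdown(text: str, stream: int, client_ip: str) -> Dict[str, float]:
    """Split marker-to-marker time into the pieces the comment above names."""
    frames = parse_frames(text)
    t_start, t_start_reply = marker_times(frames, 101)   # user pressed the key
    t_end, _ = marker_times(frames, 102)                 # result shown on screen
    # Only segments that carry payload matter; pure ACKs (tcp.len == 0) are skipped.
    data = [f for f in frames if f["stream"] == str(stream) and int(f["tcp_len"] or 0) > 0]
    req = [float(f["time"]) for f in data if f["src"] == client_ip]
    rsp = [float(f["time"]) for f in data if f["src"] != client_ip and float(f["time"]) > req[0]]
    return {
        "network_rtt": round(t_start_reply - t_start, 3),  # from the marker ping itself
        "client_think": round(req[0] - t_start, 3),        # keypress -> first request byte
        "server_turnaround": round(rsp[0] - req[0], 3),    # request -> first response byte
        "client_render": round(t_end - rsp[-1], 3),        # last response byte -> screen
        "total": round(t_end - t_start, 3),
    }

if __name__ == "__main__":
    print(latency_breakdown(SAMPLE_CSV, stream=7, client_ip="10.1.1.5"))
```

In the constructed sample the marker ping shows a 41 ms RTT while the server takes 1.13 s to start answering, so the bulk of the 1.9 s the user sees sits on the server side rather than in the VPN path.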