This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

So, is there a place to submit packet captures for the network-smart to dissect?

0

I saw a thread on the Steam Users' Forum about someone who was getting like, 12 kB/s download speed specifically in his Steam game client. Since he was at the end of his rope, I told him to try capturing with Wireshark and see if anything obvious pops out. He posted packet captures whilst trying to download and while not, and I couldn't find anything obvious. Is there a proper place to post packet captures for those who are skilled with networking to poke through and look for problems?

asked 14 Nov '10, 19:27

hmmwhatsthisdo's gravatar image

hmmwhatsthisdo
31347
accept rate: 0%


3 Answers:

0

If your friend is comfortable uploading his network data to the web, he can upload it to www.cloudshark.org, from which others can view the data...finding someone versed in the Steam client's protocol(s) is a different matter.

(I am unaffiliated with CloudShark. No warranty express or implied. Void in Rhode Island. You get the idea.)

answered 14 Nov '10, 19:32

wesmorgan1's gravatar image

wesmorgan1
411101221
accept rate: 4%

edited 14 Nov '10, 19:34

He already uploaded the packet data, I'm just looking for somewhere to have people poke through it and see if they notice anything wrong. I didn't want to immediately post it here, because this site appears to be for, well, Wireshark. Posting a thread asking for people to look through something might have been taken the wrong way.

(14 Nov '10, 19:34) hmmwhatsthisdo

Where is online (the trace file)? There are a lot of folks here who can take a quick look.

(14 Nov '10, 19:41) hansangb

Well, the thread is here, the packet capture with Steam running (In case you didn't know, Steam is a game client, sort of like iTunes for games) is here, and the packet capture w/o Steam running is here. From what I can tell, the actual traffic is between 192.168.1.101 and 66.77.49.4, the latter being a Valve content server AFAIK.

(14 Nov '10, 19:48) hmmwhatsthisdo

0

The trace file uploaded shows numerous packets lost in the proces and an interesting "pace" to data sent to your friend's Steam client. It appears the Steam server sends data at a relatively constant 95ms rate with few deviations. In general, not a blazing spew of data...

In Wireshark, select View > Coloring Rules > Disable the Checksum Errors rule. Now look at Analyze > Expert Info Composite to see the errors (disregard checksum errors) and look at the Warnings and Notes tabs. Duplicate ACKs are requests for the missing packets. Retransmissions and Fast Retransmissions are the well... retransmissions of missing packets. Now assuming the game cannot move forward without those packets, your friend is likely experiencing a slow down as TCP recovers from the lost packets.

What can your friend do? Well... given that some router along the path to 66.77.49.4 may be dropping the packets, it may be difficult to locate.

answered 14 Nov '10, 21:34

lchappell's gravatar image

lchappell ♦
1.2k2730
accept rate: 8%

edited 14 Nov '10, 21:39

Should I have him do a tracert to the Valve content server IP and look for say, points where the hop time dramatically increases?

(15 Nov '10, 16:30) hmmwhatsthisdo

I had him do a tracert to the content server, results shown here.

(15 Nov '10, 17:35) hmmwhatsthisdo

0

Looking at the "download" capture I see:

  1. There are two connections each of which is receiving data in a similar fashion. (Two separate downloads ?)
  2. For the most part the sending (remote) IP on each connection is sending 1 frame just about every 95 millisecs. The (local) receiver is acknowledging almost immediately and is advertising a full size window. (Ie: the receiver is ready and willing to receive more data).
  3. There's a fair amount of lost packets requiring retransmissions. This just makes things worse but is really a secondary effect compared to the fact that the sender is sending 1 frame every 95 millisecs.

I've no knowledge about (configuring for) Steam and don't know anything about your setup so I'll just say the following:

It sure looks like something is going on that is pacing the connection (especially given that it seems that other downloads work AOK). To me it seems pretty unnatural that frames should be received almost always about every 95 millisecs.

Is it a clue that the same effect is seen from 2 different destination IP's (using the same TCP port 27030) ?

answered 14 Nov '10, 21:45

Bill%20Meier's gravatar image

Bill Meier ♦♦
3.2k1850
accept rate: 17%

The port 27030 definitely means something - the Steam client almost always uses ports in the 270xx range. When I looked up the secondary destination IP (assuming you meant the 4.xx.xx.xx one), it appeared to be an ISP server. The person who's experiencing the problem has contacted their ISP, who told them that they don't interfere with connections, but the ISP support rep may have been misinformed.

(15 Nov '10, 16:39) hmmwhatsthisdo