Need to find a very weird bottleneck on the network

I have been trying to track down a weird issue on our network with our web application, which is hosted outside of where we are...

For a few users, accessing this web application is a nightmare (sometimes it becomes fast, then VERY, VERY slow, then it works smoothly again).
For a few other users the web application is continually accessible within 5 seconds without any issues...!!!!

Scenario:
ADSL Router Linksys (40 Mbps) -> SonicWall NSA240 (gateway and DHCP, no differences between users) -> PCs (Windows 7 clients)

Machine A - Public IP (whatismyip.com): 10.10.10.10 - Accessing with the ISP's proxy server settings in IE (under connection settings) - Working like a charm - NO ISSUE AT ALL

Machine B - Public IP (whatismyip.com): 10.10.10.10 - Accessing with proxy server settings in IE - Sometimes working like a charm, sometimes very, very slow; then with the proxy turned off it works like a charm !!!
After a few minutes it becomes very slow again, so we turn the proxy back on and it works again !!! THEN again it goes back to SLOW....and this keeps continuing.....................................

As I have implemented our full network infrastructure, I can say there are no differences between the machines; I have been using images for the Windows installations, and all users are on the same single network as well !!!

Is there any way I can monitor those two machines with different behaviours to find out how traffic is going out and coming in?

Shab asked:
Rick_O_Shay commented:
If you run Wireshark on each of the machines you can see what packets are being handled when the slowness occurs.
Also you can compare the delays in replies etc between the good PC and the slow PC.

Shab (author) commented:
Thanks for your reply mate,
I have installed Wireshark on one machine, but how do I filter on a specific destination IP?
Could you please let me know how to filter? ip.addr == 1.1.1.1 (the IP address of the web application) shows nothing !!!
Fred Marshall commented:
It helps to see those IP addresses when there's no filter, and then set up the filter as you've described. Well, at least a display filter as you've described should do it.
Rick_O_Shay commented:
You can quickly confirm what addresses are being seen by going to Statistics and then Endpoints. Conversations will show you which conversations are going on between pairs of hosts.

Your display filter syntax looks right if the address is 1.1.1.1.
Shab (author) commented:
The information I am getting from Wireshark is not understandable for me :( .
Is there any Wireshark manual for packet capturing and troubleshooting !!!
Fred Marshall commented:
Well, it's not always understandable to me either!!  :-)
It will take some perseverance; don't be put off by the mass of data that's presented.

The advice about "conversations" is good, so do consider that.
Statistics tab / Conversations / TCP: 3908
Then, when the report generates, click on the Bytes column header to sort from largest to smallest. Now you can see the IP address where the largest traffic originates and where it's going.

Now, if the issue is traffic levels outside the local client, then you may want to set up Wireshark differently.
1) Put it on a laptop.
2) I will assume that the laptop is plugged into the LAN for convenience. If this isn't necessary then it's a tiny bit simpler.
3) Add an Ethernet interface. I like the USB adapters for this purpose. We'll set the IP address for this interface below...
OK - now you have an "instrumentation" computer.

Get a *hub* (not a switch). I'm hoping that no manufacturer built switches that are called "hubs", as I think I may have one of those. I'm not sure that there are any 100 Mbps hubs available, but there are 10 Mbps hubs. Just expect that introducing a 10 Mbps hub into the network could be a bottleneck unto itself - but with ADSL it usually isn't that bad.

If you have managed switches with port mirroring capability then you may be able to avoid using the hub.

So, now you will either:
1) plug the hub into the network at some likely spot .. perhaps between the ADSL modem and the next device in the chain. Or, if you have a managed switch at this point, you would mirror the modem port to a monitoring port.
2) plug the laptop instrumentation interface into the hub or into the monitoring port on the switch.
NOTE: Since you are only going to be listening on this interface, you will probably find doing this works best:
Assign a private IP address like 192.168.99.99 ... anything that's not on a local subnet, with a garden-variety subnet mask like 255.255.255.0. Leave the "gateway" entry BLANK and no DNS entries either.

Now turn on Wireshark and look at that interface.  From here it's rather up to you.

Another thing that can help a lot is to use the SNMP capability of the switches and other devices. Most routers and managed switches have it built in. Using your workstation or the laptop, install the free version of PRTG. Invest some time in figuring out which switch port is connected to which computer. The dynamic MAC address tables in the switches and routers tell you what's where. Then an arp -a on one of the computers will tell you the IP address / MAC address lineup. Once you have SNMP set up for the switches and on a monitoring computer, you can see the traffic on each of the switch ports - which I hope includes the modem.
While this is more work to set up, the results are a lot easier to read, as you're generally going to see data rates .. bandwidth being used. And that information is a good clue to where you might want to look with Wireshark.

The reasoning goes like this:
If there is high traffic or anomalous traffic from a troubled client computer, then you can see it on that computer. But if there is high traffic originating elsewhere, then you will want to know where it is on your own network before you will necessarily be able to tell where the "other end" is and the nature of the traffic. Looking at conversations at the modem interface with Wireshark is still a pretty good way to go in that regard though....
Rick_O_Shay commented:
There is no easy-to-use manual for troubleshooting packet captures that I know of. You can get to the Wireshark user guide by clicking Help.

However, sometimes from the Statistics menu, using the Conversations or Endpoints options, choosing from the various tabs and then sorting the columns by the number of bytes or packets etc., you can get a good idea of who is causing your issues. Once you know that, it may lead you to what those devices are doing that can be corrected.

Also, in the capture itself, the expert flagging that Wireshark shows may give you a clue as to what is going on. It usually highlights those packets in the capture in black with red text.
Or you can see a list of all the packets the expert system has flagged via the Analyze menu, then the Expert Info option. If you use the severity filter in that window, you can narrow down to the most serious issue noticed by Wireshark.
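As an added example (not from any of the posters), here is what the Statistics > Conversations > TCP view sorted by Bytes, and the ip.addr == 1.1.1.1 display filter, actually compute: a minimal pcap reader that aggregates TCP packets into direction-independent conversations and ranks them by bytes. The capture is constructed inline; 1.1.1.1 is the web app address from the question, while 192.168.1.20, 192.168.1.30 and 203.0.113.5 are made-up hosts.

```python
import socket
import struct
from collections import defaultdict

def build_frame(src, dst, sport, dport, payload_len):
    """Ethernet + IPv4 + TCP frame with a zero-filled payload (checksums left at 0)."""
    eth = bytes(12) + b"\x08\x00"  # dummy MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + payload_len, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 65535, 0, 0)
    return eth + ip + tcp + bytes(payload_len)

def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap file (link type 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)

def tcp_conversations(pcap):
    """Like Statistics > Conversations > TCP, sorted by bytes, largest first."""
    conv = defaultdict(lambda: [0, 0])  # (endpoint A, endpoint B) -> [packets, bytes]
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, orig_len = struct.unpack("<IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # skip anything that is not TCP over IPv4 over Ethernet
        ihl = (frame[14] & 0x0F) * 4
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
        key = tuple(sorted([(src, sport), (dst, dport)]))  # direction-independent
        conv[key][0] += 1
        conv[key][1] += orig_len
    return sorted(conv.items(), key=lambda kv: kv[1][1], reverse=True)

def packets_matching_addr(pcap, addr):
    """What the display filter ip.addr == addr keeps (TCP only here): packets to or from addr."""
    return sum(p for (a, b), (p, _) in tcp_conversations(pcap) if addr in (a[0], b[0]))

# Constructed sample capture: 1.1.1.1 is the web app address used in the question;
# the client 192.168.1.20, the noisy peer 192.168.1.30 and 203.0.113.5 are made up.
SAMPLE = build_pcap([
    build_frame("192.168.1.20", "1.1.1.1", 51000, 443, 200),
    build_frame("1.1.1.1", "192.168.1.20", 443, 51000, 1400),
    build_frame("192.168.1.30", "203.0.113.5", 52000, 80, 1400),
    build_frame("192.168.1.30", "203.0.113.5", 52000, 80, 1400),
    build_frame("203.0.113.5", "192.168.1.30", 80, 52000, 1400),
])
```

Calling tcp_conversations(SAMPLE) lists the 192.168.1.30 <-> 203.0.113.5 conversation first (3 packets, 4362 bytes), which is the "sort by Bytes" view described above; packets_matching_addr(SAMPLE, "1.1.1.1") returns 2, so an empty result with the same filter on a real capture means the client is not actually talking to that address (for example, because the traffic goes to the proxy instead).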
Rick_O_Shay commented:
If you click Help, then Online, then the Wiki, you might get some ideas there as well.
digitap commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.