Solved

Need help configuring Wireshark

Posted on 2013-11-23
Last Modified: 2013-12-11
This is my first attempt to use Wireshark.  My goal is to find the hardware in one of our buildings that is slowing down the network.  It is intermittent so that's why I'm trying Wireshark.

I've installed it on a laptop.  Connected that laptop to the switch that all the network computers are connected to.  

What I need help with is how do I configure Wireshark to show me all the packets coming and going through the switch.  The ultimate situation would be to have it only show the packets that are potential problems.  Also I don't need to see the packets of the laptop.

I'm hoping an Expert can assist me with this and shorten my learning curve.
Question by:jrsitman
61 Comments
 
LVL 50

Expert Comment

by:Don Johnston
ID: 39671996
That's not a wireshark configuration task.

The switch has to be configured to "span" or "mirror" the port(s) or VLAN in question.

What make/model switch?
0
 

Author Comment

by:jrsitman
ID: 39672000
It is a Netgear 16 port.  Don't have exact model
0
 

Author Comment

by:jrsitman
ID: 39672009
see attached
netgear.png
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 39672014
That appears to be an unmanaged switch. No way to mirror ports on that model.
0
 

Author Comment

by:jrsitman
ID: 39672019
Any suggestions on how I should use Wireshark to find my hardware problem?
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 39672024
It depends on what the problem is. "Slowing down" is kinda vague.

Going to need a LOT more info.

Is it just in one building? Local traffic affected or internet traffic also?  All devices, one or some? Restricted to one application or all? How long does the slowdown last? How often does it occur. How long has this been happening? Was anything done to the network or any of the computers prior to the problem occurring?

That's about 10% of the questions that come to mind. : )
0
 

Author Comment

by:jrsitman
ID: 39672088
This should give you more details


We have 2 48-port switches
2 physical 2008 R2 servers.  1 is a Virtual Host, which has 3 virtual servers
From our server room there is a Fiber Optics connecting our main building to a second building.
In the building where the Fiber terminates there is a 16 port switch that connects to 8 physical network jacks.
There are 4 computers connected to individual network jacks.  
There is a 5 port switch plugged into one network jack.  Into the switch there are 2 printers and 1 computer.
On one of the servers is an Access Database.
In the morning when accessing the database and opening a form, the process time is 7 seconds
At various times of the day, opening the same form the time is 30-40 seconds

When the speed slows down on the computers in the 2nd building and I test the database on a computer in the main building, the speed has not slowed down.

I use the database as an example because that's when they notice the problem.  The database is used in our Pet Hotel.  

When it slows I haven't tested the internet.

It is on all computers in the second building.

I don't know exactly how often it happens.  I asked them to start keeping a log today.  As an example it happened when I was there Thursday and I was there today and it didn't happen.

The only change to the network was one of the Fiber Optic devices went bad and it was looping data.  We replaced it and the speed was fast.  Now the slowness is only intermittent.

Your help is greatly appreciated.
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 39672500
What is the speed of the fiber link between the two buildings and the speed of the computers in the second building?

There are 4 computers connected to individual network jacks.  
There is a 5 port switch plugged into one network jack.  Into the switch there are 2 printers and 1 computer.
This is in the second building? So the second building only has 6 computers and 2 printers?  Is the problem experienced by all computers in the second building?  Or just the computers on the 5-port switch?

What is the make/model on the 5-port switch?
0
 

Author Comment

by:jrsitman
ID: 39672690
The Fiber is a 100 gig.  The computers are 3.00 and 3.20 GHz.
Yes problem is on all computers.
The 5 port switch is a netgear.  Don't know exact model #
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 39672699
The Fiber is a 100 gig.
100gig???  The GS116NA doesn't have a 100gig port.
the computers are 3.00 and 3.20 GHz.
What is the speed of the NETWORK connections to the computers?
Don't know exact model #
Without the model number, things devolve to speculation and guessing.
0
 

Author Comment

by:jrsitman
ID: 39672724
I'll have them get the model # of the switch today.  The Fiber is a Unicom 10/100

How do I determine the speed of the Network connections to the computers?
0
 

Author Comment

by:jrsitman
ID: 39672786
The Netgear 5 port is an FS105.
0
 
LVL 50

Accepted Solution

by:
Don Johnston earned 500 total points
ID: 39672794
The LEDs on the switch will tell you that. On the GS116, if the left LED is lit, the port is running at 10 Mbps. If the right LED is on then it's 100 Mbps. If both are on, then it's 1 Gbps.

But you still haven't answered the speed of the link between the two buildings.

I would suggest getting one of the LAN speed test utilities like iperf. Set it up on the server and test from a computer in building 2 during off hours.  Then run it from 2 computers, then 3, and work your way up to all of them.  That will give you a baseline.
0
 

Author Comment

by:jrsitman
ID: 39672818
Ok.  I'll have to answer these next week when I can be there.  Thanks for helping.  Enjoy the rest of your day.
0
 

Author Comment

by:jrsitman
ID: 39675807
The 16 port switch connected to the Fiber Optic and the 5 port switch at the desk are both running at 10 Mbps.

I ran a speed test at several different times on 4 of the computers in the second building from yesterday until recently.

At 4:15 pm yesterday TCP speeds were avg 8394 KBPS
at 2:30 am 8338 KBPS
On one of the computers I noticed something odd.  When the test started, the speed was at 4200 KBPS and it continued to drop all the way to 1201.  After a reboot it was back up to 8311.  
at 11:50 am today the same computer was at 11145 KBPS.

Let me know if you need more data.

Thanks
0
 

Author Comment

by:jrsitman
ID: 39676180
I have this managed switch at one of our other locations.  I'm going to move it to the location with the problem.  Can you help configure it or should I hire someone?

GS724T-300NAS      NETGEAR ProSafe GS724Tv3 - Switch - managed - 24 x 10/100/1000 + 2 x shared SFP - desktop
0
 
LVL 50

Assisted Solution

by:Don Johnston
Don Johnston earned 500 total points
ID: 39676200
So the link between the main building and building 2 is only running at 10 Mbps?

What type of switch is at the main building that the fiber link terminates at?

There's definitely an issue with the one computer that slows down until you reboot it. But it's probably confined to that computer.

Now that you have your baseline, wait until the slowdown reoccurs and then do a network speed test at one of the building 2 computers.
0
 

Author Comment

by:jrsitman
ID: 39676214
switch is NETGEAR ProSafe GS116 16 Port Gigabit Desktop Switch - Switch - 16 x 10/100/1000 -
desktop
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 39676491
The main building switch has gig ports and the building 2 switch has gig ports.  Why aren't you running that link at 1 Gbps? Or at least 100 Mbps?
0
 

Author Comment

by:jrsitman
ID: 39676497
I don't know why it's not.  However, I found out tonight the Netgear switch might only have lights for 100 and 1000.  I'll be there tomorrow to verify.  

I've ordered a managed switch.  Will you be able to help me configure the "mirror" you have suggested?
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 39676514
However, I found out tonight the Netgear switch might only have lights for 100 and 1000.  I'll be there tomorrow to verify.  
If that's the case, it can still do 1 Gbps.

I've ordered a managed switch.
Your existing switches are managed.  Just because it's managed doesn't mean that it supports port mirroring. And you're not at the point where Wireshark will help. Protocol analyzers (like Wireshark) are useful to determine why a computer is having network related problems. This issue affects multiple computers. Before you start capturing packets, you at least need an idea of what you're looking for.
0
 

Author Comment

by:jrsitman
ID: 39679407
Exactly what are you suggesting?  
Before you start capturing packets, you at least need an idea of what you're looking for.

I verified today, both switches in the 2nd building are running all connections at 100, not 10 Mbps.
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 39679450
Before capturing packets to try and determine what the problem is, you need to isolate the problem.

For example, when this thread started, you thought the building to building link was running at 100 Gbps. Then it was 10 Mbps. Now (it sounds like) it's 100 Mbps.

Until you understand the topology and have an idea of where the problem is, capturing packets is premature.  Especially since the problem seems to affect multiple computers. Which would indicate an issue with the building to building link.

I would be interested in seeing the interface statistics for the ports that connect the building to each other.
0
 

Author Comment

by:jrsitman
ID: 39679511
here is the switch I ordered.
NETGEAR ProSafe GS716Tv2 - Switch - managed
- 16 x 10/100/1000 + 2 x shared SFP
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 39679568
Page 250 of the Software Administration Manual details how to setup port mirroring.
0
 

Author Comment

by:jrsitman
ID: 39680795
when you get time send me instructions on how to do this and I'll get the data to you.

I would be interested in seeing the interface statistics for the ports that connect the building to each other.
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 39680885
Page 232.
0
 

Author Comment

by:jrsitman
ID: 39681718
I looked at the page and have no idea what to do.  Sorry
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 39681992
View the statistics for the port which is connected to the fiber going to the other building.  Then post them here.  Or take a screen shot and post that.
0
 

Author Comment

by:jrsitman
ID: 39682328
I disconnected the laptop from the switch.  Can I get the information from any computer in that building?
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 39682573
I suppose. The switch has a web-based GUI.
0
 

Author Comment

by:jrsitman
ID: 39682575
I'll do my best.  I hope you remember this is my "first" time doing this and using Wireshark.

 I appreciate your patience.
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 39682588
This has NOTHING TO DO WITH WIRESHARK!  This is about determining if there are any errors on the link between the two switches.
0
 

Author Comment

by:jrsitman
ID: 39682592
in that case I have no idea how to do what you're asking.
0
 
LVL 50

Assisted Solution

by:Don Johnston
Don Johnston earned 500 total points
ID: 39682611
Assuming that you have installed the new switch... Go to a computer on the network (any computer). Open a web browser (IE, Firefox, Chrome, etc.). Enter the IP address of the new switch in the address bar of the browser.

Once you have logged in to the switch, select the "Monitoring" tab.  Record the switch statistics displayed on the screen (or capture a screenshot). Then click on "Port Detailed Statistics". Then select the port which connects to the main building from the drop down port list.  Record the detailed port statistics displayed on the screen (or capture a screenshot).

Post the recorded information here.
0
 

Author Comment

by:jrsitman
ID: 39683883
I believe you are referring to the "managed" switch.  It has not arrived yet.
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 39683908
Then there's really not much you can do at this point other than what I posted on the 25th.

Now that you have your baseline, wait until the slowdown reoccurs and then do a network speed test at one of the building 2 computers.
0
 

Author Comment

by:jrsitman
ID: 39683924
I'll install the new switch Tuesday and update you.  Have a great Holiday.

Thanks for helping
0
 

Author Comment

by:jrsitman
ID: 39697228
I finally got to this.  Attached are the stats.
switch.png
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 39697246
Out of 2.3 million packets, you had 800 with errors.  That's .03 percent. This is well below the accepted .1% level.

But your broadcast traffic is at 45%!  That's way over the 20% recommended broadcast level.

Now if these numbers have been accumulating only after hours, then that would explain the high broadcast ratio.  If this is during regular production hours, then something is generating WAY too much broadcasts.
0
 

Author Comment

by:jrsitman
ID: 39697283
Should I clear them now and check in the morning before any users start?
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 39697291
I would clear them in the morning and then check the numbers after about 4 hours.
0
 

Author Comment

by:jrsitman
ID: 39697294
Ok.  I'll send results tomorrow.
0
 

Author Comment

by:jrsitman
ID: 39699107
Attached are the current stats
switch-1051am.png
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 39699151
That broadcast rate is still high. I would start looking at the other site to figure out who's generating all that broadcast traffic.
0
 

Author Comment

by:jrsitman
ID: 39699185
How do I do that?
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 39699199
Same way. Go to the other switch and check the interface statistics for each port to determine which one is generating all the broadcasts (broadcast packets/total packets=broadcast %).
0
 

Author Comment

by:jrsitman
ID: 39699297
This is the only managed switch we have.  I can't get these stats from the other switches.

Since it is in the second building, logically the traffic has to be from one of the computers in that building, correct?

Shouldn't I clear the stats tonight after they leave and check them in a few hours or in the morning.  That would help identify if it is a user or computer.
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 39699383
Since it is in the second building, logically the traffic has to be from one of the computers in that building, correct?
No. This is (supposed) to be the interface that is connected to the other building. So the broadcasts would be originating there.

Shouldn't I clear the stats tonight after they leave and check them in a few hours or in the morning.  That would help identify if it is a user or computer.
Not necessarily.

I would start up Wireshark and capture traffic for a minute and then see which device(s) are generating the broadcast.
0
 

Author Comment

by:jrsitman
ID: 39699441
Ok, I ran it, what should I be looking for?  See sample attached
switch-capture.png
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 39699538
I would have a column for destination hardware address.  Otherwise scroll through until you find packets destined for 172.18.1.255 or 255.255.255.255.  Or create a filter for broadcasts.
0
 

Author Comment

by:jrsitman
ID: 39699605
I found 11 of these.
switch-255.png
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 39699668
I'm not familiar with that port. It says that it's used by Lantronix Serial to Ethernet Discovery. But it could be for anything. I would look at the device at 172.18.1.6 and try to figure out what it's using that UDP port for.
0
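The two steps Don describes above (capture for a minute, find the frames destined for 172.18.1.255 or 255.255.255.255, then see which device and which UDP port they come from) can be done with a Wireshark display filter such as `eth.dst == ff:ff:ff:ff:ff:ff || ip.dst == 255.255.255.255 || ip.dst == 172.18.1.255`, or offline against a capture. The script below is an added example and is not code from the thread or from Wireshark: it parses raw Ethernet/IPv4/UDP frames with nothing but the standard library, classifies each as broadcast or not, and tallies broadcast frames by source MAC/IP and by UDP destination port. The frames, MAC addresses and the `172.18.1.0/24` mask are constructed assumptions; the `172.18.1.6` address and UDP port 30718 are the values that appear in the thread.

```python
"""Tally which devices on a captured segment are sending broadcasts.

Added example, not from the thread. The frames are built in this file as
constructed sample data; in practice the bytes would come from a capture file.
"""
import ipaddress
import struct
from collections import Counter

BROADCAST_MAC = b"\xff" * 6
ETHERTYPE_IPV4 = 0x0800
PROTO_UDP = 17
LAN = ipaddress.IPv4Network("172.18.1.0/24")   # assumed mask for the thread's 172.18.1.x network
LANTRONIX_DISCOVERY_PORT = 30718               # the UDP port noticed in the thread


def mac_str(raw):
    """Render 6 raw bytes as aa:bb:cc:dd:ee:ff."""
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port, payload=b""):
    """Construct a minimal Ethernet/IPv4/UDP frame (sample input only).
    Checksums are left as zero because nothing here validates them."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", src_port, dst_port, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, PROTO_UDP, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    eth = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + udp


def parse_frame(frame):
    """Return the fields needed to classify a frame, or None if it is not IPv4."""
    if len(frame) < 34:
        return None
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4            # IPv4 header length in bytes
    proto = frame[23]
    dst_port = None
    if proto == PROTO_UDP and len(frame) >= 14 + ihl + 8:
        dst_port = struct.unpack("!H", frame[14 + ihl + 2:14 + ihl + 4])[0]
    return {
        "src_mac": mac_str(src_mac),
        "dst_mac": mac_str(dst_mac),
        "src_ip": str(ipaddress.IPv4Address(frame[26:30])),
        "dst_ip": str(ipaddress.IPv4Address(frame[30:34])),
        "dst_port": dst_port,
    }


def is_broadcast(info):
    """Link-layer broadcast, limited broadcast, or the LAN's directed broadcast."""
    return (info["dst_mac"] == "ff:ff:ff:ff:ff:ff"
            or info["dst_ip"] in ("255.255.255.255", str(LAN.broadcast_address)))


def summarize(frames):
    """Count broadcast frames per (MAC, IP) source and per UDP destination port."""
    by_source, by_port = Counter(), Counter()
    total = broadcasts = 0
    for frame in frames:
        info = parse_frame(frame)
        if info is None:
            continue
        total += 1
        if is_broadcast(info):
            broadcasts += 1
            by_source[(info["src_mac"], info["src_ip"])] += 1
            if info["dst_port"] is not None:
                by_port[info["dst_port"]] += 1
    return {"total": total, "broadcasts": broadcasts,
            "broadcast_ratio": broadcasts / total if total else 0.0,
            "by_source": by_source, "by_port": by_port}


# Constructed sample capture: three discovery broadcasts from the DC, one NetBIOS
# name-service broadcast from a workstation, and one unicast DNS query.
DC_MAC = bytes.fromhex("001122334455")   # constructed
PC_MAC = bytes.fromhex("66778899aabb")   # constructed
SAMPLE_FRAMES = [
    build_frame(DC_MAC, BROADCAST_MAC, "172.18.1.6", "255.255.255.255",
                LANTRONIX_DISCOVERY_PORT, LANTRONIX_DISCOVERY_PORT)
    for _ in range(3)
] + [
    build_frame(PC_MAC, BROADCAST_MAC, "172.18.1.20", "172.18.1.255", 137, 137),
    build_frame(PC_MAC, DC_MAC, "172.18.1.20", "172.18.1.6", 51000, 53),
]

if __name__ == "__main__":
    s = summarize(SAMPLE_FRAMES)
    print(f"{s['broadcasts']} of {s['total']} frames are broadcasts ({s['broadcast_ratio']:.0%})")
    for (mac, ip), n in s["by_source"].most_common():
        print(f"  {ip} ({mac}): {n}")
    for port, n in s["by_port"].most_common():
        print(f"  UDP dst port {port}: {n}")
```

The source that tops `by_source` is the device to examine next, and `by_port` shows what protocol it is talking; on the thread's numbers the DC at 172.18.1.6 would lead with port 30718.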
 

Author Comment

by:jrsitman
ID: 39699725
172.18.1.6 is a DC.  You're going to have to help me out.  How do I check what it is using port 30718 for?  This is all a new learning project for me.
0
 

Author Comment

by:jrsitman
ID: 39700139
I found adware on the server.  Look at the attachment and let me know if it is better
switch-826pm.png
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 39700142
Only 10% of the traffic is unicast. The rest is broadcast/multicast with broadcast making up about 40%.  That's abnormally high.
0
 

Author Comment

by:jrsitman
ID: 39700914
Does the attached list of the ports' traffic help?
switch-ports.png
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 39700970
Take the number of broadcast packets received and divide it by the total number of packets received. Anything over 20% is considered high.
0
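The calculation Don gives here and earlier in the thread (broadcast packets divided by total packets received, with 20% as the high-water mark, and errors divided by total packets against the 0.1% level) is easy to get wrong by hand across sixteen ports. The script below is an added example, not code from the thread or from Netgear: it applies both ratios to per-port counters and ranks the ports by broadcast share, so the port to start with is the first line of output. The port names and all counter values are constructed; port "g1" simply reuses the figures discussed above (about 2.3 million packets, 800 errors, 45% broadcast).

```python
"""Rank switch ports by broadcast share and error rate.

Added example, not from the thread. The counters below are constructed sample
data shaped like a managed switch's per-port "Port Detailed Statistics" page;
the port names are hypothetical.
"""

# Rules of thumb quoted in the thread
ERROR_THRESHOLD = 0.001       # 0.1% of received packets counted as errors
BROADCAST_THRESHOLD = 0.20    # 20% of received packets being broadcasts


def ratio(part, total):
    """Safe division: a port with no traffic yet reports 0.0 instead of failing."""
    return part / total if total else 0.0


def assess_port(port):
    """Compute error and broadcast ratios for one port and flag threshold breaches."""
    total = port["rx_packets"]
    errors = ratio(port["rx_errors"], total)
    broadcast = ratio(port["rx_broadcast"], total)
    return {
        "port": port["port"],
        "error_ratio": errors,
        "broadcast_ratio": broadcast,
        "error_high": errors > ERROR_THRESHOLD,
        "broadcast_high": broadcast > BROADCAST_THRESHOLD,
    }


def rank_ports(ports):
    """Assess every port and sort by broadcast share, highest first.

    The device behind the top entry is the first thing to look at, which is
    the step the thread ends on.
    """
    return sorted((assess_port(p) for p in ports),
                  key=lambda r: r["broadcast_ratio"], reverse=True)


# Constructed sample counters. "g1" mirrors the thread's numbers; the rest are made up,
# including a port with a high error rate and an idle port with zero counters.
SAMPLE_PORTS = [
    {"port": "g1", "rx_packets": 2_300_000, "rx_errors": 800, "rx_broadcast": 1_035_000},
    {"port": "g2", "rx_packets": 410_000, "rx_errors": 3, "rx_broadcast": 12_000},
    {"port": "g3", "rx_packets": 95_000, "rx_errors": 200, "rx_broadcast": 4_000},
    {"port": "g4", "rx_packets": 0, "rx_errors": 0, "rx_broadcast": 0},
]

if __name__ == "__main__":
    for r in rank_ports(SAMPLE_PORTS):
        flags = [name for name in ("error_high", "broadcast_high") if r[name]]
        note = "  <-- " + ", ".join(flags) if flags else ""
        print(f"{r['port']}: errors {r['error_ratio']:.2%}, "
              f"broadcast {r['broadcast_ratio']:.1%}{note}")
```

Clearing the counters first and reading them after a few hours of production traffic, as suggested above, matters because the ratios are only meaningful over a window when the problem is actually present.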
 

Author Comment

by:jrsitman
ID: 39701313
I understand what you're teaching me, but I still don't know how to find the source.  In the last screen shot it shows one of the ports much higher than the others, is that a good place to start?
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 39701599
Yes. The device connected to the port receiving the traffic would be the source of the traffic.
0
 

Author Closing Comment

by:jrsitman
ID: 39711730
I haven't found the actual problem (it hasn't occurred again) but all of your help has given me what I need to help find the problem.

Thanks
0
