  • Status: Solved
Need help configuring WireShark

This is my first attempt to use Wireshark.  My goal is to find the hardware in one of our buildings that is slowing down the network.  It is intermittent so that's why I'm trying Wireshark.

I've installed it on a laptop.  Connected that laptop to the switch that all the network computers are connected to.  

What I need help with is how do I configure Wireshark to show me all the packets coming and going through the switch.  The ultimate situation would be to have it only show the packets that are potential problems.  Also I don't need to see the packets of the laptop.

I'm hoping an Expert can assist me with this and shorten my learning curve.
0
Asked by: J.R. Sitman

3 Solutions
 
Don Johnston commented:
That's not a wireshark configuration task.

The switch has to be configured to "span" or "mirror" the port(s) or VLAN in question.

What make/model switch?
0
 
J.R. Sitman (Author) commented:
It is a Netgear 16 port. Don't have the exact model.
0
 
J.R. Sitman (Author) commented:
See attached.
netgear.png
0
 
Don Johnston commented:
That appears to be an unmanaged switch. No way to mirror ports on that model.
0
 
J.R. Sitman (Author) commented:
Any suggestions on how I should use Wireshark to find my hardware problem?
0
 
Don Johnston commented:
It depends on what the problem is. "Slowing down" is kinda vague.

Going to need a LOT more info.

Is it just in one building? Local traffic affected or internet traffic also? All devices, one or some? Restricted to one application or all? How long does the slowdown last? How often does it occur? How long has this been happening? Was anything done to the network or any of the computers prior to the problem occurring?

That's about 10% of the questions that come to mind. : )
0
 
J.R. Sitman (Author) commented:
This should give you more details.

We have 2 48-port switches.
2 physical 2008 R2 servers. 1 is a virtual host, which has 3 virtual servers.
From our server room there is a fiber-optic link connecting our main building to a second building.
In the building where the fiber terminates there is a 16-port switch that connects to 8 physical network jacks.
There are 4 computers connected to individual network jacks.
There is a 5-port switch plugged into one network jack. Into the switch there are 2 printers and 1 computer.
On one of the servers is an Access database.
In the morning when accessing the database and opening a form, the process time is 7 seconds.
At various times of the day, opening the same form the time is 30-40 seconds.

When the speed slows down on the computers in the 2nd building and I test the database on a computer in the main building, the speed has not slowed down.

I use the database as an example because that's when they notice the problem. The database is used in our Pet Hotel.

When it slows I haven't tested the internet.

It is on all computers in the second building.

I don't know exactly how often it happens. I asked them to start keeping a log today. As an example, it happened when I was there Thursday, and I was there today and it didn't happen.

The only change to the network was one of the fiber-optic devices went bad and it was looping data. We replaced it and the speed was fast. Now the slowdown is only intermittent.

Your help is greatly appreciated.
0
 
Don Johnston commented:
What is the speed of the fiber link between the two buildings and the speed of the computers in the second building?

> There are 4 computers connected to individual network jacks.
> There is a 5 port switch plugged into one network jack. Into the switch there are 2 printers and 1 computer.
This is in the second building? So the second building only has 6 computers and 2 printers? Is the problem experienced by all computers in the second building? Or just the computers on the 5-port switch?

What is the make/model on the 5-port switch?
0
 
J.R. Sitman (Author) commented:
The fiber is a 100 gig. The computers are 3.00 and 3.20 GHz.
Yes, the problem is on all computers.
The 5-port switch is a Netgear. Don't know the exact model #.
0
 
Don Johnston commented:
> The Fiber is a 100 gig.
100 gig??? The GS116NA doesn't have a 100 gig port.
> the computers are 3.00 and 3.20 GHz.
What is the speed of the NETWORK connections to the computers?
> Don't know exact model #
Without the model number, things devolve to speculation and guessing.
0
 
J.R. Sitman (Author) commented:
I'll have them get the model # of the switch today.  The Fiber is a Unicom 10/100

How do I determine the speed of the Network connections to the computers?
0
 
J.R. Sitman (Author) commented:
The Netgear 5 port is an FS105.
0
 
Don Johnston commented:
The LEDs on the switch will tell you that. On the GS116, if the left LED is lit, the port is running at 10 Mbps. If the right LED is on then it's 100 Mbps. If both are on, then it's 1 Gbps.

But you still haven't answered the speed of the link between the two buildings.

I would suggest getting one of the LAN speed test utilities like iperf. Set it up on the server and test from a computer in building 2 during off hours.  Then run it from 2 computers, then 3, and work your way up to all of them.  That will give you a baseline.
0
 
J.R. Sitman (Author) commented:
OK. I'll have to answer these next week when I can be there. Thanks for helping. Enjoy the rest of your day.
0
 
J.R. Sitman (Author) commented:
The 16-port switch connected to the fiber optic and the 5-port switch at the desk are both running at 10 Mbps.

I ran a speed test at several different times on 4 of the computers in the second building from yesterday until recently.

At 4:15 pm yesterday TCP speeds were avg 8394 KBPS.
At 2:30 am, 8338 KBPS.
On one of the computers I noticed something odd. When the test started, the speed was at 4200 KBPS and it continued to drop all the way to 1201. After a reboot it was back up to 8311.
At 11:50 am today the same computer was at 11145 KBPS.

Let me know if you need more data.

Thanks
0
 
J.R. Sitman (Author) commented:
I have this managed switch at one of our other locations.  I'm going to move it to the location with the problem.  Can you help configure it or should I hire someone?

GS724T-300NAS      NETGEAR ProSafe GS724Tv3 - Switch - managed - 24 x 10/100/1000 + 2 x shared SFP - desktop
0
 
Don Johnston commented:
So the link between the main building and building 2 is only running at 10 Mbps?

What type of switch is at the main building that the fiber link terminates at?

There's definitely an issue with the one computer that slows down until you reboot it. But it's probably confined to that computer.

Now that you have your baseline, wait until the slowdown reoccurs and then do a network speed test at one of the building 2 computers.
0
 
J.R. Sitman (Author) commented:
The switch is a NETGEAR ProSafe GS116 16 Port Gigabit Desktop Switch - Switch - 16 x 10/100/1000 - desktop
0
 
Don Johnston commented:
The main building switch has gig ports and the building 2 switch has gig ports. Why aren't you running that link at 1 Gbps? Or at least 100 Mbps?
0
 
J.R. Sitman (Author) commented:
I don't know why it's not.  However, I found out tonight the Netgear switch might only have lights for 100 and 1000.  I'll be there tomorrow to verify.  

I've ordered a managed switch.  Will you be able to help me configure the "mirror" you have suggested?
0
 
Don Johnston commented:
> However, I found out tonight the Netgear switch might only have lights for 100 and 1000. I'll be there tomorrow to verify.
If that's the case, it can still do 1 Gbps.

> I've ordered a managed switch.
Your existing switches are managed. Just because it's managed doesn't mean that it supports port mirroring. And you're not at the point where Wireshark will help. Protocol analyzers (like Wireshark) are useful to determine why a computer is having network related problems. This issue affects multiple computers. Before you start capturing packets, you at least need an idea of what you're looking for.
0
 
J.R. Sitman (Author) commented:
Exactly what are you suggesting?
> Before you start capturing packets, you at least need an idea of what you're looking for.

I verified today, both switches in the 2nd building are running all connections at 100, not 10 Mbps.
0
 
Don Johnston commented:
Before capturing packets to try and determine what the problem is, you need to isolate the problem.

For example, when this thread started, you thought the building to building link was running at 100 Gbps. Then it was 10 Mbps. Now (it sounds like) it's 100 Mbps.

Until you understand the topology and have an idea of where the problem is, capturing packets is premature.  Especially since the problem seems to affect multiple computers. Which would indicate an issue with the building to building link.

I would be interested in seeing the interface statistics for the ports that connect the building to each other.
0
 
J.R. Sitman (Author) commented:
Here is the switch I ordered.
NETGEAR ProSafe GS716Tv2 - Switch - managed - 16 x 10/100/1000 + 2 x shared SFP
0
 
Don Johnston commented:
Page 250 of the Software Administration Manual details how to setup port mirroring.
0
 
J.R. Sitman (Author) commented:
When you get time, send me instructions on how to do this and I'll get the data to you.

> I would be interested in seeing the interface statistics for the ports that connect the building to each other.
0
 
Don Johnston commented:
Page 232.
0
 
J.R. Sitman (Author) commented:
I looked at the page and have no idea what to do.  Sorry
0
 
Don Johnston commented:
View the statistics for the port which is connected to the fiber going to the other building.  Then post them here.  Or take a screen shot and post that.
0
 
J.R. Sitman (Author) commented:
I disconnected the laptop from the switch.  Can I get the information from any computer in that building?
0
 
Don Johnston commented:
I suppose. The switch has a web-based GUI.
0
 
J.R. Sitman (Author) commented:
I'll do my best.  I hope you remember this is my "first" time doing this and using Wireshark.

 I appreciate your patience.
0
 
Don Johnston commented:
This has NOTHING TO DO WITH WIRESHARK!  This is about determining if there are any errors on the link between the two switches.
0
 
J.R. Sitman (Author) commented:
In that case I have no idea how to do what you're asking.
0
 
Don Johnston commented:
Assuming that you have installed the new switch... Go to a computer on the network (any computer). Open a web browser (IE, Firefox, Chrome, etc.). Enter the IP address of the new switch in the address bar of the browser.

Once you have logged in to the switch, select the "Monitoring" tab.  Record the switch statistics displayed on the screen (or capture a screenshot). Then click on "Port Detailed Statistics". Then select the port which connects to the main building from the drop down port list.  Record the detailed port statistics displayed on the screen (or capture a screenshot).

Post the recorded information here.
0
 
J.R. Sitman (Author) commented:
I believe you are referring to the "managed" switch.  It has not arrived yet.
0
 
Don Johnston commented:
Then there's really not much you can do at this point other than what I posted on the 25th.

> Now that you have your baseline, wait until the slowdown reoccurs and then do a network speed test at one of the building 2 computers.
0
 
J.R. Sitman (Author) commented:
I'll install the new switch Tuesday and update you.  Have a great Holiday.

Thanks for helping
0
 
J.R. Sitman (Author) commented:
I finally got to this.  Attached are the stats.
switch.png
0
 
Don Johnston commented:
Out of 2.3 million packets, you had 800 with errors.  That's .03 percent. This is well below the accepted .1% level.

But your broadcast traffic is at 45%!  That's way over the 20% recommended broadcast level.

Now if these numbers have been accumulating only after hours, then that would explain the high broadcast ratio.  If this is during regular production hours, then something is generating WAY too much broadcasts.
0
 
J.R. Sitman (Author) commented:
Should I clear them now and check in the morning before any users start?
0
 
Don Johnston commented:
I would clear them in the morning and then check the numbers after about 4 hours.
0
 
J.R. Sitman (Author) commented:
OK. I'll send results tomorrow.
0
 
J.R. Sitman (Author) commented:
Attached are the current stats.
switch-1051am.png
0
 
Don Johnston commented:
That broadcast rate is still high. I would start looking at the other site to figure out who's generating all that broadcast traffic.
0
 
J.R. Sitman (Author) commented:
How do I do that?
0
 
Don Johnston commented:
Same way. Go to the other switch and check the interface statistics for each port to determine which one is generating all the broadcasts (broadcast packets/total packets=broadcast %).
0
 
J.R. Sitman (Author) commented:
This is the only managed switch we have.  I can't get these stats from the other switches.

Since it is in the second building, logically the traffic has to be from one of the computers in that building, correct?

Shouldn't I clear the stats tonight after they leave and check them in a few hours or in the morning.  That would help identify if it is a user or computer.
0
 
Don Johnston commented:
> Since it is in the second building, logically the traffic has to be from one of the computers in that building, correct?
No. This is (supposed) to be the interface that is connected to the other building. So the broadcasts would be originating there.

> Shouldn't I clear the stats tonight after they leave and check them in a few hours or in the morning. That would help identify if it is a user or computer.
Not necessarily.
Not necessarily.

I would start up Wireshark and capture traffic for a minute and then see which device(s) are generating the broadcast.
0
 
J.R. Sitman (Author) commented:
OK, I ran it. What should I be looking for? See sample attached.
switch-capture.png
0
 
Don Johnston commented:
I would have a column for destination hardware address. Otherwise scroll through until you find packets destined for 172.18.1.255 or 255.255.255.255. Or create a filter for broadcasts.
WS Capture
0
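The two steps Don describes here, filtering a short capture down to broadcasts and then grouping them by sender to see which device is generating them, as an added example that is not part of the thread. It builds the equivalent Wireshark display filter from the two addresses he names and then runs the same classification over a handful of constructed packet-list rows. The /24 prefix (needed to derive 172.18.1.255 as the directed broadcast) and the sample rows themselves are assumptions; the sample reuses the thread's later values (172.18.1.6 and UDP port 30718) only as illustrative data.

```python
from collections import Counter
from ipaddress import IPv4Address, IPv4Network

# Addresses from the thread: packets to 172.18.1.255 (the subnet's directed
# broadcast) or 255.255.255.255. The /24 prefix is an assumption; the thread
# never states the subnet mask.
SUBNET = IPv4Network("172.18.1.0/24")
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
LIMITED_BROADCAST = IPv4Address("255.255.255.255")

# Equivalent Wireshark display filter, using the standard eth/ip field names.
DISPLAY_FILTER = (
    f"eth.dst == {BROADCAST_MAC} || ip.dst == {LIMITED_BROADCAST} "
    f"|| ip.dst == {SUBNET.broadcast_address}"
)

# Constructed packet-list rows: (src IP, dst IP, dst MAC, protocol, dst port).
# Sample data only, not the capture that was posted in the thread.
SAMPLE_PACKETS = [
    ("172.18.1.6",  "255.255.255.255", "ff:ff:ff:ff:ff:ff", "UDP", 30718),
    ("172.18.1.20", "172.18.1.5",      "00:11:22:33:44:55", "TCP", 445),
    ("172.18.1.6",  "255.255.255.255", "ff:ff:ff:ff:ff:ff", "UDP", 30718),
    ("172.18.1.31", "172.18.1.255",    "ff:ff:ff:ff:ff:ff", "UDP", 137),
    ("172.18.1.6",  "255.255.255.255", "ff:ff:ff:ff:ff:ff", "UDP", 30718),
    ("172.18.1.20", "224.0.0.251",     "01:00:5e:00:00:fb", "UDP", 5353),
    ("172.18.1.6",  "172.18.1.20",     "66:77:88:99:aa:bb", "TCP", 389),
    ("172.18.1.6",  "255.255.255.255", "ff:ff:ff:ff:ff:ff", "UDP", 30718),
]


def classify(dst_ip, dst_mac):
    """Return 'broadcast', 'multicast' or 'unicast' for one packet."""
    ip = IPv4Address(dst_ip)
    if (dst_mac.lower() == BROADCAST_MAC or ip == LIMITED_BROADCAST
            or ip == SUBNET.broadcast_address):
        return "broadcast"
    # Broadcast is excluded above, so a set group bit in the first MAC
    # octet (01:00:5e:... for IPv4 groups) now means multicast.
    if ip.is_multicast or int(dst_mac.split(":")[0], 16) & 1:
        return "multicast"
    return "unicast"


def traffic_mix(packets):
    """Packets per class: the unicast/broadcast/multicast split."""
    return Counter(classify(dst_ip, dst_mac)
                   for _src, dst_ip, dst_mac, _proto, _port in packets)


def broadcast_sources(packets):
    """Broadcasts grouped by (source IP, protocol, destination port), which
    identifies both the chatty device and the service behind the traffic."""
    return Counter((src, proto, port)
                   for src, dst_ip, dst_mac, proto, port in packets
                   if classify(dst_ip, dst_mac) == "broadcast")


def top_broadcaster(packets):
    """The (source, protocol, port) tuple sending the most broadcasts, with its count."""
    ranked = broadcast_sources(packets).most_common(1)
    return ranked[0] if ranked else None


if __name__ == "__main__":
    print("Display filter:", DISPLAY_FILTER)
    print("Traffic mix:", dict(traffic_mix(SAMPLE_PACKETS)))
    for (src, proto, port), n in broadcast_sources(SAMPLE_PACKETS).most_common():
        print(f"{src:15} {proto}/{port:<6} {n} broadcast packets")
```

Grouping by destination port as well as source is what turns "lots of broadcasts" into a lead: a single (host, port) pair dominating the list is the device and service to look at first, which is the step the thread takes next with 172.18.1.6 and port 30718.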
 
J.R. Sitman (Author) commented:
I found 11 of these.
switch-255.png
0
 
Don Johnston commented:
I'm not familiar with that port. It says that it's used by Lantronix Serial to Ethernet Discovery. But it could be for anything. I would look at the device at 172.18.1.6 and try to figure out what it's using that UDP port for.
0
 
J.R. Sitman (Author) commented:
172.18.1.6 is a DC. You're going to have to help me out. How do I check what it is using port 30718 for? This is all a new learning project for me.
0
 
J.R. Sitman (Author) commented:
I found adware on the server. Look at the attachment and let me know if it is better.
switch-826pm.png
0
 
Don Johnston commented:
Only 10% of the traffic is unicast. The rest is broadcast/multicast with broadcast making up about 40%.  That's abnormally high.
0
 
J.R. Sitman (Author) commented:
Does the attached list of the ports traffic help?
switch-ports.png
0
 
Don Johnston commented:
Take the number of broadcast packets received and divide it by the total number of packets received. Anything over 20% is considered high.
0
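The arithmetic Don applies to the switch statistics in this thread (errors as a fraction of packets received, with 0.1% as the accepted ceiling, and broadcasts as a fraction of packets received, with 20% as the ceiling), as an added example that is not part of the thread and not the switch's own output. It parses a constructed per-port table in the shape of a managed switch's "Port Detailed Statistics" page, flags the ports that cross either threshold, and picks the port receiving the most broadcasts as the place to start, which is the point made a few comments later. Port g1 reuses the thread's round numbers (2.3 million packets, 800 errors, 45% broadcast); the other two rows and all port names are made up.

```python
import re

# Thresholds used in the thread: error rate above 0.1 % of received packets,
# or broadcasts above 20 % of received packets, is worth chasing.
MAX_ERROR_PCT = 0.1
MAX_BROADCAST_PCT = 20.0

# Constructed per-port counters. Port g1 mirrors the thread's numbers
# (2.3 million packets, 800 errors, 45 % broadcast); g2 and g3 are made up.
SAMPLE_STATS = """\
Port   RxPackets  RxBroadcast  RxMulticast  RxErrors
g1     2300000    1035000      120000       800
g2     410000     41000        3000         0
g3     95000      80000        1000         3000
"""


def parse_stats(text):
    """Turn the whitespace-separated table into a list of per-port dicts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    rows = []
    for ln in lines[1:]:
        fields = re.split(r"\s+", ln.strip())
        row = {"Port": fields[0]}
        row.update({name: int(value) for name, value in zip(header[1:], fields[1:])})
        rows.append(row)
    return rows


def pct(part, whole):
    """Percentage rounded to two places; 0.0 for a port that saw nothing."""
    return round(100.0 * part / whole, 2) if whole else 0.0


def analyze(rows):
    """Per-port broadcast %, error % and unicast %, plus threshold flags."""
    report = {}
    for r in rows:
        total = r["RxPackets"]
        broadcast = pct(r["RxBroadcast"], total)
        errors = pct(r["RxErrors"], total)
        unicast = pct(total - r["RxBroadcast"] - r["RxMulticast"], total)
        flags = []
        if broadcast > MAX_BROADCAST_PCT:
            flags.append("high-broadcast")
        if errors > MAX_ERROR_PCT:
            flags.append("high-errors")
        report[r["Port"]] = {
            "broadcast_pct": broadcast,
            "error_pct": errors,
            "unicast_pct": unicast,
            "flags": flags,
        }
    return report


def likely_source_port(rows):
    """The port that received the most broadcasts; the device plugged into
    it is the sender, so it is the first place to look."""
    return max(rows, key=lambda r: r["RxBroadcast"])["Port"]


if __name__ == "__main__":
    rows = parse_stats(SAMPLE_STATS)
    for port, r in analyze(rows).items():
        print(f"{port}: broadcast {r['broadcast_pct']}%  errors {r['error_pct']}%  "
              f"unicast {r['unicast_pct']}%  {', '.join(r['flags']) or 'ok'}")
    print("Start with port", likely_source_port(rows))
```

Reading the counters once is only a snapshot of whatever has accumulated since they were last cleared; clearing them and re-reading after a known interval, as the thread does, is what tells you whether the ratio reflects production hours or an idle network.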
 
J.R. Sitman (Author) commented:
I understand what you're teaching me, but I still don't know how to find the source.  In the last screen shot it shows one of the ports much higher than the others, is that a good place to start?
0
 
Don Johnston commented:
Yes. The device connected to the port receiving the traffic would be the source of the traffic.
0
 
J.R. Sitman (Author) commented:
I haven't found the actual problem (it hasn't occurred again) but all of your help has given me what I need to help find the problem.

Thanks
0
