Need help configuring Wireshark

This is my first attempt to use Wireshark.  My goal is to find the hardware in one of our buildings that is slowing down the network.  It is intermittent so that's why I'm trying Wireshark.

I've installed it on a laptop.  Connected that laptop to the switch that all the network computers are connected to.  

What I need help with is how do I configure Wireshark to show me all the packets coming and going through the switch.  The ultimate situation would be to have it only show the packets that are potential problems.  Also I don't need to see the packets of the laptop.

I'm hoping an Expert can assist me with this and shorten my learning curve.
Asked by: J.R. Sitman
 
Don Johnston (Instructor) commented:
That's not a Wireshark configuration task.

The switch has to be configured to "span" or "mirror" the port(s) or VLAN in question.

What make/model switch?
0
 
J.R. Sitman (IT Director, Author) commented:
It is a Netgear 16 port.  Don't have exact model
0
 
J.R. Sitman (IT Director, Author) commented:
see attached
netgear.png
0
 
Don Johnston (Instructor) commented:
That appears to be an unmanaged switch. No way to mirror ports on that model.
0
 
J.R. Sitman (IT Director, Author) commented:
Any suggestions on how I should use Wireshark to find my hardware problem?
0
 
Don Johnston (Instructor) commented:
It depends on what the problem is. "Slowing down" is kinda vague.

Going to need a LOT more info.

Is it just in one building? Local traffic affected or internet traffic also?  All devices, one or some? Restricted to one application or all? How long does the slowdown last? How often does it occur? How long has this been happening? Was anything done to the network or any of the computers prior to the problem occurring?

That's about 10% of the questions that come to mind. : )
0
 
J.R. Sitman (IT Director, Author) commented:
This should give you more details.

We have two 48-port switches.
2 physical 2008 R2 servers.  One is a virtual host, which has 3 virtual servers.
From our server room there is a fiber optic link connecting our main building to a second building.
In the building where the fiber terminates there is a 16-port switch that connects to 8 physical network jacks.
There are 4 computers connected to individual network jacks.
There is a 5-port switch plugged into one network jack.  Into the switch there are 2 printers and 1 computer.
On one of the servers is an Access database.
In the morning when accessing the database and opening a form, the process time is 7 seconds.
At various times of the day, opening the same form the time is 30-40 seconds.

When the speed slows down on the computers in the 2nd building and I test the database on a computer in the main building, the speed has not slowed down.

I use the database as an example because that's when they notice the problem.  The database is used in our Pet Hotel.  

When it slows I haven't tested the internet.

It is on all computers in the second building.

I don't know exactly how often it happens.  I asked them to start keeping a log today.  As an example it happened when I was there Thursday and I was there today and it didn't happen.

The only change to the network was one of the Fiber Optic devices went bad and it was looping data.  We replaced it and the speed was fast.  Now the slow is only intermittent.

Your help is greatly appreciated.
0
 
Don Johnston (Instructor) commented:
What is the speed of the fiber link between the two buildings and the speed of the computers in the second building?

There are 4 computers connected to individual network jacks.
There is a 5-port switch plugged into one network jack.  Into the switch there are 2 printers and 1 computer.
This is in the second building? So the second building only has 6 computers and 2 printers?  Is the problem experienced by all computers in the second building?  Or just the computers on the 5-port switch?

What is the make/model on the 5-port switch?
0
 
J.R. Sitman (IT Director, Author) commented:
The Fiber is a 100 gig.  The computers are 3.00 and 3.20 GHz.
Yes problem is on all computers.
The 5 port switch is a netgear.  Don't know exact model #
0
 
Don Johnston (Instructor) commented:
The Fiber is a 100 gig.
100gig???  The GS116NA doesn't have a 100gig port.
the computers are 3.00 and 3.20 GHz.
What is the speed of the NETWORK connections to the computers.
Don't know exact model #
Without the model number, things devolve to speculation and guessing.
0
 
J.R. Sitman (IT Director, Author) commented:
I'll have them get the model # of the switch today.  The Fiber is a Unicom 10/100

How do I determine the speed of the Network connections to the computers?
0
 
J.R. Sitman (IT Director, Author) commented:
The Netgear 5 port is an FS105.
0
 
Don Johnston (Instructor) commented:
The LEDs on the switch will tell you that. On the GS116, if the left LED is lit, the port is running at 10 Mbps. If the right LED is on then it's 100 Mbps. If both are on, then it's 1 Gbps.

But you still haven't answered the speed of the link between the two buildings.

I would suggest getting one of the LAN speed test utilities like iperf. Set it up on the server and test from a computer in building 2 during off hours.  Then run it from 2 computers, then 3, and work your way up to all of them.  That will give you a baseline.
0
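The baseline procedure described above (measure from one building-2 PC during off hours, then again when the slowdown is happening, and compare), as an added example that is not part of the thread and not Don's or Netgear's code: a Python script that drives iperf3 (https://iperf.fr) in JSON mode, extracts receiver-side throughput, and classifies a retest against the baseline. Assumptions for illustration: iperf3 runs as a server on the file server ("iperf3 -s") and is installed on the client PC, the hostname "fileserver", the 100 Mbit/s link rate, and the "slow" threshold of half the baseline. The two embedded reports are constructed, not measured.

```python
"""Baseline-then-retest LAN throughput with iperf3 JSON output.

Added example, not from the thread. The hostname "fileserver", the link rate
and the slow_factor threshold are assumptions; BASELINE_REPORT and SLOW_REPORT
are constructed in the shape iperf3 -J produces, with only the fields used.
"""
import json
import shutil
import subprocess


def run_iperf3(server: str, seconds: int = 10, streams: int = 1) -> dict:
    """Run one TCP test against an iperf3 server and return its JSON report."""
    if shutil.which("iperf3") is None:
        raise RuntimeError("iperf3 is not installed on this host")
    proc = subprocess.run(
        ["iperf3", "-c", server, "-t", str(seconds), "-P", str(streams), "-J"],
        capture_output=True, text=True, check=True,
    )
    return json.loads(proc.stdout)


def received_mbps(report: dict) -> float:
    """Receiver-side throughput in Mbit/s from an iperf3 -J TCP report."""
    if "error" in report:          # iperf3 reports connection failures under this key
        raise RuntimeError(report["error"])
    return report["end"]["sum_received"]["bits_per_second"] / 1e6


def classify(baseline_mbps: float, now_mbps: float,
             link_mbps: float = 100.0, slow_factor: float = 0.5) -> str:
    """Compare a retest with the off-hours baseline.

    "baseline-low": the quiet-hours figure is already far below the link rate,
                    so check port speed/duplex before chasing a busy-hours slowdown.
    "slow":         the retest fell below slow_factor * baseline.
    "ok":           nothing to see at this layer.
    """
    if baseline_mbps < 0.25 * link_mbps:
        return "baseline-low"
    if now_mbps < slow_factor * baseline_mbps:
        return "slow"
    return "ok"


# Constructed reports (not real measurements), in iperf3 -J layout.
BASELINE_REPORT = {"end": {"sum_sent": {"bits_per_second": 94.5e6},
                           "sum_received": {"bits_per_second": 94.0e6}}}
SLOW_REPORT = {"end": {"sum_sent": {"bits_per_second": 11.8e6},
                       "sum_received": {"bits_per_second": 11.5e6}}}

if __name__ == "__main__":
    try:
        live = received_mbps(run_iperf3("fileserver"))   # hostname is an assumption
        print(f"live: {live:.1f} Mbit/s")
    except (RuntimeError, subprocess.CalledProcessError) as e:
        print("live test skipped:", e)
    base = received_mbps(BASELINE_REPORT)
    now = received_mbps(SLOW_REPORT)
    print(f"baseline {base:.1f} Mbit/s, retest {now:.1f} Mbit/s -> {classify(base, now)}")
```

Run the baseline with one client first, then with 2, 3 and more PCs in parallel as suggested, and keep the per-run numbers; the "baseline-low" branch is the case where a 100 Mbit/s link delivers a small fraction of that even when idle, which points at the link (speed/duplex, bad fiber converter) rather than at whatever is happening during business hours.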
 
J.R. Sitman (IT Director, Author) commented:
ok.  I'll have to answer these next week when I can be there.  Thanks for helping.  Enjoy the rest of your day.
0
 
J.R. Sitman (IT Director, Author) commented:
The 16 port switch connected to the Fiber Optic and the 5 port switch at the desk are both running at 10 Mbps.

I ran a speed test at several different times on 4 of the computers in the second building from yesterday until recently.

At 4:15 pm yesterday TCP speeds were avg 8394 KBPS
At 2:30 am, 8338 KBPS
On one of the computers I noticed something odd.  When the test started, the speed was at 4200 KBPS and it continued to drop all the way to 1201.  After a reboot it was back up to 8311.
At 11:50 am today the same computer was at 11145 KBPS.

Let me know if you need more data.

Thanks
0
 
J.R. Sitman (IT Director, Author) commented:
I have this managed switch at one of our other locations.  I'm going to move it to the location with the problem.  Can you help configure it or should I hire someone?

GS724T-300NAS      NETGEAR ProSafe GS724Tv3 - Switch - managed - 24 x 10/100/1000 + 2 x shared SFP - desktop
0
 
Don Johnston (Instructor) commented:
So the link between the main building and building 2 is only running at 10 Mbps?

What type of switch is at the main building that the fiber link terminates at?

There's definitely an issue with the one computer that slows down until you reboot it. But it's probably confined to that computer.

Now that you have your baseline, wait until the slowdown reoccurs and then do a network speed test at one of the building 2 computers.
0
 
J.R. Sitman (IT Director, Author) commented:
The switch is a NETGEAR ProSafe GS116 16 Port Gigabit Desktop Switch - Switch - 16 x 10/100/1000 - desktop
0
 
Don Johnston (Instructor) commented:
The main building switch has gig ports and the building 2 switch has gig ports.  Why aren't you running that link at 1 Gbps? Or at least 100 Mbps?
0
 
J.R. Sitman (IT Director, Author) commented:
I don't know why it's not.  However, I found out tonight the Netgear switch might only have lights for 100 and 1000.  I'll be there tomorrow to verify.  

I've ordered a managed switch.  Will you be able to help me configure the "mirror" you have suggested?
0
 
Don Johnston (Instructor) commented:
However, I found out tonight the Netgear switch might only have lights for 100 and 1000.  I'll be there tomorrow to verify.
If that's the case, it can still do 1 Gbps.

I've ordered a managed switch.
Your existing switches are managed.  Just because it's managed doesn't mean that it supports port mirroring. And you're not at the point where Wireshark will help. Protocol analyzers (like Wireshark) are useful to determine why a computer is having network related problems. This issue affects multiple computers. Before you start capturing packets, you at least need an idea of what you're looking for.
0
 
J.R. Sitman (IT Director, Author) commented:
Exactly what are you suggesting?
Before you start capturing packets, you at least need an idea of what you're looking for.

I verified today, both switches in the 2nd building are running all connections at 100, not 10 Mbps.
0
 
Don Johnston (Instructor) commented:
Before capturing packets to try and determine what the problem is, you need to isolate the problem.

For example, when this thread started, you thought the building to building link was running at 100 Gbps. Then it was 10 Mbps. Now (it sounds like) it's 100 Mbps.

Until you understand the topology and have an idea of where the problem is, capturing packets is premature.  Especially since the problem seems to affect multiple computers. Which would indicate an issue with the building to building link.

I would be interested in seeing the interface statistics for the ports that connect the building to each other.
0
 
J.R. Sitman (IT Director, Author) commented:
Here is the switch I ordered.
NETGEAR ProSafe GS716Tv2 - Switch - managed - 16 x 10/100/1000 + 2 x shared SFP
0
 
Don Johnston (Instructor) commented:
Page 250 of the Software Administration Manual details how to setup port mirroring.
0
 
J.R. Sitman (IT Director, Author) commented:
when you get time send me instructions on how to do this and I'll get the data to you.

I would be interested in seeing the interface statistics for the ports that connect the building to each other.
0
 
Don Johnston (Instructor) commented:
Page 232.
0
 
J.R. Sitman (IT Director, Author) commented:
I looked at the page and have no idea what to do.  Sorry
0
 
Don Johnston (Instructor) commented:
View the statistics for the port which is connected to the fiber going to the other building.  Then post them here.  Or take a screen shot and post that.
0
 
J.R. Sitman (IT Director, Author) commented:
I disconnected the laptop from the switch.  Can I get the information from any computer in that building?
0
 
Don Johnston (Instructor) commented:
I suppose. The switch has a web-based GUI.
0
 
J.R. Sitman (IT Director, Author) commented:
I'll do my best.  I hope you remember this is my "first" time doing this and using Wireshark.

 I appreciate your patience.
0
 
Don Johnston (Instructor) commented:
This has NOTHING TO DO WITH WIRESHARK!  This is about determining if there are any errors on the link between the two switches.
0
 
J.R. Sitman (IT Director, Author) commented:
in that case I have no idea how to do what you're asking.
0
 
Don Johnston (Instructor) commented:
Assuming that you have installed the new switch... Go to a computer on the network (any computer). Open a web browser (IE, Firefox, Chrome, etc.). Enter the IP address of the new switch in the address bar of the browser.

Once you have logged in to the switch, select the "Monitoring" tab.  Record the switch statistics displayed on the screen (or capture a screenshot). Then click on "Port Detailed Statistics". Then select the port which connects to the main building from the drop down port list.  Record the detailed port statistics displayed on the screen (or capture a screenshot).

Post the recorded information here.
0
 
J.R. Sitman (IT Director, Author) commented:
I believe you are referring to the "managed" switch.  It has not arrived yet.
0
 
Don Johnston (Instructor) commented:
Then there's really not much you can do at this point other than what I posted on the 25th.

Now that you have your baseline, wait until the slowdown reoccurs and then do a network speed test at one of the building 2 computers.
0
 
J.R. Sitman (IT Director, Author) commented:
I'll install the new switch Tuesday and update you.  Have a great Holiday.

Thanks for helping
0
 
J.R. Sitman (IT Director, Author) commented:
I finally got to this.  Attached are the stats.
switch.png
0
 
Don Johnston (Instructor) commented:
Out of 2.3 million packets, you had 800 with errors.  That's 0.03 percent. This is well below the accepted 0.1% level.

But your broadcast traffic is at 45%!  That's way over the 20% recommended broadcast level.

Now if these numbers have been accumulating only after hours, then that would explain the high broadcast ratio.  If this is during regular production hours, then something is generating WAY too much broadcasts.
0
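The two checks just applied to the screenshot (error rate against 0.1%, broadcast share against 20%), plus the per-port ranking used later in the thread to pick the port the broadcasts enter on, as an added example that is not part of the thread and not Don's or Netgear's code. The counters are constructed to resemble a GS716T "Port Detailed Statistics" page and are not the posted screenshots; the port names and which port is the uplink are assumptions.

```python
"""Flag switch ports by receive-error rate and broadcast share, then rank them.

Added example, not from the thread. SAMPLE_PORTS is constructed data shaped
like the switch's per-port statistics; thresholds follow the thread
(receive errors over 0.1% or broadcasts over 20% of received frames is high).
"""
from dataclasses import dataclass


@dataclass
class PortCounters:
    port: str
    rx_packets: int     # all frames received on the port
    rx_broadcast: int   # broadcast frames received, i.e. sent by the attached device
    rx_multicast: int
    rx_errors: int      # CRC/alignment/undersize/oversize received


def error_pct(c: PortCounters) -> float:
    return 100.0 * c.rx_errors / c.rx_packets if c.rx_packets else 0.0


def broadcast_pct(c: PortCounters) -> float:
    return 100.0 * c.rx_broadcast / c.rx_packets if c.rx_packets else 0.0


def analyse(ports, err_limit: float = 0.1, bcast_limit: float = 20.0):
    """Return (findings, suspect).

    findings: list of (port, message) for every port over either threshold.
    suspect:  the port that received the most broadcast frames in absolute
              terms. A switch floods a broadcast out every other port but
              counts it as received only on the port it entered, so the device
              on that port is the talker; if that port is the uplink, the
              talker is in the other building. A quiet host can show a high
              broadcast ratio on tiny counts, so the ratio is not used to rank.
    """
    findings = []
    for c in ports:
        if error_pct(c) > err_limit:
            findings.append((c.port, f"receive errors {error_pct(c):.3f}% > {err_limit}%"))
        if broadcast_pct(c) > bcast_limit:
            findings.append((c.port, f"broadcast {broadcast_pct(c):.1f}% of received frames > {bcast_limit}%"))
    suspect = max(ports, key=lambda c: c.rx_broadcast).port if ports else None
    return findings, suspect


# Constructed sample: g1 is assumed to be the fiber uplink to the main building.
SAMPLE_PORTS = [
    PortCounters("g1 (uplink)", 2_300_000, 1_035_000, 230_000, 800),
    PortCounters("g2", 120_000, 9_000, 1_000, 0),
    PortCounters("g3", 80_000, 6_000, 500, 0),
    PortCounters("g4 (printer)", 60_000, 50_000, 2_000, 0),
    PortCounters("g5", 95_000, 7_000, 600, 12),
]

if __name__ == "__main__":
    findings, suspect = analyse(SAMPLE_PORTS)
    for port, msg in findings:
        print(f"{port}: {msg}")
    print("most broadcasts entered on:", suspect)
```

Clear the counters at the start of business hours as suggested and read them again a few hours later, so the numbers reflect production traffic; the ranking by absolute count is what separates "this printer only ever talks in broadcasts" from "this port is where the flood comes in".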
 
J.R. Sitman (IT Director, Author) commented:
Should I clear them now and check in the morning before any user start?
0
 
Don Johnston (Instructor) commented:
I would clear them in the morning and then check the numbers after about 4 hours.
0
 
J.R. Sitman (IT Director, Author) commented:
ok.  I'll send results tomorrow.
0
 
J.R. Sitman (IT Director, Author) commented:
Attached is the current stats
switch-1051am.png
0
 
Don Johnston (Instructor) commented:
That broadcast rate is still high. I would start looking at the other site to figure out who's generating all that broadcast traffic.
0
 
J.R. Sitman (IT Director, Author) commented:
How do I do that?
0
 
Don Johnston (Instructor) commented:
Same way. Go to the other switch and check the interface statistics for each port to determine which one is generating all the broadcasts (broadcast packets/total packets=broadcast %).
0
 
J.R. Sitman (IT Director, Author) commented:
This is the only managed switch we have.  I can't get these stats from the other switches.

Since it is in the second building, logically the traffic has to be from one of the computers in that building, correct?

Shouldn't I clear the stats tonight after they leave and check them in a few hours or in the morning.  That would help identify if it is a user or computer.
0
 
Don Johnston (Instructor) commented:
Since it is in the second building, logically the traffic has to be from one of the computers in that building, correct?
No. This is (supposed) to be the interface that is connected to the other building. So the broadcasts would be originating there.

Shouldn't I clear the stats tonight after they leave and check them in a few hours or in the morning.  That would help identify if it is a user or computer.
Not necessarily.

I would start up Wireshark and capture traffic for a minute and then see which device(s) are generating the broadcast.
0
 
J.R. Sitman (IT Director, Author) commented:
Ok, I ran it, what should I be looking for?  See sample attached.
switch-capture.png
0
 
Don Johnston (Instructor) commented:
I would have a column for destination hardware address.  Otherwise scroll through until you find packets destined for 172.18.1.255 or 255.255.255.255.  Or create a filter for broadcasts.
0
 
J.R. Sitman (IT Director, Author) commented:
I found 11 of these.
switch-255.png
0
 
Don Johnston (Instructor) commented:
I'm not familiar with that port. It says that it's used by Lantronix Serial to Ethernet Discovery. But it could be for anything. I would look at the device at 172.18.1.6 and try to figure out what it's using that UDP port for.
0
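A way to do what the last few comments describe (capture for a minute, keep only broadcasts, then see which device and UDP port they come from), as an added example that is not part of the thread and not Don's or Wireshark's code: a standard-library Python script that reads a libpcap file as Wireshark saves it, counts frames whose destination MAC is ff:ff:ff:ff:ff:ff (which covers both 255.255.255.255 and the subnet broadcast 172.18.1.255, and ARP), and tallies them by sender and UDP destination port. The same selection in the Wireshark GUI is the display filter `eth.dst == ff:ff:ff:ff:ff:ff`. The embedded capture is constructed: the MAC addresses, the hosts 172.18.1.20 and 172.18.1.21 and the payload bytes are made up; only the 172.18.1.6 / UDP 30718 broadcast mirrors what the thread found.

```python
"""Count broadcast frames in a pcap and tally them by sender and UDP port.

Added example, not from the thread. Pure standard library; pass a pcap file
saved from Wireshark as the first argument, or run with no argument to use the
constructed SAMPLE capture. Addresses in SAMPLE are made up except
172.18.1.6 / UDP 30718, which mirror the thread's finding.
"""
import struct
from collections import Counter

BROADCAST_MAC = b"\xff" * 6
WIRESHARK_FILTER = "eth.dst == ff:ff:ff:ff:ff:ff"   # same selection in the Wireshark GUI


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def ip(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def ip_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement checksum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def udp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload=b"") -> bytes:
    """Ethernet II / IPv4 (no options) / UDP; UDP checksum left 0 (permitted on IPv4)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                      ip(src_ip), ip(dst_ip))
    iph = iph[:10] + struct.pack("!H", ip_checksum(iph)) + iph[12:]
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + iph + udp


def arp_request(src_mac, src_ip, target_ip) -> bytes:
    """Ethernet II / ARP who-has, which is always sent to the broadcast MAC."""
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + mac(src_mac) + ip(src_ip)
           + bytes(6) + ip(target_ip))
    return BROADCAST_MAC + mac(src_mac) + b"\x08\x06" + arp


def write_pcap(frames, ts0=1_700_000_000) -> bytes:
    """Minimal little-endian libpcap file, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", ts0 + i, 0, len(f), len(f)) + f
    return out


def read_pcap(data: bytes):
    """Yield the captured bytes of each record in a little-endian pcap file."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap is handled here")
    off = 24
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl]
        off += incl


def parse(frame: bytes) -> dict:
    """Extract what the broadcast hunt needs: sender, broadcast flag, UDP dport."""
    etype = struct.unpack("!H", frame[12:14])[0]
    info = {"src_mac": frame[6:12].hex(":"), "broadcast": frame[:6] == BROADCAST_MAC,
            "etype": etype, "src_ip": None, "dst_ip": None, "dport": None}
    if etype == 0x0800 and len(frame) >= 34:                  # IPv4
        ihl = (frame[14] & 0x0F) * 4
        info["src_ip"] = ".".join(map(str, frame[26:30]))
        info["dst_ip"] = ".".join(map(str, frame[30:34]))
        if frame[23] == 17 and len(frame) >= 14 + ihl + 8:    # UDP
            info["dport"] = struct.unpack("!H", frame[16 + ihl:18 + ihl])[0]
    elif etype == 0x0806 and len(frame) >= 42:                # ARP: sender IP
        info["src_ip"] = ".".join(map(str, frame[28:32]))
    return info


def broadcast_report(pcap_bytes: bytes):
    """Return (total_frames, broadcast_frames, Counter of (sender, dport))."""
    total = bcast = 0
    talkers = Counter()
    for frame in read_pcap(pcap_bytes):
        p = parse(frame)
        total += 1
        if p["broadcast"]:
            bcast += 1
            talkers[(p["src_ip"] or p["src_mac"], p["dport"])] += 1
    return total, bcast, talkers


# Constructed capture: 11 UDP 30718 broadcasts, 2 ARP requests, 7 unicast DNS queries.
SAMPLE = write_pcap(
    [udp_frame("02:00:00:00:00:06", "ff:ff:ff:ff:ff:ff", "172.18.1.6",
               "255.255.255.255", 30718, 30718, b"\x00" * 4)] * 11
    + [arp_request("02:00:00:00:00:21", "172.18.1.21", "172.18.1.1")] * 2
    + [udp_frame("02:00:00:00:00:20", "02:00:00:00:00:06", "172.18.1.20",
                 "172.18.1.6", 51000, 53)] * 7
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    total, bcast, talkers = broadcast_report(data)
    print(f"{bcast}/{total} frames are broadcast ({100.0 * bcast / total:.0f}%)")
    for (sender, dport), n in talkers.most_common():
        print(f"  {n:5d}  {sender}  {'udp/' + str(dport) if dport else 'non-udp'}")
```

The tally is what turns "there are too many broadcasts" into "this host, on this port": once the top sender is known, the switch port it is plugged into and the service bound to that UDP port on the host (netstat or the equivalent on the server) are the next two things to look at. Save from Wireshark in pcap (not pcapng) format for this reader.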
 
J.R. Sitman (IT Director, Author) commented:
172.18.1.6 is a DC.  You're going to have to help me out.  How do I check what it is using port 30718 for?  This is all a new learning project for me.
0
 
J.R. Sitman (IT Director, Author) commented:
I found adware on the server.  look at the attachment and let me know if it is better
switch-826pm.png
0
 
Don Johnston (Instructor) commented:
Only 10% of the traffic is unicast. The rest is broadcast/multicast with broadcast making up about 40%.  That's abnormally high.
0
 
J.R. Sitman (IT Director, Author) commented:
Does the attached list of the ports traffic help?
switch-ports.png
0
 
Don Johnston (Instructor) commented:
Take the number of broadcast packets received and divide it by the total number of packets received. Anything over 20% is considered high.
0
 
J.R. Sitman (IT Director, Author) commented:
I understand what you're teaching me, but I still don't know how to find the source.  In the last screen shot it shows one of the ports much higher than the others, is that a good place to start?
0
 
Don Johnston (Instructor) commented:
Yes. The device connected to the port receiving the traffic would be the source of the traffic.
0
 
J.R. Sitman (IT Director, Author) commented:
I haven't found the actual problem (it hasn't occurred again) but all of your help has given me what I need to help find the problem.

Thanks
0