Network Analysis

Network analysis is the practice of examining the traffic, devices and services on a network in order to diagnose and remediate problems of performance, connectivity and security. It is carried out with tools built for capturing, monitoring and dissecting network activity (packet analyzers, flow collectors, SNMP monitors and the like). A separate body of work uses the same word for optimization on graphs: network problems that involve finding an optimal way of doing something are studied under the name combinatorial optimization, with examples such as network flow, the shortest path problem, the transport and transshipment problems, location, matching, assignment, packing and routing problems, Critical Path Analysis and PERT (Program Evaluation and Review Technique).

Hi - we have a wired/wireless network at a school, multiple VLANs, an IP phone system, using a SonicWall NSA 2600. For the last 4 days, I have received calls where the internet was "down" for the computers, yet the phones were working (both calls coming into the building and going out of the building). I was NOT able to access any computers that I have unattended access to, except for the computers that are on only 1 VLAN. So this 1 VLAN and the phone system, both still on DHCP, were unaffected by this issue. A simple reboot of the firewall "fixes" the issue temporarily, so they're at least back up and running. The most puzzling part of troubleshooting this is why this one VLAN isn't affected by the issue when every other one is. Initially I thought it may have been a router that a student set up (intentionally), creating a rogue DHCP server, or some type of broadcast storm. But I still can't figure out why that one VLAN is unaffected. Anyone have a good way of tackling this one?
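One way to settle the rogue-DHCP theory from the question above is to mirror the uplink (or the VLANs in question) to a capture box, keep only DHCP server-side messages (in Wireshark: `udp.srcport == 67`, or `bootp.option.dhcp == 2 || bootp.option.dhcp == 5` for OFFER/ACK), and tabulate which server identifiers answer on which VLAN. The script below is an added example, not code from the original post: the records are constructed, the authorized server address 10.0.1.2 and the VLAN numbers are assumptions, and the point it makes is that a VLAN that never sees the rogue's replies is simply one the rogue device cannot reach, which is where to start looking for its switch port.

```python
"""Added example: spotting a rogue DHCP server per VLAN from mirrored DHCP replies.

Assumptions (not from the post): one authorized DHCP server at 10.0.1.2,
replies captured on a SPAN/monitor port, and the sample records below are
constructed, not real captures.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DhcpReply:
    vlan: int          # 802.1Q tag seen on the mirror port
    server_mac: str    # Ethernet source of the OFFER/ACK
    server_ip: str     # DHCP option 54 (server identifier)
    msg_type: str      # "OFFER" or "ACK"
    offered_ip: str    # yiaddr
    router: str        # option 3 (default gateway handed out)


AUTHORIZED = {"10.0.1.2"}   # assumption: the school's only legitimate DHCP server

# Constructed sample: VLANs 10 and 20 see a second server (a consumer router,
# handing out 192.168.1.x with itself as gateway); VLAN 30 sees only 10.0.1.2.
SAMPLE = [
    DhcpReply(10, "00:11:22:33:44:01", "10.0.1.2", "OFFER", "10.0.10.50", "10.0.10.1"),
    DhcpReply(10, "a4:2b:8c:00:00:01", "192.168.1.1", "OFFER", "192.168.1.100", "192.168.1.1"),
    DhcpReply(10, "a4:2b:8c:00:00:01", "192.168.1.1", "ACK", "192.168.1.100", "192.168.1.1"),
    DhcpReply(20, "00:11:22:33:44:01", "10.0.1.2", "OFFER", "10.0.20.51", "10.0.20.1"),
    DhcpReply(20, "a4:2b:8c:00:00:01", "192.168.1.1", "OFFER", "192.168.1.101", "192.168.1.1"),
    DhcpReply(30, "00:11:22:33:44:01", "10.0.1.2", "OFFER", "10.0.30.52", "10.0.30.1"),
    DhcpReply(30, "00:11:22:33:44:01", "10.0.1.2", "ACK", "10.0.30.52", "10.0.30.1"),
]


def find_rogue_servers(replies, authorized=AUTHORIZED):
    """Per VLAN, every server identifier that is not authorized, with the MAC
    it came from, how many replies it sent and which gateways it advertised."""
    rogues = defaultdict(dict)
    for r in replies:
        if r.server_ip in authorized:
            continue
        entry = rogues[r.vlan].setdefault(
            r.server_ip, {"mac": r.server_mac, "replies": 0, "routers": set()})
        entry["replies"] += 1
        entry["routers"].add(r.router)
    return dict(rogues)


def unaffected_vlans(replies, authorized=AUTHORIZED):
    """VLANs on which only authorized servers answered."""
    seen = defaultdict(set)
    for r in replies:
        seen[r.vlan].add(r.server_ip)
    return sorted(v for v, ips in seen.items() if ips <= authorized)


def rogue_vlans_by_mac(replies, authorized=AUTHORIZED):
    """Which VLANs each rogue MAC appears on. One MAC answering on several
    VLANs means the device sits on a port that carries all of them; look that
    MAC up in the switch MAC address table to find the physical port."""
    vlans = defaultdict(set)
    for r in replies:
        if r.server_ip not in authorized:
            vlans[r.server_mac].add(r.vlan)
    return {mac: sorted(v) for mac, v in vlans.items()}


if __name__ == "__main__":
    for vlan, servers in sorted(find_rogue_servers(SAMPLE).items()):
        for ip, info in servers.items():
            print(f"VLAN {vlan}: rogue DHCP {ip} ({info['mac']}), "
                  f"{info['replies']} replies, gateways {sorted(info['routers'])}")
    print("clean VLANs:", unaffected_vlans(SAMPLE))
    print("rogue MAC -> VLANs:", rogue_vlans_by_mac(SAMPLE))
```

If the capture shows no second server at all while clients still lose connectivity, the rogue-DHCP theory is dead and the next things to compare between the working VLAN and the others are what differs on the firewall (zones, DHCP relay, NAT policy, interface) rather than what differs on the switches.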
Does anyone know what would cause a port 445 RST from the internal network? I ran a packet capture mirroring the external interface, and they appear to be from the internal network. What is interesting is that one source IP we're seeing is one we have dropped or sent to null0 on the core routers, so I'm not sure why we would still see any packets from this network.
I use Wireshark to capture the IEEE 1722.1 messages. Please see the attached. I was not able to see the source and destination port numbers. I tried to remove the entry in the Decode As popup dialog and save the empty 'Decode As' configuration, but it failed. When I reopened the 'Decode As' dialog, the entry had not been removed.
How can I configure Wireshark to show the ports used in the IEEE 1722.1 message? Thanks.
Have been using VisualRoute 2010 for years to help with our remote equipment installations. In general it is helpful and can usually give me enough info to take the troubleshooting to the next step. However, it appears that it has not been upgraded or improved in ages.

And while it is useful, having more tools that can drill down further into latency or bad hops, etc., would be a welcome advancement. I have also heard that the way it handles some situations causes it to report dropped packets when that is not the case.

QUESTION: So does anyone know of a good tool that has the easy UI of VisualRoute but is more up to date, refined and powerful?

Any help is much appreciated. A small portion of my work relates to tracking down non-functional remote equipment, but it is the part of the job that is most stressful and least enjoyable.

We have a website that needs to be accessed by staff. We have checked our Meraki firewall logs and also the Cisco Umbrella content filters to make sure nothing is being blocked, but the site is still inaccessible. I ran a Wireshark capture and just see continuous TCP Retransmission entries. I am not familiar enough with Wireshark to analyze the capture and am also running out of ideas on how to get this to work.

Any suggestions?

Wireshark Screenshot
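"Continuous TCP Retransmission" covers two very different failures, and the capture already tells them apart: SYNs that are retransmitted with no SYN/ACK ever arriving mean nothing is answering (a block or route problem upstream, or DNS handing back an address you did not expect), whereas a handshake that completes followed by retransmission of only the full-size segments is the signature of an MTU/PMTUD black hole, where ICMP fragmentation-needed is filtered somewhere on the path and the large packets silently vanish. The script below is an added example, not from the original post; the packets, addresses and ports are constructed to show both patterns, and the 1400-byte "full size" threshold is my own.

```python
"""Added example: triage 'continuous TCP Retransmission' in a capture.

Not from the post. The packets below are constructed to show the two
patterns worth telling apart: SYNs that never get a SYN/ACK, and a
completed handshake where only full-size segments are retransmitted.
Addresses and ports are invented.
"""
from collections import namedtuple

Pkt = namedtuple("Pkt", "ts src sport dst dport flags seq plen")

FULL_SIZE = 1400   # assumption: segments at/above this count as full MSS on a 1500-byte path


def _new_flow():
    return {"syn": 0, "synack": False, "seen": {}, "retrans": {}}


def triage(pkts):
    """Group packets into client->server flows keyed by the first SYN and count
    SYN retries, SYN/ACKs and duplicate data segments in each direction."""
    flows = {}
    for p in pkts:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if "S" in p.flags and "A" not in p.flags:      # client SYN (or its retry)
            flows.setdefault(fwd, _new_flow())["syn"] += 1
            continue
        if fwd in flows:
            f, direction = flows[fwd], "c2s"
        elif rev in flows:
            f, direction = flows[rev], "s2c"
        else:
            continue                                    # mid-stream flow, no SYN seen
        if "S" in p.flags and "A" in p.flags:
            f["synack"] = True
        if p.plen > 0:
            key = (direction, p.seq)
            if key in f["seen"]:                        # same seq carrying data again
                f["retrans"][key] = f["retrans"].get(key, 0) + 1
            else:
                f["seen"][key] = p.plen
    return flows


def diagnose(f):
    """Turn one flow's counters into the question to ask next."""
    if f["syn"] > 1 and not f["synack"]:
        return (f"SYN retransmitted {f['syn'] - 1} times with no SYN/ACK: nothing is "
                "answering (blocked upstream, unroutable, or DNS returned an unexpected address)")
    if not f["retrans"]:
        return "no retransmissions"
    retx_sizes = [f["seen"][k] for k in f["retrans"]]
    delivered = [n for k, n in f["seen"].items() if k not in f["retrans"]]
    if min(retx_sizes) >= FULL_SIZE and delivered and max(delivered) < FULL_SIZE:
        return ("handshake completed; only full-size segments are retransmitted while "
                "small ones get through: classic MTU/PMTUD black hole (ICMP "
                "fragmentation-needed filtered somewhere on the path)")
    return (f"handshake completed; {sum(f['retrans'].values())} data retransmissions: "
            "packet loss after connect, compare a capture on the firewall's outside")


# Constructed sample: flow 1 gets no answer at all, flow 2 is a PMTUD black hole.
SAMPLE = [
    Pkt(0.00, "10.0.5.20", 51000, "203.0.113.10", 443, "S", 1000, 0),
    Pkt(1.00, "10.0.5.20", 51000, "203.0.113.10", 443, "S", 1000, 0),
    Pkt(3.00, "10.0.5.20", 51000, "203.0.113.10", 443, "S", 1000, 0),
    Pkt(0.10, "10.0.5.21", 51001, "203.0.113.10", 443, "S", 2000, 0),
    Pkt(0.12, "203.0.113.10", 443, "10.0.5.21", 51001, "SA", 7000, 0),
    Pkt(0.12, "10.0.5.21", 51001, "203.0.113.10", 443, "A", 2001, 0),
    Pkt(0.13, "10.0.5.21", 51001, "203.0.113.10", 443, "PA", 2001, 180),    # ClientHello, small
    Pkt(0.15, "203.0.113.10", 443, "10.0.5.21", 51001, "PA", 7001, 1460),   # ServerHello, full size
    Pkt(0.45, "203.0.113.10", 443, "10.0.5.21", 51001, "PA", 7001, 1460),   # retransmission
    Pkt(1.05, "203.0.113.10", 443, "10.0.5.21", 51001, "PA", 7001, 1460),   # retransmission
]

if __name__ == "__main__":
    for key, f in triage(SAMPLE).items():
        print(key, "->", diagnose(f))
```

To feed a real capture through this, export the relevant packets from Wireshark with `tshark -r capture.pcapng -Y "ip.addr == <site>" -T fields -e frame.time_relative -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e tcp.flags.str -e tcp.seq -e tcp.len` and build `Pkt` records from the columns; in the MTU case the quickest confirmation is `ping <site> -f -l 1472` from Windows (or `ping -M do -s 1472` on Linux), which fails if the path cannot carry a full 1500-byte packet.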
We have kiosk systems running either Windows 7 or Windows 10 IoT. These systems are running a kiosk application in full-screen mode. Using our RMM software (Kaseya), we would like to be able to scan the network traffic for a little while as a test to see if the data is encrypted or not. We would like to use something like Wireshark monitoring the loopback adapter, but it would be great if we could do it non-obtrusively (through the remote shell) so we don't need to take the system out of service. My understanding with Wireshark is that I have to have WinPcap installed.

I have two questions:

1. If using Wireshark, can I install remotely & silently? Same with WinPcap?
2. If not, are there any other ways to get a small data dump using a remote shell? Other alternatives to Wireshark?
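Whatever gathers the capture (a silently installed tshark/WinPcap, or a built-in Windows trace converted to pcap), the question the kiosk owner actually wants answered is "are these bytes TLS or cleartext", and that can be decided from the first few bytes of each TCP payload without a GUI. The classifier below is an added example, not code from the original post: it recognises TLS record headers, pulls the server name out of a ClientHello so you know which service the kiosk talks to, and flags HTTP or other printable cleartext; the sample payloads are constructed and `build_client_hello()` is a minimal test vector, not a complete handshake. Two caveats a practitioner would add: capturing on the loopback adapter only shows traffic that never leaves the box, so capture on the real NIC; and "it is TLS" says nothing about whether the kiosk app validates the server certificate.

```python
"""Added example: is the kiosk's traffic encrypted? Classify captured TCP
payloads as TLS (and pull the SNI from a ClientHello) or plaintext.

Not from the post. Assumes a capture already exists as raw payload bytes;
the sample payloads below are constructed, and build_client_hello() makes a
minimal test vector, not a complete handshake.
"""
import struct

HTTP_STARTS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ", b"HTTP/1.")


def build_client_hello(sni: str) -> bytes:
    """Constructed TLS record: one ClientHello with a server_name extension."""
    host = sni.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type host_name(0)
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list          # extension type 0
    body = (b"\x03\x03" + b"\x11" * 32                              # version, random
            + b"\x00"                                               # session_id length
            + b"\x00\x02\xc0\x2f"                                   # one cipher suite
            + b"\x01\x00"                                           # null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # client_hello(1), 3-byte len
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Walk a ClientHello record and return the server_name, or None."""
    try:
        if record[5] != 0x01:                 # handshake type must be client_hello
            return None
        p = 9 + 2 + 32                        # record hdr, handshake hdr, version, random
        p += 1 + record[p]                    # session_id
        p += 2 + struct.unpack("!H", record[p:p + 2])[0]   # cipher_suites
        p += 1 + record[p]                    # compression_methods
        end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", record[p:p + 4])
            p += 4
            if ext_type == 0:                 # server_name: list len(2), type(1), name len(2), name
                name_len = struct.unpack("!H", record[p + 3:p + 5])[0]
                return record[p + 5:p + 5 + name_len].decode("ascii", "replace")
            p += ext_len
    except (IndexError, struct.error):
        return None
    return None


def classify(payload: bytes):
    """('tls', sni_or_None) | ('plaintext', first_line_or_None) | ('unknown', None)"""
    if (len(payload) >= 5 and payload[0] in (0x16, 0x17)        # handshake / application data
            and payload[1] == 0x03 and payload[2] <= 0x04):      # record version 3.x
        return ("tls", extract_sni(payload) if payload[0] == 0x16 else None)
    if payload.startswith(HTTP_STARTS):
        return ("plaintext", payload.split(b"\r\n", 1)[0].decode("ascii", "replace"))
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in payload)
    if payload and printable / len(payload) > 0.95:              # some other cleartext protocol
        return ("plaintext", None)
    return ("unknown", None)


# Constructed payloads: what a kiosk might send over a card-swipe API.
SAMPLE_PAYLOADS = {
    "tls_hello": build_client_hello("kiosk-api.example.net"),
    "tls_appdata": b"\x17\x03\x03\x00\x20" + bytes(32),
    "http_post": b"POST /api/swipe HTTP/1.1\r\nHost: kiosk-api.example.net\r\n\r\ntrack2=...",
    "binary": bytes(range(0, 40)),
}

if __name__ == "__main__":
    for name, data in SAMPLE_PAYLOADS.items():
        print(name, "->", classify(data))
```

Run it over the first data segment of every connection in the capture (in tshark terms, `-Y "tcp.len > 0" -T fields -e tcp.payload` gives you the hex to feed in) and the result is a short list of destinations with a tls/plaintext verdict for each, which is the evidence the test was meant to produce.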
We provide IT to a fairly large car dealership. For the past several months they've had the internet slow to a crawl. They pay for 40/40 Mbps. During the slowdown they'll see speed tests of 0.2-1 Mbps down and 30 up. These slowdowns are not every day, and when they happen, it's first thing in the morning, usually 8 am to 10:30 am, and then it just goes back to normal.

We've talked multiple times with the ISP. They say it's not on their end. They have sent us a screenshot showing our network is saturated but no details as to what could be causing it.

We have a SonicWall in place and have recently purchased Bandwidth Monitoring. I've been able to check slowdowns twice with the BWM. The top initiators change almost every time I refresh. They are all devices or workstations. Not seeing any servers or a single workstation as the top "bandwidth hog." The top application in the app flow is "General HTTPS".

We've been able to use the IPs to nslookup the workstations and run some anti-malware and check browsing history. Some have needed malware/PUPs cleaned up, but nothing has ultimately resolved the issue. We're running out of things to look for and try. Just looking for tools, suggestions, more tests to try to track this issue down.
We have many network monitoring tools which have lots of information; please see the following:
1.) OpManager: monitors switches, servers.
2.) Exinda: monitors network traffic on different networks.
3.) Cisco Prime: monitors mainly the wireless network.
4.) Cisco ISE: monitors the user authentication process.
5.) Barracuda Cloud Control: email alignment with SPF, DKIM and DMARC.
6.) PPT: reports of email spam, phishing and viruses.
7.) AV SIEM solution: reports of abnormal/malicious network traffic detection.

We would like to consolidate all the high-level graphics/charts/data from the above seven monitoring systems into one system displayed on a single big screen (or two to three screens, each shown in turn for 5-10 seconds) with live, dynamically updated data, which would be on the wall outside our IT department.

We approached Splunk for a solution 2-3 years ago; it can be done but is very expensive: we're talking about $200k-ish, which we would never be able to get approved by senior management.

My questions are:

1.) Has anyone done this before?
2.) What is the best approach to consolidating this high-level info/data on one system?
3.) How do we achieve this, and what is the cost?

Any information and help would be much appreciated.


I have a very strange issue. I have 2 Juniper switches that can ping each other's gateway addresses fine, and I can ping in both directions from both sites' core switches, so there is no routing issue; see below.

However, I can't ping server to server with the "source:" and "destination:".

Yet I can ping in one direction successfully from the core switch to the server, just not the other way around. What am I missing?

Source: (Core Switch) (FAILS)

PING ( 56 data bytes
--- ping statistics ---
10 packets transmitted, 0 packets received, 100% packet loss

Source: (Core Switch) (SUCCESSFUL)

PING ( 56 data bytes
64 bytes from icmp_seq=0 ttl=64 time=25.254 ms
64 bytes from icmp_seq=1 ttl=64 time=5.509 ms
64 bytes from icmp_seq=2 ttl=64 time=5.921 ms
64 bytes from icmp_seq=3 ttl=64 time=5.797 ms
64 bytes from icmp_seq=4 ttl=64 time=8.691 ms
64 bytes from icmp_seq=5 ttl=64 time=7.270 ms
64 bytes from icmp_seq=6 ttl=64 time=5.838 ms
64 bytes from icmp_seq=7 ttl=64 time=8.442 ms
64 bytes from icmp_seq=8 ttl=64 time=6.217 ms
64 bytes from icmp_seq=9 ttl=64 time=8.369 ms
--- …

I am running Debian 9 on Server 2012 R2 Hyper-V. The scenario is that I have 2 physical servers, each with a Debian virtual machine.

A) Setup Hyper-V for mirroring

1) The goal is to capture packets, so Hyper-V on both is set to monitoring mode.

2) Once the "Destination" mirroring setting under the virtual machine's network adapter is set in the Hyper-V configuration, I immediately notice that traffic on the physical network interface on the server (for the Hyper-V virtual switch) starts increasing rapidly, say 70 Mb/s, ON BOTH servers. This is good; it means that the Hyper-V settings are sane (and of course the network configuration on the switch is perfect).

B) Setup Debian for promiscuous mode

1) Here I use the following in /etc/network/interfaces:

allow-hotplug eth1
iface eth1 inet manual
    up ifconfig eth1 promisc up
    down ifconfig eth1 promisc down

and verify with ifconfig as shown below

Debian VM1 on Server1
        ether 00:15:5d:15:16:17  txqueuelen 1000  (Ethernet)
        RX packets 5090918  bytes 3090553169 (2.8 GiB)
        RX errors 0  dropped 6  overruns 0  frame 0
        TX packets 89  bytes 7638 (7.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Debian VM2 on Server2
        ether 00:15:5d:15:16:17  txqueuelen 1000  (Ethernet)
        RX packets 42094  

We get calls from people who cannot get to a particular website. The cursor will just spin and the request will time out. This happens intermittently. We called level 2 support, and they claim that the requests are not hitting their gateway, but I am not sure this is the case. I'd like to provide some hard data to level 2 support with a tool like Wireshark, but I don't know how to interpret Wireshark.

Is there a tool that is a bit simpler than Wireshark that can tell me exactly where the hold-up is? I have looked at a tool called DNSQuerySniffer, but it looks like it stops at my internal DNS server. I have also tried a simple tracert, but tracert hops time out on sites that are working, so they are not reliable.

We do have company internet filters in place (Fortinet), but they are managed at level 2, so I don't have access to their logs. I am also told that there are a few old DNS server records in my forward lookup zones, but they have been there since long before this problem began.

Thank you!!
Hi Guys,
I observed a large number of no-buffer drops on the interface facing the internet on my C2911 router; however, I don't see any failures or many missed packets in the buffer counters.
What could be the reason for it?

MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 42/255, rxload 122/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full Duplex, 100Mbps, media type is RJ45
  output flow-control is unsupported, input flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:03, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/76 (size/max/drops/flushes); Total output drops: 3631582
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 48118000 bits/sec, 6878 packets/sec
  5 minute output rate 16759000 bits/sec, 3252 packets/sec
     4022440271 packets input, 4092734377 bytes, 3631387 no buffer
     Received 6062 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     592 input errors, 0 CRC, 0 frame, 592 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     1319074480 packets output, 2459248571 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     1 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped …
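In Cisco's own definitions, "no buffer" is an input-side counter (received packets discarded because no system buffer was available, typically from bursts or broadcast storms), "overrun" counts packets the receive hardware could not hand off because the input rate exceeded what it could handle, and neither has anything to do with the output queue, so the question is really "how bad is the input drop rate, and is it current or historical". The parser below is an added example, not from the original post, run here over the interface output quoted in the question; the thresholds are mine. Two things it makes visible that are easy to miss by eye: the no-buffer count is about 0.09% of all packets ever received, and the lifetime byte counter is smaller than the packet counter, which is impossible for Ethernet frames and means the 32-bit byte counter has wrapped, so lifetime ratios built on it are meaningless. Since the counters have never been cleared, the useful test is to clear them and re-sample during the busy period.

```python
"""Added example: pull the drop counters out of 'show interface' output and
say what they do and do not support. Not from the post; the parser is run
here on the interface output quoted in the question. Counter meanings follow
Cisco's documented definitions; the thresholds are my own.
"""
import re

# The output quoted in the question (not a constructed sample).
SHOW_INTERFACE = """\
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 42/255, rxload 122/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full Duplex, 100Mbps, media type is RJ45
  output flow-control is unsupported, input flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:03, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/76 (size/max/drops/flushes); Total output drops: 3631582
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 48118000 bits/sec, 6878 packets/sec
  5 minute output rate 16759000 bits/sec, 3252 packets/sec
     4022440271 packets input, 4092734377 bytes, 3631387 no buffer
     Received 6062 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     592 input errors, 0 CRC, 0 frame, 592 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     1319074480 packets output, 2459248571 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
"""


def parse_show_interface(text):
    """Extract the counters that matter for an input-drop question."""
    def ints(pattern):
        m = re.search(pattern, text)
        if not m:
            raise ValueError(f"counter not found: {pattern}")
        return [int(g) for g in m.groups()]

    c = {}
    c["rxload"] = ints(r"rxload (\d+)/255")[0]
    _, c["in_q_max"], c["in_q_drops"], c["in_q_flushes"] = ints(
        r"Input queue: (\d+)/(\d+)/(\d+)/(\d+)")
    c["total_output_drops"] = ints(r"Total output drops: (\d+)")[0]
    c["in_bps"], c["in_pps"] = ints(r"5 minute input rate (\d+) bits/sec, (\d+) packets/sec")
    c["packets_input"], c["bytes_input"], c["no_buffer"] = ints(
        r"(\d+) packets input, (\d+) bytes, (\d+) no buffer")
    c["input_errors"], c["crc"], c["frame"], c["overrun"], c["ignored"] = ints(
        r"(\d+) input errors, (\d+) CRC, (\d+) frame, (\d+) overrun, (\d+) ignored")
    c["counters_never_cleared"] = "counters never" in text
    return c


def assess(c):
    """Findings worth checking before blaming the ISP or the router."""
    findings = {}
    findings["no_buffer_ratio"] = c["no_buffer"] / c["packets_input"]   # lifetime input drop rate
    findings["avg_pkt_bytes_now"] = c["in_bps"] / 8 / c["in_pps"]       # from the 5-minute rates
    findings["rx_utilisation"] = c["rxload"] / 255
    # 32-bit counters: fewer lifetime bytes than packets means the byte
    # counter has wrapped, so any lifetime ratio built on it is meaningless.
    findings["counter_wrap"] = c["bytes_input"] / c["packets_input"] < 64
    findings["overrun"] = c["overrun"]
    findings["stale"] = c["counters_never_cleared"]
    return findings


if __name__ == "__main__":
    for k, v in assess(parse_show_interface(SHOW_INTERFACE)).items():
        print(f"{k}: {v}")
```

A 0.09% lifetime input drop rate on a link running at roughly half its 100 Mbps capacity is not in itself a problem; what matters is whether `no buffer` and `overrun` are still climbing after `clear counters`, and if they are, `show buffers` and `show processes cpu` during the peak are the next places to look, since both counters point at the router failing to keep up with bursts rather than at the line.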
How do I reduce lsass.exe network traffic? It is very high and takes a lot of the internet connection's bandwidth.

I'm hoping to get some ideas on this one. I'm having some intermittent latency and sometimes dropouts on the network, which consists of mostly Cisco SX300 switches.

When the latency or dropout happens, the CPU utilisation of the core SG300 switch is over 40%. I have been told the issue is caused by spanning tree, and turning global spanning tree off on the core switch does help; however, I think it is not the spanning tree, or it is more than just the spanning tree.

What other things could I look into in finding the cause?

Any help appreciated!

Cannot install the NDIS Capture Service on my NIC.
It states: "Could not add the requested feature. The error is: This program is blocked by group policy. For more info, contact your system administrator"

I am the system administrator.  There is not a GPO configured to block this installation.
I've looked for parameters in:
Computer Configuration | Administrative Templates | System | Removable Storage Access
Computer Configuration | Administrative Templates | System | Device Installation | Device Installation Restriction
I've run RSOP and there are no settings to this effect.

There are no settings inside either of these.

I've also checked local security and local group policy - there is also nothing defined there.

Anyone have any ideas?

Windows 10 pro, 17134.285

I've uninstalled Webroot Secure Anywhere thinking that might be the problem - no change
Port 5083: Qpur File Protocol
Can somebody tell me what this service is used for?
I need to do an Enterprise Architecture maturity assessment using TOGAF framework. Can anyone who has done something similar give me guidance on best way to approach this.
Over all approach
Red flag points
Action points

Thank you for your help.

Hi... Can anyone tell me what this Simple Network Audio Protocol running on port 4752 is? Thanks
I have 10 Mbps links between my locations, and we have been experiencing network latency, primarily in the afternoons. I contacted my ISP and they were rather tight-lipped about what traffic was causing the problem. It took 8 months, countless tickets, and repeated threats to finally get the small amount of information that I have: that the primary network congestion is being caused by 4 domain controllers communicating with a domain controller in the hub of our network. I have modified the link costing and replication schedules and am pulling utilization reports tomorrow. I am going to run a packet capture with Wireshark. It is going to run from a desktop computer connected to a port that monitors the MPLS port and filter by IP address for each of the DCs communicating back to the hub. What should I look for in the capture that might indicate the source of what is flooding the network?
LVL 19
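Both the car dealership question earlier on this page (a morning saturation where the "top initiator" keeps changing and the application is just "General HTTPS") and the DC replication question above come down to the same analysis: aggregate the traffic by something other than source address. In Wireshark that is Statistics > Conversations (IPv4 and TCP tabs, sorted by bytes) with `ip.addr == <DC address>` applied, and Statistics > Protocol Hierarchy; when all you have is flow or bandwidth-monitor exports, the script below does the same three cuts. It is an added example, not from either post; the flow records, hosts and byte counts are constructed. The point for the dealership is that forty workstations each pulling a modest amount from the same destination show no single hog by source but one clear hog by destination. The point for the DC case is that AD replication is RPC over a dynamic high port negotiated through the endpoint mapper on 135, so grouping by service label, not by well-known port, is what makes it stand out.

```python
"""Added example: aggregate flow records three ways (by source, by destination,
by service) inside a time window. Not from either post. The flow records are
constructed to mimic the two situations on this page: a morning slowdown where
the 'top initiator' keeps changing, and WAN links saturated by DC-to-DC traffic.
Hosts, subnets and byte counts are invented.
"""
from collections import Counter, namedtuple

Flow = namedtuple("Flow", "ts src dst proto dport nbytes")


def service(dport):
    """Label a destination port. AD replication is RPC over a dynamic port
    negotiated through the endpoint mapper on 135, so its bytes never show
    up under port 135 itself."""
    names = {53: "DNS", 88: "Kerberos", 135: "RPC endpoint mapper", 389: "LDAP",
             443: "HTTPS", 445: "SMB", 636: "LDAPS", 3268: "LDAP GC"}
    if dport in names:
        return names[dport]
    if 49152 <= dport <= 65535:
        return "RPC dynamic (AD replication / DRS after EPM on 135)"
    return f"port {dport}"


def within(flows, start_hour, end_hour):
    """Flows whose timestamp (seconds since midnight) falls in [start, end)."""
    return [f for f in flows if start_hour * 3600 <= f.ts < end_hour * 3600]


def top(flows, key, n=5):
    """[(key, bytes, share_of_window_total)] sorted descending."""
    totals = Counter()
    for f in flows:
        totals[key(f)] += f.nbytes
    grand = sum(totals.values()) or 1
    return [(k, b, b / grand) for k, b in totals.most_common(n)]


def constructed_flows():
    flows = []
    # 40 workstations each pulling 120 KB every 5 minutes from one cloud host,
    # 08:00-10:25: no single 'hog' by source, but one destination eats the link.
    for i in range(40):
        for minute in range(0, 150, 5):
            flows.append(Flow(8 * 3600 + minute * 60, f"10.1.2.{10 + i}",
                              "203.0.113.5", "tcp", 443, 120_000))
    # ordinary browsing to assorted sites in the same window
    for i in range(5):
        for k in range(10):
            flows.append(Flow(9 * 3600 + k * 600, f"10.1.2.{60 + i}",
                              f"198.51.100.{20 + k}", "tcp", 443, 50_000))
    # afternoon: four branch DCs replicating with the hub DC over 10 Mbps links
    for site in range(2, 6):
        dc = f"10.{site}.0.10"
        flows.append(Flow(14 * 3600, dc, "10.1.0.10", "tcp", 135, 2_000))
        flows.append(Flow(14 * 3600 + 1, dc, "10.1.0.10", "tcp", 49155, 30_000_000))
        flows.append(Flow(14 * 3600 + 2, dc, "10.1.0.10", "tcp", 389, 200_000))
        flows.append(Flow(14 * 3600 + 3, dc, "10.1.0.10", "tcp", 88, 5_000))
    return flows


if __name__ == "__main__":
    flows = constructed_flows()
    morning = within(flows, 8, 10.5)
    print("morning by source:", top(morning, lambda f: f.src, 3))
    print("morning by destination:", top(morning, lambda f: f.dst, 3))
    afternoon = within(flows, 13, 17)
    print("afternoon by service:", top(afternoon, lambda f: service(f.dport), 3))
```

In the DC capture, the things to read off once the big conversations are isolated are the DRS traffic (Wireshark decodes it as DRSUAPI inside DCERPC) and its timing against the replication schedule you changed, and, separately, any SYSVOL file traffic on 445, which is replicated by a different mechanism (FRS or DFSR) and is not governed by the site-link schedule at all.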
Dear Experts, I'm testing the SPAN feature on a Cisco 3750 switch. This is the diagram:

This is configuration on Core SW:

monitor session 1 source vlan 55 both
monitor session 1 destination interface g1/0/13


It seems to be working, but the whole of VLAN 18 hung, so I could NOT access the PC on which Wireshark was installed. How can I fix it? Can we mirror traffic from just some IP addresses, not the whole VLAN?

Many thanks as always!
Dear experts,

I am new to DNS and DNS load testing. Now I have a task to run a load test on two BIND9 servers [RHEL6]. I googled it and found that dnsperf is a good tool to evaluate throughput and latency. However, I need a script to do this task. It would be very helpful if anyone could share the info.
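A dnsperf run needs three things: an input file of one `name type` per line (the `-d` format), a command line that limits duration and offered load so the test does not simply flood the server, and something that turns the summary block dnsperf prints into pass/fail numbers. The script below is an added example, not from the original post: it assumes dnsperf is installed and on PATH, uses only its documented `-s`, `-p`, `-d`, `-l`, `-c` and `-Q` options, and the summary it parses is a constructed sample in the shape dnsperf prints, with invented numbers. The latency and loss thresholds are mine, not dnsperf's.

```python
"""Added example: a dnsperf wrapper for load-testing the two BIND9 servers.
Not from the post. Assumptions: dnsperf is installed and on PATH, its input
file is one 'name type' per line (the -d format), and the summary block
parsed below is a constructed sample in the shape dnsperf prints, not real
results.
"""
import random
import re
import subprocess

RECORD_TYPES = ["A", "A", "A", "AAAA", "MX", "TXT"]    # weighted toward A, like real traffic


def build_queries(names, count, seed=1):
    """Deterministic list of 'name type' lines for dnsperf -d."""
    rng = random.Random(seed)
    return [f"{rng.choice(names)} {rng.choice(RECORD_TYPES)}" for _ in range(count)]


def write_query_file(lines, path):
    with open(path, "w") as fh:
        fh.write("\n".join(lines) + "\n")


def dnsperf_command(server, datafile, seconds=60, clients=20, max_qps=None, port=53):
    cmd = ["dnsperf", "-s", server, "-p", str(port), "-d", datafile,
           "-l", str(seconds), "-c", str(clients)]
    if max_qps:
        cmd += ["-Q", str(max_qps)]     # cap the offered load instead of flooding
    return cmd


SUMMARY_PATTERNS = {
    "sent": r"Queries sent:\s+(\d+)",
    "completed": r"Queries completed:\s+(\d+)",
    "lost": r"Queries lost:\s+(\d+)",
    "qps": r"Queries per second:\s+([\d.]+)",
    "avg_latency_s": r"Average Latency \(s\):\s+([\d.]+)",
    "max_latency_s": r"max ([\d.]+)\)",
}


def parse_summary(text):
    """Pick the headline numbers out of dnsperf's summary block."""
    out = {}
    for key, pat in SUMMARY_PATTERNS.items():
        m = re.search(pat, text)
        if m:
            out[key] = float(m.group(1)) if "." in m.group(1) else int(m.group(1))
    if out.get("sent"):
        out["loss_pct"] = 100.0 * out.get("lost", 0) / out["sent"]
    return out


def verdict(summary, max_loss_pct=0.1, max_avg_latency_s=0.010):
    """List of threshold breaches (thresholds are mine, not dnsperf's); empty means pass."""
    problems = []
    if summary.get("loss_pct", 0) > max_loss_pct:
        problems.append(f"loss {summary['loss_pct']:.2f}% > {max_loss_pct}%")
    if summary.get("avg_latency_s", 0) > max_avg_latency_s:
        problems.append(f"avg latency {summary['avg_latency_s']}s > {max_avg_latency_s}s")
    return problems


def run(server, names, count=100_000, datafile="/tmp/queries.txt", **kw):
    """Generate the query file, run dnsperf against one server, return the parsed summary."""
    write_query_file(build_queries(names, count), datafile)
    proc = subprocess.run(dnsperf_command(server, datafile, **kw),
                          capture_output=True, text=True, check=True)
    return parse_summary(proc.stdout)


# Constructed sample of a dnsperf summary block (shape only; numbers invented).
SAMPLE_OUTPUT = """\
Statistics:

  Queries sent:         100000
  Queries completed:    99950 (99.95%)
  Queries lost:         50 (0.05%)

  Response codes:       NOERROR 99950 (100.00%)
  Run time (s):         12.345678
  Queries per second:   8096.012345

  Average Latency (s):  0.002345 (min 0.000210, max 0.041000)
  Latency StdDev (s):   0.000800
"""

if __name__ == "__main__":
    s = parse_summary(SAMPLE_OUTPUT)
    print(s, verdict(s) or "OK")
```

Run it once per server (`run("192.0.2.53", names, seconds=120, clients=20, max_qps=5000)` and again for the second address), with a name list drawn from the zones the servers actually host plus a share of names they must recurse for, otherwise a cache-only test tells you nothing about how BIND behaves under real load.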

As you can see from the attached diagram, site2 communicates with site1 via the pt-to-pt link as the primary. The MPLS is the backup link.

To get to the public server, site2 goes through site1. core1 redistributes static via EIGRP, and site2 learns the DG via EIGRP.

What I'd like to do is reroute the DG of site2 to FW2 when or fails. How would I go about accomplishing this? Thanks


I configured OSPF between a Cisco ASR and a Juniper router (service provider).

The OSPF neighbour has formed and exchanged routes.

But the ASR is logging a message "Cannot see ourself in hello from <juniper router id>, state INIT".

This is not happening all the time. It's happening randomly once or twice a week, mostly during the peak hours of the business (but traffic is not hitting the maximum BW).

Due to this I can see some of the remote sites having high latency connecting to the DC for 2-3 minutes, and then when OSPF is normal the high latency goes away.

Not sure why the OSPF is flapping. Is there any particular config I need to add between the Juniper and the Cisco ASR to make this work?

I need to capture TCP/UDP packets to and from an Azure VM that is in production. I cannot put Wireshark on this VM, as it is in production. What can I do? We do own that Azure VM. We are trying to analyze why information is being lost between the VM and our hardware device.
I have 3 WS-C3550-48-SMI switches, and they are connected to each other via 1000BaseCX GigaStack. But they are only half-duplex. My users are experiencing slow response. Could it be because those trunks are half-duplex?

sh int status
Port      Name                      Status           Vlan       Duplex      Speed      Type
Gi0/1     Switch A & C       connected    trunk      a-half        a-1000      1000BaseCX Gigastack

