Network analysis Using Wireshark Lesson 12
By the end of this lesson, the participant will be able to:
▫ Perform bandwidth and throughput tests
▫ Measure applications throughput
▫ Understand the impact of delay and jitter on network applications
Network analysis Using Wireshark Lesson 12 - bandwidth and delay issues
Network Analysis Using Wireshark, Version 2 (yoram@ndi-com.com)
Network analysis Using Wireshark
Lesson 12:
Bandwidth, Delay & Jitter Issues
For more lectures, courses & keynote speaking, contact me at: yoram@ndi-com.com
Chapter Content
• Measuring total bandwidth on a communication link
• Packet loss and recovery - UDP and TCP
• Previous segment lost and Out-of-Order Segments events
• Duplicate ACKs and Fast Retransmissions
• TCP Retransmissions and their impact on network performance
• Delay/jitter influence on TCP behaviour
• Zero window, Window changes and other window problems
“Discipline is the bridge between goals
and accomplishment.”
Jim Rohn
The Problem – Who is Loading the Line
• How to measure bandwidth / throughput
▫ Per Line/Port
▫ Per user
▫ Per connection
Line/Port Bandwidth Measurement
• Tools to be used:
▫ Wireshark with a port mirror to the port under test
▫ SNMP software monitoring the Switch/Router
• Wireshark tool:
▫ Statistics tools
▫ IO Graphs
What Is the Bandwidth Distribution
“Live as if you were to die tomorrow.
Learn as if you were to live forever.”
― Mahatma Gandhi
Per Network / Session Filtering
• In UDP
▫ Lost packets are not recovered
▫ In some cases, the protocol recovers them
• In TCP
▫ A lost packet will be retransmitted, but…
▫ Retransmission can be due to packet loss or:
    ▪ Slow client or server
    ▪ Delays on the line
Indications for Packet Losses
• Ping the destination (-t)
▫ If some replies do not arrive, increase the wait time with the -w option
▫ For example: ping -t -w 5000 8.8.8.8
• Check the communications devices and look for CS/CRC errors
▫ Errors: cause the switch/router to drop packets
▫ CPU load: causes the switch/router to delay and then drop packets
▫ Traffic policing and WRED: can cause packet losses
• Check the capture file:
▫ TCP Retransmissions
▫ Applications that run over UDP sending packets repeatedly
Ethernet Frame Losses (Example 12-1)
First indication: the Expert System
Digging in gives us… (Example 12-1)
Exercise 12-2:
Errors and their influence on throughput
• In the attached file (Exercise 12-1), where do the errors come from?
• Are they critical? Are they real?
• What can they cause?
TCP – Is it a Packet Loss?
• The response to a packet loss is retransmission.
• Retransmission can be due to:
▫ Packet loss
▫ Line delay
▫ Slow end-devices
• We verify a packet loss by elimination:
▫ If the delay is low and stable, and…
▫ There are no TCP window issues, and…
▫ Then it might be packet loss
▫ Go and check the network devices
Another Method: Looking at the IP Packet IDs
• The IP Identification field (ID) is used to identify the packet, especially in the case of fragmentation.
• The ID can be implemented as (depends on the TCP/IP stack, RFC 4413):
▫ Sequential jump
▫ Random
▫ Sequential
• In the case of sequential or sequential jump, it gives us another indication of lost packets.
[Figure: sequential jump]
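The IP ID check described above, as an added example that is not part of the original slides: it labels each sender's ID behaviour with the three categories listed, then reports oversized counter steps as presumed missing packets. The `JUMP_LIMIT` and 90% thresholds, the function names and the sample addresses and IDs are assumptions made for this illustration; the records stand for per-packet `ip.src` / `ip.id` values exported from a capture, with the IDs as integers.

```python
from collections import Counter, defaultdict

MOD = 1 << 16      # IP Identification is a 16-bit field, so it wraps at 65536
JUMP_LIMIT = 64    # assumption: a larger forward step is not a counter increment

def deltas(ids):
    """Forward distance between consecutive IDs, modulo 2**16."""
    return [(b - a) % MOD for a, b in zip(ids, ids[1:])]

def classify(ids):
    """Return (behaviour, step) using the three categories named on the slide."""
    small = [d for d in deltas(ids) if d <= JUMP_LIMIT]
    if len(ids) < 4 or len(small) < 0.9 * (len(ids) - 1):
        return "random", None
    step = Counter(small).most_common(1)[0][0]   # the sender's usual increment
    return ("sequential" if step == 1 else "sequential-jump"), step

def gaps(ids, step):
    """(previous_id, next_id, packets_presumed_missing) for each oversized step."""
    return [(a, b, (b - a) % MOD // step - 1)
            for a, b in zip(ids, ids[1:])
            if 2 * step <= (b - a) % MOD <= JUMP_LIMIT]

def analyse(records):
    """records: (src_ip, ip_id) tuples in capture order -> {src: (behaviour, gaps)}."""
    per_src = defaultdict(list)
    for src, ip_id in records:
        # Fragments of one datagram share an ID; keep only the first of a run.
        if not per_src[src] or per_src[src][-1] != ip_id:
            per_src[src].append(ip_id)
    report = {}
    for src, ids in per_src.items():
        kind, step = classify(ids)
        report[src] = (kind, gaps(ids, step) if step else [])
    return report

# Constructed sample: a sequential sender (with wrap-around), a sender that
# jumps by 2, and a sender with random IDs.
SAMPLE = (
    [("10.0.0.5", i) for i in (65533, 65534, 65535, 0, 1, 2, 5, 6, 7, 8, 9, 10)]
    + [("10.0.0.9", i) for i in (100, 102, 104, 108, 110, 112, 114, 116, 118, 120)]
    + [("10.0.0.7", i) for i in (41231, 907, 60011, 23817, 5120, 33333)]
)

if __name__ == "__main__":
    for src, (kind, found) in analyse(SAMPLE).items():
        print(src, kind, found)
```

A gap only means the packet was not seen at the capture point; a sender that shares one counter across several destinations produces the same pattern without any loss.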
“Success is not final, failure is not fatal: it is
the courage to continue that counts.”
― Winston S. Churchill
Previous segment lost and Out-of-Order Segments events (Example 12-2)
Duplicate ACKs and Fast Retransmissions
Example 12-3
• Duplicate ACKs are sent when the receiver sees a gap in the packets it receives.
• Fast retransmissions use a counter for duplicate ACKs to trigger a retransmission faster than by Retransmission TimeOut (RTO).
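The duplicate-ACK counter described above, as an added example that is not part of the original slides: it walks a sender-side packet list, counts duplicate ACKs, and labels each retransmission as triggered by the counter or by the RTO. It uses the RFC 5681 threshold of three duplicate ACKs, not Wireshark's own expert heuristic; the function name, tuple layout and sample packets are assumptions, and sequence numbers are relative with no wrap-around.

```python
DUPACK_THRESHOLD = 3   # RFC 5681: the third duplicate ACK triggers fast retransmit

def classify_stream(packets):
    """packets: (time, kind, number, length) tuples in capture order, taken at the
    sender. kind "data" -> number is the sequence number; kind "ack" -> number is
    the acknowledgment number sent back by the receiver.
    Returns [(time, label, number)] for duplicate ACKs and retransmissions."""
    events = []
    sent_up_to = 0                 # next new sequence number the sender will use
    last_ack, dup_count = None, 0
    for t, kind, number, length in packets:
        if kind == "ack":
            # Duplicate ACK: same ack number again while data is still outstanding.
            if number == last_ack and number < sent_up_to:
                dup_count += 1
                events.append((t, "dup-ack", number))
            else:
                last_ack, dup_count = number, 0
        elif number < sent_up_to:  # bytes already sent once: a retransmission
            fast = number == last_ack and dup_count >= DUPACK_THRESHOLD
            events.append((t, "fast-retransmission" if fast
                              else "rto-retransmission", number))
        else:
            sent_up_to = number + length
    return events

# Constructed sample: segment 1001 is lost while later segments arrive (the
# receiver answers with duplicate ACKs); segment 5001 is lost with nothing
# behind it, so only the retransmission timer can recover it.
SAMPLE = [
    (0.000, "data", 1, 1000), (0.001, "data", 1001, 1000),
    (0.002, "data", 2001, 1000), (0.003, "data", 3001, 1000),
    (0.004, "data", 4001, 1000),
    (0.050, "ack", 1001, 0), (0.052, "ack", 1001, 0),
    (0.053, "ack", 1001, 0), (0.054, "ack", 1001, 0),
    (0.055, "data", 1001, 1000),          # resent right after the third dup ACK
    (0.105, "ack", 5001, 0),
    (0.106, "data", 5001, 1000),
    (0.406, "data", 5001, 1000),          # resent 300 ms later, no dup ACKs seen
    (0.456, "ack", 6001, 0),
]

if __name__ == "__main__":
    for event in classify_stream(SAMPLE):
        print(event)
```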
What happened? (Example 12-3)
• We look at the TCP window size (in the transfer direction)
▫ No significant changes so…
▫ It is OK
• We look at the TCP throughput graph (in the transfer direction)
▫ There are strong degradations during 3 time periods
▫ Something is wrong
And the answer is…
• Looks like:
▫ There are no delay variations
▫ No TCP window changes
▫ Degradation in performance is observed
• Looks like some packet losses
• But:
▫ It is a connection to a server on the Internet
▫ Some packet losses can happen
• And when we look at the IO graph for this connection…
Oooops…
Delay/Jitter and TCP
Exercise 12-3:
Duplicate ACKs influence on throughput
• In the attached file (Exercise 12-3), what can be the reason for the DupACKs?
• What is the meaning of the red lines in the TCP Stream Graphs (tcptrace) graph?
• What can be the reason for so many DupACKs?
“Courage is what it takes to stand up and
speak; courage is also what it takes to sit
down and listen.”
Winston Churchill
Flow & Congestion Control - Reminder
• Flow control:
▫ Controls the amount of data sent by the sender.
▫ Achieved by a "window" mechanism
• Congestion control:
▫ Tries to get to the maximum throughput of the communication line
[Figure: CWND over time, with Min = MSS, Max = RWIN and retransmission events marked]
Exercise 12-4:
Network traffic
• In the attached file (Exercise 12-3), the network becomes very slow. What is the reason for it?
• What is the bandwidth of the Internet connection?
FTP Download over Slow Cellular Link (Example 12-4)
“The best argument against democracy is
a five-minute conversation with the
average voter.”
Winston Churchill
Exercise #5:
Zero Window influence on throughput
• In the attached file (Exercise 12-5), what is the reason for the network slow-down shown?
• What is the problem?
Summary
• In this lesson we talked about:
▫ How to measure network bandwidth and application throughput with Wireshark
▫ How to measure delay and jitter, and their influence on application performance