Ask Your Question

Need help analyzing Wireshark captures

asked 2020-02-28 21:07:05 +0000

rmsdip3 gravatar image

I have a couple captures I need some assistance reading them and deciding where to start looking to fix my issue.. I have a site that runs an application and during the normal process it takes around 5 seconds to complete transaction. When the main connection to Corporate goes down my time jumps to 2 minutes to complete and other sites only increase to 25 seconds.. There are 3 servers involved in which 1 is at Corp and is where the app server posts data. So I access Server 1 through webpage (Local onsite). Server 1 is a proxy passes the traffic the an sql app server (Local Onsite) where the app runs the transactions. The app server posts final transaction to server 3 (Offsite Corp) when complete.. There is a 20 seconds (25 seconds expected total) def app timeout built in for the SQL server to post to Server 3. Can anyone assist in pointing me in some filters, etc guide me where to look and find the possible cause of the extra 1.5-2 minutes in time for transactions..

Thanks in Advance

edit retag flag offensive close merge delete


Can you anonymize one of the captures, upload to a public file sharing site and post a link to it here?

Chuckc gravatar imageChuckc ( 2020-02-28 21:26:52 +0000 )edit

This is my first capture.. How do I anonymize it?


rmsdip3 gravatar imagermsdip3 ( 2020-02-29 21:55:23 +0000 )edit

Trace Wrangler ( is one way.

SF18US - 13: Practical Tracewrangling (Jasper Bongertz)

Chuckc gravatar imageChuckc ( 2020-03-01 05:23:40 +0000 )edit

I have uploaded the files to the following.. I have included 4 files.. 2 from the client side and 2 from the Switch attached to the server side.. Normal operation and during our so called outage.. Thanks for any insight

rmsdip3 gravatar imagermsdip3 ( 2020-03-02 16:11:45 +0000 )edit

Anyone? Thanks again.. Any help appreciated

rmsdip3 gravatar imagermsdip3 ( 2020-03-06 12:09:52 +0000 )edit

1 Answer

Sort by » oldest newest most voted

answered 2020-03-06 14:45:03 +0000

Jasper gravatar image

updated 2020-03-06 14:45:58 +0000

It's a little hard to say without knowing exactly what is going, but what I find interesting is that if you look at the conversations that happen on TCP port 85 you can see that one side ( is sending data that gets acknowledged (usually a 54 byte packet from, but then it takes at least 1 second to send the answer back each time (easy to find by looking for the TCP push flag, also from - in case of the bad connection i've seen up to 19 seconds delay between the ACK and the PSH ACK.

It looks to me like the application processing time on is really not that good (= performing well). From my gut feeling it looks more like a delay on that node than a network problem. Also, seeing TCP Keep-Alive packets is an indicator one node is waiting for the other.

To further investigate the non-anonymized packets I'd recommend you isolate the TCP conversations one by one (either via right click -> Conversation Filter -> TCP, or via Statistics -> Conversations -> right click). You should add a column "Delta Time Displayed" to your setup (unless you already have it, of course) and track where the delays are for each TCP connection.

image description

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2020-02-28 21:07:05 +0000

Seen: 327 times

Last updated: Mar 06 '20