Ask Your Question
0

How to determine reasons for slow Internet/network performance

asked 2020-05-15 10:36:40 +0000

balcee gravatar image

Hi team

I hope someone is able to help me out with a problem that's beginning to generate more and more noise.

We have an office in Hong Kong. Internet traffic goes out via a local Bluecoat proxy and out through local Internet breakout. For the past 7 days, they are reporting that Internet has been very slow between the hours of 2pm-6pm HK time - that's 7am-11am UK time.

I've checked with the ISP and carried out thorough checks on the Bluecoat and everthing appears to be ok. I downloaded some packet captures from the Bluecoat itself but cannot see anything obvious (I'm fairly new to Wireshark). Would you be kind enough to have a look through and see if there's any clue as to what may be causing these issues please?

Many thanks in advance.

B

edit retag flag offensive close merge delete

Comments

Capture can be found here: https://www.dropbox.com/s/tbzdkyb19zk...

balcee gravatar imagebalcee ( 2020-05-15 10:39:50 +0000 )edit

Is that going through a web proxy?
If so, have you check the logs/statistics on it?

Chuckc gravatar imageChuckc ( 2020-05-15 15:37:23 +0000 )edit

The responses from 10.0.88.100 (Bluecoat proxy?) to HTTP requests are very slow (up to 25 seconds). Everything else like the 3-way-handshake and TLS communication is fast and looks fine.

Have you checked the availability and the response time of the DNS resolvers that are configured in the Bluecoat settings during the issue?

JasMan gravatar imageJasMan ( 2020-05-15 15:47:29 +0000 )edit

Many thanks for your replies. I will check the DNS server now but then also early Monday morning as that's when the issue is likely to occur. Many thanks for your opinions. Hopefully I will have good news on Monday. By the way JasMan, yes the Bluecoat proxy is 10.0.88.100.

balcee gravatar imagebalcee ( 2020-05-15 17:34:37 +0000 )edit

Hi guys. I'm looking at performance issues again. Below is the link to the packet capture, filtered just on the DNS server 10.88.20.200 - do you see anything suspect in here?

https://www.dropbox.com/s/smrdc8252aa...

I'm still seeing very slow Internet performance so I've asked the server guys to log on to the server and check there's nothing wrong from a hardware/memory perspective.

balcee gravatar imagebalcee ( 2020-05-18 06:49:50 +0000 )edit

The Dropbox link doesn't work for me. 404.

JasMan gravatar imageJasMan ( 2020-05-18 09:04:19 +0000 )edit

Hi JasMan, that's strange. Sorry about that, can you try this one please?

https://www.dropbox.com/s/3mk9a4w98c7...

This capture was done around an hour ago and is unfiltered https://www.dropbox.com/s/shh4dgd4803...

balcee gravatar imagebalcee ( 2020-05-18 17:09:19 +0000 )edit

@balcee: DNS looks fine. Some querys need up to 5 seconds, but far away from the HTTP response times that I saw in your first capture.

The second capture contains only some multicasts from your phones (I guess), but nothing from/to the Internet.

Is there a way to capture the complete traffic of the Bluecoat proxy, so that we can see the HTTP querys from the client, the DNS request and the WAN traffic also? Of course during the time were the issue occures.

JasMan gravatar imageJasMan ( 2020-05-18 19:00:38 +0000 )edit

Ok many thanks. I will pull down another capture tomorrow morning. I'm running the packet capture from the built in tool on the Bluecoat. The filter I'm setting is ip host 10.0.88.100 - is this ok or is it better doing an unfiltered capture?

If possible, I will also do a capture from a client on the same network.

Thanks for your help on this. Hopefully, we'll get to the bottom of it soon... :)

balcee gravatar imagebalcee ( 2020-05-18 20:32:53 +0000 )edit

Let us try an unfiltered capture to be sure, that we will see everything that's going on at this part of the network.

JasMan gravatar imageJasMan ( 2020-05-19 05:44:55 +0000 )edit

@JasMan

More captures here: https://www.dropbox.com/s/2mngq0dux6e...

The slowness is happening right now, these captures were recorded in hte last 30-45 minutes. Key info:

Bluecoat Proxy: 10.0.88.100 Domain Controller: 10.88.20.200

balcee gravatar imagebalcee ( 2020-05-19 08:33:36 +0000 )edit
see more comments

1 Answer

Sort by ยป oldest newest most voted
0

answered 2020-05-19 11:37:44 +0000

JasMan gravatar image

Hey @balcee, Thank you for the captures. Due to the fact that the delay tooks mostly about 15-25 seconds, and the capture itself contains only 20 seconds of traffic, it was a little bit difficult to find a conversation, which outbound (WAN) and inbound (LAN) traffic is included in the capture. But I've found one :)

The file HK_Bluecoat_190520_0845.cap contains a HTTP request from the client 10.88.129.242 for www.gstatic.com in TCP stream 399. The proxy receives the request and ACKs it immediatly. But it tooks about 17 seconds until the client receives the HTTP response from the proxy.

When we look onto the WAN side, we will find the outgoing traffic for www.gstatic.com in TCP stream 1950. Due to the frame time it was send out 17 seconds later as the request was received on the LAN side. The HTTP response from gstatic.com comes immediatly, so the WAN line is not the issue here. The frame time of the external HTTP response from gstatic.com is nearly the same, as the frame time of the internal HTTP response that the client 10.88.129.242 receives from the proxy. That means the way back is also fine.

The captures of the DNS traffic are from another time range, so I was not able to find the matching DNS request for this connection. But all DNS responses are more or less fast, so I don't think that this is the cause for the delays.

In my opinion the Bluecoat proxy is the cause, because he delayed the outgoing request for unknown reason. I recommend to check the logs again. There must be a hint why the proxy delayed the outgoing request.

edit flag offensive delete link more

Comments

Wow, that is amazing. I would never have seen that! I'm looking at 399 but cannot see www.gstatic.com - where would I see that?

I will run further logs. Are there any specific filters that could help?

balcee gravatar imagebalcee ( 2020-05-19 12:02:29 +0000 )edit

You can see the requested URL in the details of the packet, or by adding a colume "http.host or tls.handshake.extensions_server_name".

If possible I would search in the logs for the named request from 10.88.129.242.

I've found another hint: right after the proxy received the query from the client, he tries to connect to 165.160.13.20 and 165.160.15.20 without success (only SYN, no SYN/ACK). The queries fit in the timerange of the delay. Maybe coincidence, or maybe a Bluecoat server for further checks.

JasMan gravatar imageJasMan ( 2020-05-19 12:28:05 +0000 )edit

165 address is interesting. Ok thanks, I will go back and investigate further. This is our Hong Kong office so I will have to wait another 10 hours before users are back in the office. Thank you

balcee gravatar imagebalcee ( 2020-05-19 12:39:43 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

2 followers

subscribe to rss feed

Stats

Asked: 2020-05-15 10:36:40 +0000

Seen: 2,334 times

Last updated: May 19 '20

Related questions

What I need to do to capture outgoing packets from the computer that using proxy?

Client - Corporate Proxy connection to Microsoft outlook, additional HTTP/1.1 packet before TLS channel established

Sniffing stealmylogin.com

unable to capture packets on Wireshark

Wireshark and proxy not playing well together?

Ping from cmd is successful but can't access website from browser without the use of VPN help [closed]

Proxy closes connection, not server/client. Why?

Can I explore wireshark from outside my network through a reverse proxy?

Fail to decrypt proxied/tunneled TLS traffic?