Ask Your Question
0

Periodic Loss of Network Connectivity

asked 2023-03-29 14:28:16 +0000

I’m new to wireshark and a novice when it comes to network analysis. My main job is software development, but in my company the IT staff wear many hats. Please forgive me if this is not the correct forum to post this.

Over the past four months we’ve been experiencing periodic, but complete loss of network connectivity. It is random. It will last anywhere from one minute to 10+ minutes. Then all will clear up as if nothing was wrong. I’ve suspected a packet storm caused by a bad device, but just can’t find it because there isn’t enough time when it does occur to find the offending device. I’ve reviewed the switch logs to see if there is one device that is showing a large amount of traffic at a particular point in time, but nothing jumps out. Or, maybe there is just so much traffic during the work day the switches and/or servers just can’t keep up.

What I’d like to do is monitor traffic for 24 hour to see if the problem is occurring after work hours, when no one is in the building. If it does occur during off hours then that it’s not necessarily a capacity problem with the switches or servers, and maybe therefore there is a failing device. If there aren’t any dropouts (for lack of a better term) during off hours, then I guess that points to something else, although there still could be a misbehaving device that someone turns on when they get to work.

I’m thinking of setting up a continuous ping either to one of the domain controllers or firewall. Can Wireshark be setup to report a period of long latency that last for more than a say 30 seconds? Or can it capture the ping traffic then I’ll analyze the next day by looking for a delay or loss? Does this make sense to proceed that way?

edit retag flag offensive close merge delete

2 Answers

Sort by » oldest newest most voted
0

answered 2023-03-31 19:23:23 +0000

updated 2023-03-31 19:30:00 +0000

If you decide to try capturing ICMP then Wireshark can be used to analyze the response times or check for missing replies.

You can use an ICMP display filter to show response time over a certain threshold like 10 ms for example.

icmp.resptime > 10

You can also add a column showing the ICMP response time by expanding the Internet Control Message Protocol section in the Packet Details pane, find the icmp.resptime field and right-click to "Apply as Column." (You can then sort using that column.)

If you click on the Expert Information circle (usually bottom left of screen) you may see if you have warnings about "Response not found" for protocol ICMP.

If you are using Wireshark to capture the traffic then you may want to use a capture filter to only capture ICMP packets and keep the file size smaller.

icmp should do the trick.

Good luck.

edit flag offensive delete link more
0

answered 2023-03-30 08:37:30 +0000

BigFatCat gravatar image

I use Wireshark when I have a general idea of what I am looking for. I believe a network performance software is a better solution for your problem. There are many on the Internet, and I'd rather first install a trial version. When the network slows down, it can identify the hogs, and any network failure. If the logs show nothing, I would use WireShark captures to prove the problem exists.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2023-03-29 14:28:16 +0000

Seen: 520 times

Last updated: Mar 31 '23