This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Slow download speed

0

We are facing slow download speed issue with one of our server .

Running trace from client PC shows below output.

Could someone please help identify cause of this slow download speed.

10.225.0.10 is IP of client.

192.168.1.10 IP of Server

72  0.131254000 0.000000000 10.225.0.10 192.168.1.10    TCP 66  64104 > http [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1
73  0.000001000 0.000000000 10.225.0.10 192.168.1.10    TCP 66  64103 > http [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1
74  0.126430000 0.126431000 192.168.1.10    10.225.0.10 TCP 66  http > 64104 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 SACK_PERM=1 WS=4
75  0.000001000 0.126431000 192.168.1.10    10.225.0.10 TCP 66  http > 64103 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 SACK_PERM=1 WS=4
76  0.000313000 0.000314000 10.225.0.10 192.168.1.10    TCP 54  64104 > http [ACK] Seq=1 Ack=1 Win=65700 Len=0
77  0.000009000 0.000322000 10.225.0.10 192.168.1.10    TCP 54  64103 > http [ACK] Seq=1 Ack=1 Win=65700 Len=0
78  0.000415000 0.000424000 10.225.0.10 192.168.1.10    HTTP    1035    GET / HTTP/1.1 
79  0.000373000 0.000373000 192.168.1.10    10.225.0.10 TCP 60  http > 64104 [ACK] Seq=1 Ack=982 Win=7804 Len=0
80  0.276084000 0.276084000 192.168.1.10    10.225.0.10 HTTP    469 HTTP/1.1 302 Redirect  (text/html)
81  0.000554000 0.277426000 10.225.0.10 192.168.1.10    HTTP    1041    GET /abc prod HTTP/1.1 
82  0.000320000 0.000320000 192.168.1.10    10.225.0.10 TCP 60  http > 64103 [ACK] Seq=1 Ack=988 Win=7816 Len=0
84  0.029194000 0.131834000 192.168.1.10    10.225.0.10 TCP 1514    [TCP segment of a reassembled PDU]
85  0.000002000 0.000002000 192.168.1.10    10.225.0.10 TCP 1514    [TCP segment of a reassembled PDU]
86  0.000146000 0.000146000 10.225.0.10 192.168.1.10    TCP 54  64103 > http [ACK] Seq=988 Ack=2921 Win=65700 Len=0
89  0.000002000 0.000002000 192.168.1.10    10.225.0.10 HTTP    793 HTTP/1.1 401 Unauthorized  (text/html)

asked 07 Jun '13, 06:11

m_1607's gravatar image

m_1607
35121316
accept rate: 0%

edited 07 Jun '13, 07:12

grahamb's gravatar image

grahamb ♦
19.8k330206

Could you upload your capture to the following and post the URL? The .pcap file itself is a lot easier for readers to work with typically: http://cloudshark.org/

(07 Jun '13, 06:47) Quadratic

When I reformatted the Question text output, frame 76 had been modified with extra quotes, I removed those, but I'm not entirely sure of the provenance of the text.

(07 Jun '13, 07:14) grahamb ♦

can u please help with this due to sensitivity of data i cannot copy complete trace.

thank for understanding.

(07 Jun '13, 09:09) m_1607

Sorry but there is but nothing inside the snippet you provided to even try helping you with that issue.

(07 Jun '13, 09:37) Landi

OK issue is when downloading files from http we are getting very slow speed.

Could you please help me with things we need to look at in that case.

(07 Jun '13, 09:43) m_1607

For a start, find the reason for the slow transmission like high delta times between data packets, lots of retransmissions, small recieve windows whatever. There must be something in the trace (timing related) that you should be able to find out.

(07 Jun '13, 09:58) Landi

Below 2 packet I see high delta time. 226 0.439848000 7.283610000 10.225.0.10 192.168.1.10 HTTP 5671 GET /abcProd/Contents/Objects/5175B170 HTTP/1.1 7.283610000

233 0.001536000 7.280229000 10.225.0.10 192.168.1.10 HTTP 5698 GET /abcProd/PlugIns/CoreObjects/Shared/Display.aspx?o=5175&t=170 HTTP/1.1 7.280229000

(07 Jun '13, 10:53) m_1607

Seriously, this is not leading to solving your problem - again those two packets posted by you can't be analysed without the rest of the trace. If you really can't post the trace somewhere due to sensitive data I suggest to get external help for this case

(07 Jun '13, 11:36) Landi

if it is about hiding sensitive data, you can use editcap to remove tha http payload so we can at least look it this from a tcp perspective

(07 Jun '13, 13:43) mrEEde2

From the details you're able to provide, all I can really say is that the client is receiving a 401 error (unauthorized) from the web server in packet 89. That doesn't explain slow speeds though.

Other than that, are there timestamps with this trace? Does Wireshark give any warnings/notes under Expert Info which may point to a problem? (click the lower-left circle with the trace loaded into Wireshark)?

I don't think there's really enough information here to diagnose the cause of the proverbial "slow speeds" issue. It's sometimes not possible to completely diagnose the cause even with the .pcap file of the session, let alone find a cause out of the packet summary details.

(07 Jun '13, 17:51) Quadratic

Wish to understand one thing when client request get / webpage page delta time is high, what could be reason for this high delta time when client webpage.

280 0.279926000 4.115363000 10.225.0.10 192.168.1.10 HTTP 5671 GET /abcProd/Contents/Objects/5176B170 HTTP/1.1 4.115363000

425 0.002877000 6.166599000 10.225.0.10 192.168.1.10 HTTP 5712 GET /abcProd/PlugIns/DocumentManager/Shared/Display.aspx?o=34656&t=3 HTTP/1.1 6.166599000

419 0.013246000 6.877795000 10.225.0.10 192.168.1.10 HTTP 5681 GET /abcProd/Contents/Objects/34656B3 HTTP/1.1 6.877795000

(08 Jun '13, 07:05) m_1607
showing 5 of 11 show 6 more comments

One Answer:

0

Without the whole session, the best we can do is guess what could be a reason. Then again, your guess is as good as ours. Well, your guess should be better, as you can look at the data and we can not.

Well, here goes my guesses:

  • The client could be overloaded and is not able to keep up and therefor has a large delay between requests
  • The server is not serving pages quickly
  • The transfers are slow because of bad window scaling
  • The transfers are slow because of nagle-delayed ack problems
  • The transfers are slow because of packet loss
  • The transfers are slow because of a full moon ;-)

Really, this is the 4th question you asked relating to slow downloads and you expect us to help you, but you can't provide us with the info we need to be able to help us. COuld you please create a capture file without the payload and if necessary with the IP addresses randomized and upload it to www.cloudshark.org?

Here is how you can do this on a linux box:

tcprewrite -s 5234525  -i <input file> -o - | editcap -s 80 - <output file>

(tcprewrite is part of tcpreplay and editcap comes with wireshark)

answered 08 Jun '13, 08:46

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

Thanks SYN-bit , just wish to understand below point.

Wish to understand one thing when client request get / webpage page delta time is high, what could be reason for this high delta time when client webpage.

280 0.279926000 4.115363000 10.225.0.10 192.168.1.10 HTTP 5671 GET /abcProd/Contents/Objects/5176B170 HTTP/1.1 4.115363000

425 0.002877000 6.166599000 10.225.0.10 192.168.1.10 HTTP 5712 GET /abcProd/PlugIns/DocumentManager/Shared/Display.aspx?o=34656&t=3 HTTP/1.1 6.166599000

419 0.013246000 6.877795000 10.225.0.10 192.168.1.10 HTTP 5681 GET /abcProd/Contents/Objects/34656B3 HTTP/1.1 6.877795000

(08 Jun '13, 22:10) m_1607

(I did see your previous update and converted it to a comment to the question. I also converted your last "answer" to a comment to my answer. Please see the FAQ for details on how this site works best.)

My answer was pointed at your previous update in which you asked for the reason for the large intervals between requests. To understand the large delay, one needs to look at the packets in between. So without being able to look at those packets (at least the IP and TCP layers of those packets) there is not really much we can do for you in pinpointing the source of the delays.

(08 Jun '13, 23:33) SYN-bit ♦♦