This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Alerts in the capture

0

I have a capture of a website called www.mir3.com And the users are complaining that the application Is running slow, in the capture i see a lot of application alerts and Encryptions alerts.

Can someone shed some light on this issue for me please, can that application TTL (ALERTS) cause a website perform poorly? T Users are used to 12s second delay, now they say it takes about I 15-20sec to go from one page to another or simply to open a page.

I have a provide a copy or the www.mir3.com capture if that will help thanks in advance

https://www.cloudshark.org/captures/040e6dbaeddc

asked 27 Feb '14, 20:34

ejohnson7's gravatar image

ejohnson7
119912
accept rate: 0%

2 Answers:

1

There are two flavours of TLS alerts in this trace.

  • Alert (Level: Warning, Description: Unrecognized Name)
  • Encrypted Alert

The Encrypted Alerts are normal to see before a SSL session comes down. They contain an encrypted Close_Notify that flows when the server issued a SSL-Shutdown.

The TLS alerts indicating that an "Unrecognized Name" was received in the ClientHello are certainly not helping to speed up things here. The Client Hello includes server_name extension wih a TLS Server Name of aig.mir3.com which the server doesn't like.

I don't think however that those are the only reason for the poor performance of the web server as they do not delay the session that much.

I started a https session from my firefox to aig.mir3.com to see the behaviour of the site without a proxy and the response times are not very impressing there either. Also here the Client Hello contained Warning Alerts in all sessions. Shift-Ctrl-Q shows the following Statistics: alt text
So telling from the colours in the time line , this looks like a server problem to me alt text

answered 01 Mar '14, 23:12

mrEEde's gravatar image

mrEEde
3.9k152270
accept rate: 20%

edited 02 Mar '14, 22:44

So do you think it is an issue with the server because the network is fine from what I can see or is it the client?

(02 Mar '14, 21:12) ejohnson7

go to https://www.mir3.com/ and click on any of the links (Products, Contact us, whatever) and you'll get

Not Found

The requested URL /intelligent-notification/ was not found on this server.
Apache/2.2.15 (CentOS) Server at www.mir3.com Port 443

I guess the ‘intelligent’ notification did not work for their own server ;-))

Looks like they have some problems with their tech equipment. So, it could be the server(s) or the network/environment where the servers are located!

(03 Mar ‘14, 15:35) Kurt Knochner ♦

Thanks so much Kurt that really help me out a lot What type of analyzer are you using, that could help me out big-time Once again thanks

(03 Mar ‘14, 20:14) ejohnson7

Kurt you think the google safebrowsing has somthing to do with the slow response just a thought

(03 Mar ‘14, 21:44) ejohnson7

What type of analyzer are you using,

It’s called: Good old Brain 1.0. ;-)

I don’t think safebrowsing has an effect here.

(03 Mar ‘14, 22:45) Kurt Knochner ♦

you serious GOOD old Brain really :-)

(04 Mar ‘14, 07:42) ejohnson7
showing 5 of 6 show 1 more comments

0

I need to find a goid analyze

answered 04 Mar '14, 19:22

ejohnson7's gravatar image

ejohnson7
119912
accept rate: 0%