Wireshark-users: Re: [Wireshark-users] newbie question
From: jack craig <jcraig@xxxxxxxxxxxxx>
Date: Thu, 25 Feb 2010 14:37:43 -0800
hey tony,

as one newbie to another, i thought to suggest the expert mode.
yes, i know that doesn't make sense, but!

after you do your capture, analyze->expert info and take a look at the tabs.
i found the expert mode highlighted serious stuff without my having to look at the details.

try also the various statistics options and see if they too don't also shed some hi-level light on your issues?

sadly, i am just scratching the surface of individual packet contents decoding.

hth, jackc...


On 02/25/2010 01:54 PM, Tony Manetta wrote:
let's try that again...here are the frames

No.     Time        Source                Destination           Protocol
Info
      248 14.550042   192.168.1.44          24.92.226.11
TCP      [TCP Retransmission] [TCP segment of a reassembled PDU]

Frame 248 (1078 bytes on wire, 1078 bytes captured)
Ethernet II, Src: Sony_d9:95:99 (00:1a:80:d9:95:99), Dst: Cisco_d0:4f:11
(00:24:14:d0:4f:11)
Internet Protocol, Src: 192.168.1.44 (192.168.1.44), Dst: 24.92.226.11
(24.92.226.11)
Transmission Control Protocol, Src Port: 50748 (50748), Dst Port: http
(80), Seq: 190, Ack: 26, Len: 1024
      Source port: 50748 (50748)
      Destination port: http (80)
      [Stream index: 8]
      Sequence number: 190    (relative sequence number)
      [Next sequence number: 1214    (relative sequence number)]
      Acknowledgement number: 26    (relative ack number)
      Header length: 20 bytes
      Flags: 0x18 (PSH, ACK)
      Window size: 16688
      Checksum: 0x4ef6 [validation disabled]
      [SEQ/ACK analysis]
          [Number of bytes in flight: 1024]
          [TCP Analysis Flags]
              [This frame is a (suspected) retransmission]
                  [Expert Info (Note/Sequence): Retransmission (suspected)]
                      [Message: Retransmission (suspected)]
                      [Severity level: Note]
                      [Group: Sequence]
              [The RTO for this segment was: 0.294203000 seconds]
              [RTO based on delta from frame: 246]
      [Reassembled PDU in frame: 246]
      TCP segment data (1024 bytes)

No.     Time        Source                Destination           Protocol
Info
      249 14.550713   24.92.226.11          192.168.1.44
HTTP     [TCP Retransmission] HTTP/1.1 100 Continue

Frame 249 (79 bytes on wire, 79 bytes captured)
Ethernet II, Src: Cisco_d0:4f:11 (00:24:14:d0:4f:11), Dst: Sony_d9:95:99
(00:1a:80:d9:95:99)
Internet Protocol, Src: 24.92.226.11 (24.92.226.11), Dst: 192.168.1.44
(192.168.1.44)
Transmission Control Protocol, Src Port: http (80), Dst Port: 50748
(50748), Seq: 1, Ack: 190, Len: 25
      Source port: http (80)
      Destination port: 50748 (50748)
      [Stream index: 8]
      Sequence number: 1    (relative sequence number)
      [Next sequence number: 26    (relative sequence number)]
      Acknowledgement number: 190    (relative ack number)
      Header length: 20 bytes
      Flags: 0x18 (PSH, ACK)
      Window size: 260
      Checksum: 0x53fb [validation disabled]
      [SEQ/ACK analysis]
          [Number of bytes in flight: 25]
          [TCP Analysis Flags]
              [This frame is a (suspected) retransmission]
                  [Expert Info (Note/Sequence): Retransmission (suspected)]
                      [Message: Retransmission (suspected)]
                      [Severity level: Note]
                      [Group: Sequence]
              [The RTO for this segment was: 0.294992000 seconds]
              [RTO based on delta from frame: 245]
Hypertext Transfer Protocol
      HTTP/1.1 100 Continue\r\n
          [Expert Info (Chat/Sequence): HTTP/1.1 100 Continue\r\n]
              [Message: HTTP/1.1 100 Continue\r\n]
              [Severity level: Chat]
              [Group: Sequence]
          Request Version: HTTP/1.1
          Response Code: 100
      \r\n

No.     Time        Source                Destination           Protocol
Info
      250 14.550738   192.168.1.44          24.92.226.11
TCP      [TCP Dup ACK 248#1] 50748>  http [ACK] Seq=1214 Ack=26
Win=16688 Len=0 SLE=1 SRE=26

Frame 250 (66 bytes on wire, 66 bytes captured)
Ethernet II, Src: Sony_d9:95:99 (00:1a:80:d9:95:99), Dst: Cisco_d0:4f:11
(00:24:14:d0:4f:11)
Internet Protocol, Src: 192.168.1.44 (192.168.1.44), Dst: 24.92.226.11
(24.92.226.11)
Transmission Control Protocol, Src Port: 50748 (50748), Dst Port: http
(80), Seq: 1214, Ack: 26, Len: 0
      Source port: 50748 (50748)
      Destination port: http (80)
      [Stream index: 8]
      Sequence number: 1214    (relative sequence number)
      Acknowledgement number: 26    (relative ack number)
      Header length: 32 bytes
      Flags: 0x10 (ACK)
      Window size: 16688
      Checksum: 0x1126 [validation disabled]
      Options: (12 bytes)
      [SEQ/ACK analysis]
          [This is an ACK to the segment in frame: 249]
          [The RTT to ACK the segment was: 0.000025000 seconds]
          [TCP Analysis Flags]
              [This is a TCP duplicate ack]
          [Duplicate ACK #: 1]
          [Duplicate to the ACK in frame: 248]
              [Expert Info (Note/Sequence): Duplicate ACK (#1)]
                  [Message: Duplicate ACK (#1)]
                  [Severity level: Note]
                  [Group: Sequence]
__________________________________________________________________

Tony Manetta, MBA, MCP
Supervisor of Networking Technology and Services
UDSMR
716-817-7850 (office)
716-479-6258 (mobile)

On 2/25/2010 4:54 PM, Tony Manetta wrote:
Hi

just tried using wireshark to see if a network issue is causing severe
slowness when logging into a web server....i'm having issues
understanding the output of the trace...can anyone help?  when i login
locally, the login time is approximately 4 seconds but when i login
across the web, it's over 25 seconds which is unacceptable.  if this
isn't appropriate use of this list, i apologize in advance....below are
3 frames which first start showing up as issues in  my capture...any
ideas are greatly appreciated....





--
Jack Craig
Software Engineer
831.461.7100 x120
www.extraview.com
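
Added example, not part of the original thread: a short Python script that pulls the Expert Info lines out of a packet-details text export like the one quoted above and tallies them by severity and group, which is roughly what the Expert Info tabs show. The sample input is abridged from the three quoted frames; the function names are this example's own.

```python
import re
from collections import Counter

# Abridged from the three frames quoted in the thread (packet details as text).
SAMPLE = r"""Frame 248 (1078 bytes on wire, 1078 bytes captured)
                  [Expert Info (Note/Sequence): Retransmission (suspected)]
                      [Message: Retransmission (suspected)]
Frame 249 (79 bytes on wire, 79 bytes captured)
                  [Expert Info (Note/Sequence): Retransmission (suspected)]
          [Expert Info (Chat/Sequence): HTTP/1.1 100 Continue\r\n]
Frame 250 (66 bytes on wire, 66 bytes captured)
              [Expert Info (Note/Sequence): Duplicate ACK (#1)]
"""

FRAME_RE = re.compile(r"^Frame (\d+)\b")
EXPERT_RE = re.compile(r"\[Expert Info \((\w+)/(\w+)\): (.*)\]\s*$")
# Expert severities, least to most serious; "Warn" and "Warning" are both accepted.
RANK = {"Comment": 0, "Chat": 1, "Note": 2, "Warn": 3, "Warning": 3, "Error": 4}


def parse_expert_info(text):
    """Return (frame, severity, group, message) for every Expert Info line."""
    entries, frame = [], None
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frame = int(m.group(1))
            continue
        m = EXPERT_RE.search(line)
        if m:
            entries.append((frame, m.group(1), m.group(2), m.group(3)))
    return entries


def summarize(entries, min_severity="Note"):
    """Count entries at or above min_severity, folding per-packet counters."""
    floor = RANK[min_severity]
    counts = Counter()
    for _frame, severity, group, message in entries:
        if RANK.get(severity, floor) < floor:
            continue  # unknown severities are kept rather than silently dropped
        # "Duplicate ACK (#1)", "(#2)", ... are one kind of event
        counts[(severity, group, re.sub(r"#\d+", "#N", message))] += 1
    return counts


if __name__ == "__main__":
    for (sev, group, msg), n in summarize(parse_expert_info(SAMPLE)).most_common():
        print(f"{n:3d}  {sev}/{group}: {msg}")
```
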