• No results found

T2-6: Trace File Analysis - The Elephant Coming From Behind: Full Window, Window Update and TCP Keep-Alive s

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "T2-6: Trace File Analysis - The Elephant Coming From Behind: Full Window, Window Update and TCP Keep-Alive s"

Copied!
13
0
0

Loading.... (view fulltext now)

Download now ( 13 Page )

Full text

(1)

T2-6: Trace File Analysis

Coming From Behind: Full Window, Window

Update and TCP Keep-Alive’s

Laura Chappell

Founder | Wireshark University

SHARKFEST '08 | Foothill College | March 31

Betty DuBois

Principal Consultant | DuBois Training & Consulting, LLC

SHARKFEST '08

Foothill College

March 31 - April 2, 2008

6: Trace File Analysis - The Elephant

Coming From Behind: Full Window, Window

Alive’s

SHARKFEST '08 | Foothill College | March 31 - April 2, 2008

(2)

Agenda

Using Wireshark to isolate a TCP Window issue

 Expert Info

 Errors  Warnings  Notes

 Zero Window

SHARKFEST '08 | Foothill College | March 31

Zero Window  Window Update  Keep Alive  Window Full  Chat  Time Column  Delta  Delta Displayed

Using Wireshark to isolate a TCP Window issue

(3)

Best Practices for Protocol Analysis

Onsite v. offsite analysis

Create a baseline when performance is acceptable

Analyze application traffic before deployment (capacity planning) Troubleshooting Tips:

 Who complained?

 Begin as close to the user as possible

 Name captures appropriately (sue1, sue2, sue3mac, etc.)

 Move analyzer as needed or use multiple analyzers and agents

Time-sync if using multiple analyzers

 Time-sync if using multiple analyzers

 Have taps/hubs in place for when the need arises  Focus on the time column (delta time setting)  Consider command-line capture (nmcap/tshark)

Security Tips:

 Baseline protocols, applications, traffic patterns

 Examine summary and protocol information for anomalies  Look for signatures in questionable traffic

 Snort website has many signatures in the rule sets

Best Practices for Protocol Analysis

Create a baseline when performance is acceptable

Analyze application traffic before deployment (capacity planning)

Name captures appropriately (sue1, sue2, sue3mac, etc.)

Move analyzer as needed or use multiple analyzers and agents Have taps/hubs in place for when the need arises

Focus on the time column (delta time setting) line capture (nmcap/tshark) Baseline protocols, applications, traffic patterns

Examine summary and protocol information for anomalies Look for signatures in questionable traffic

(4)

Expert Info – Errors

Error (

red

): serious problem, e.g. [Malformed

Packet]

 Malformed: malformed packet or dissector has a

bug, dissection of this packet aborted

Expert Errors do NOT always mean a network

Expert Errors do NOT always mean a network

or communication error, they may indication a

dissector errors

Errors

: serious problem, e.g. [Malformed

: malformed packet or dissector has a bug, dissection of this packet aborted

Expert Errors do NOT always mean a network

Expert Errors do NOT always mean a network

or communication error, they may indication a

(5)

Expert Info – Warnings

Warn (yellow): warning, e.g. application returned an

"unusual" error code like a connection problem Are the fast retransmissions the issue?

 Calculate percentage of retransmitted vs. normal packets.  Over 1% error ratio merits further investigation. That is not  Over 1% error ratio merits further investigation. That is not

the case here.

Attend Session T2-8 for further info on Retransmissions and Fast Retransmissions

Warnings

: warning, e.g. application returned an "unusual" error code like a connection problem

Are the fast retransmissions the issue?

Calculate percentage of retransmitted vs. normal packets. Over 1% error ratio merits further investigation. That is not Over 1% error ratio merits further investigation. That is not

8 for further info on Retransmissions and Fast Retransmissions

(6)

Expert Info – Notes

Note (cyan): notable things, e.g. an application returned

an "usual" error code like HTTP 404

 Zero window  Window update  Keep-Alive  Duplicate ACK (Covered in Session T2-8)

Notes

: notable things, e.g. an application returned an "usual" error code like HTTP 404

(7)

Expert Info – Notes

The key to determining when a Zero Window is truly an issue, is how long does it stay at zero before updating. The example below shows a host processing its data

and updating the TCP window very quickly.

tcp-window-good.pcap

Notes – Zero Window

The key to determining when a Zero Window is truly an issue, is how long does it stay at zero before updating. The example below shows a host processing its data

and updating the TCP window very quickly.

(8)

Expert Info – Notes

Wireshark creates an Expert Note whenever the TCP window size increases.

Warning: Wireshark does NOT create the Note when the window size is decreasing.

Notes – Window Update

Wireshark creates an Expert Note whenever the TCP

Warning: Wireshark does NOT create the Note when the window size is decreasing.

(9)

Expert Info – Notes

Normal Keep-Alive’s should be sent at regular intervals when no data is being transferred to keep the session alive.

In this trace, what do you notice about the Delta times?

Notes – Keep-Alive

Alive’s should be sent at regular intervals when no data is being transferred to keep the session In this trace, what do you notice about the Delta times?

(10)

Timings

Using the Time columns makes isolating faults much more efficient.

 Delta previous packet may not be seen  Delta Displayed only care about seen packets

Using the Time columns makes isolating faults much

previous packet may not be seen only care about seen packets

(11)

Receiver Congestion

SEQ 3000 – 1460 bytes of data

SEQ 2000 – 0 bytes of data; ACK 4460, Win=5840

SEQ 4460 – 1460 bytes of data

SEQ 5920– 1460 bytes of data

SEQ 7380 – 1460 bytes of data

SEQ 2000 – 0 bytes of data; ACK 5920, Win=4380

SEQ 2000 – 0 bytes of data; ACK 7380, Win=2920

SEQ 8840 – 1460 bytes of data

SEQ 10300 – 1460 bytes of data

SEQ 2000 – 0 bytes of data; ACK 8840, Win=1460

SEQ 2000 – 0 bytes of data; ACK 8840, Win=0

Receiver Congestion

1460 bytes of data

0 bytes of data; ACK 4460, Win=5840

1460 bytes of data

1460 bytes of data

1460 bytes of data 1460

1460

0 bytes of data; ACK 5920, Win=4380

0 bytes of data; ACK 7380, Win=2920

1460 bytes of data

1460 bytes of data

0 bytes of data; ACK 8840, Win=1460

0 bytes of data; ACK 8840, Win=0

1460 1460

(12)

Lab: Congestion

File: download-bad.cap

Select View > Time Display Format > Seconds Since Previous Displayed Packet

Sort the packets on the Time column Sort the packets on the Time column

What is the cause of the highest delays in this trace file? Re-sort by the number column

 Which packet filled the receive buffer?

 What was the total delay time caused by receiver

congestion?

 Was packet loss and high latency the biggest problem in this

trace file?

Lab: Congestion

Select View > Time Display Format > Seconds Since Previous Displayed Packet

Sort the packets on the Time column Sort the packets on the Time column

What is the cause of the highest delays in this trace file? sort by the number column

Which packet filled the receive buffer?

What was the total delay time caused by receiver

(13)

What’s Next?

Laura’s Lab Kit v9

In show bags as well as…

ISO image: www.novell.com/connectionmagazine/laurachappell.html

Wireshark University: www.wiresharkU.com

Laura’s Blog: laurachappell.blogspot.com/

www.novell.com/connectionmagazine/laurachappell.html www.wiresharkU.com

References

Download now ( PDF - 13 Page - 436.21 KB )

Related documents

Variational techniques for medical and image processing applications using generalized Gaussian distribution

We also present a variational learning framework for the infinite generalized Gaussian mixture (IGGM) to address the model selection problem; i.e., determina- tion of the number

On alternative methods of determining Radius of Curvature using Newton s Rings set up

By knowing the fringe number, the thickness of the air film which creates the path difference causing the destructive interference leading to the formation of that dark fringe is

Gaia: Solar System observations

‰ centroiding errors lead to offset in the window ‰ transit velocity errors lead to a drift in the window. „ A moving object will also drift relative to

L/C/TF Number(s) Closing Date (Original) Total Project Cost (USD) IBRD Jun ,566,277.00

The project development objectives (PDOs) were " to improve the capacity of the main navigation channel in Meizhou Bay and enhance the management capacity of Meizhou Bay

Biodiversity–multifunctionality relationships depend on identity and number of measured functions

Abstract: Biodiversity ensures ecosystem functioning and provisioning of ecosystem services, but it re- mains unclear how biodiversity–ecosystem multifunctionality relationships

Using Alpha-beta Partnership Method in Teaching Speaking to the First Semester Students of Stai-bs Lubuklinggau

Having administered the pre-test, the writer conducted the research by giving the student ’s treatments, it means that the writer taught speaking through Alpha-Beta

Australia UK bilateral economic relations

I want to begin by looking at the nature of the economic relationship between Australia and the UK, which I want to think about in terms of three flows; flows of goods and services

Child Labour and Its Determinants in Informal Sector of Onitsha, Anambra State , Nigeria.

The result showed that a unit increase in the age of children reduced the probability of combining school with work and the determinants of child labour were age,