Sharkfest 17 US
Workflow-based Analysis of Wireshark Traces: Now we can all be Experts
In this session we took a new approach to packet analysis.
We analyzed a performance problem, and discovered how to reduce thousands of packets to a handful, and nail the cause.
Even with a relatively good knowledge of TCP/IP and Wireshark, it can be difficult to know where to start with the analysis of trace files. Hundreds of thousands of packets and many protocols can be totally overwhelming unless you have years of experience, or can get someone with years of experience to help. Workbench offers a systematic way to analyse traces, based on workflows modelled on the way experts work. In this session we were able to troubleshoot a performance problem from start through to root cause using Wireshark and the community edition of Workbench.
Here's what we covered in the session:
- End-to-end transaction analysis theory
- Four patterns of packets that distinguish between a client, network or server problem
- A three-point strategy for packet analysis
- How to find the time frame of a problem
- Filtering techniques to select just the trace data needed
- How to match packets as they cross the network
- A strategy to identify the component causing the problem
- How to cross check packet analysis findings with web log information
Paul Offord, Project Leader, TribeLab
Paul has had a 39-year career in the IT industry that includes roles in hardware engineering, software engineering and network management. Prior to founding Advance7, he worked for IBM, National Semiconductor and Hitachi Data Systems. Paul and the Problem Analysts at Advance7 help IT support teams in many business sectors troubleshoot difficult performance and stability problems. Paul has recently contributed code to the Wireshark project and is currently leading the team developing Workbench.