Network Trace Analysis Guide

Introduction


Purpose

You've got a basic understanding of networking and you can drive Wireshark to a reasonable level (capture, display and filter).  You can mimic the tips and tricks that you've seen demonstrated on YouTube and you are keen to get the most out of Wireshark.  Your boss has asked you to take a look at a response time problem with an important business system.  You've successfully captured trace data from multiple points in the end-to-end system but you are struggling to analyze it.  Where do you start?  Which tips and tricks are applicable?

If this sounds familiar you've come to the right place.

This interactive guide will lead you through the analysis of network trace data for simple PC - file server systems right through to complex multi-tier business systems.

Top-down vs. Bottom-up

Many trace analysis courses approach the subject by leading the student through the study of Ethernet, IP protocols and TCP protocols.  They rely on checklists and use cases to guide the analysis.  There are several drawbacks with this approach:

  • All network traces will contain error conditions (usually recoverable), and so the analyst needs a tremendous amount of experience to determine what's important and what's not
  • The reliance on use cases means that the analyst needs an encyclopedic knowledge of such cases and must be able to recognize the patterns in a wide variety of environments
  • If a similar network event scenario has not been seen before, the reliance on use cases won't produce a result
  • The examples used often lack any correlation to a user symptom; the tutorial may start with the statement, "Here we see a typical DNS issue", but how did we know we had a DNS issue in the first place, and how do we know we are addressing the right issue?

To overcome these issues requires significant experience, and experience cannot be taught.

This guide is based on a top-down approach.  We start where the eyeballs meet the screen, and then move down through the application, presentation, session, transport, network and data link layers.  This approach has some significant advantages over the bottom-up approach:

  • It's fast
  • It produces completely reliable results
  • It can be taught

Using this Guide

We provide a step-by-step guide to analysis, and point to the techniques you will need to apply along the way.  You can, of course, read all of this book chapter-by-chapter, but for fast results just read the first few chapters and then work through the procedure in Start Here for Analysis Guidance.

The examples in this guide are based around the use of Wireshark for protocol analysis; however, the techniques used can be easily adapted to any network analysis software.

Feedback Needed

This book is a work in progress and we need your feedback.  Please post questions and share your thoughts via the forum for this course.