Wireshark-users: Re: [Wireshark-users] Intermittent Performance Problems
From: "Martin Visser" <martinvisser99@xxxxxxxxx>
Date: Wed, 12 Nov 2008 15:28:55 +1100
Normally I would say, yes, you want to capture the "background" traffic as well. You can then use the IO graph (with 2 approriate inbound and outbound filters) and see if you have correllation between background traffic and you application slowness. You can also see if other traffic using the same path is experiencing the same or different response times.
If you have other means of measuring the traffic throughput your network bottleneck, then there is an alternative. For instance, get interface data (probably via SNMP) from a router/switch that is in the path, But you will need to poll it pretty frequently (say 5 seconds) to get useful data. (if the congestion only occurs for the 5 seconds when the problem occurs you would want to see that.) . Getting 1 minute or longer sample data wont give you clues to instantaneous congestion.
Another alternative is to send probe traffic that traverses the link but does not significantly impact on the network, client or server. This might be as simple as ICMP pings between client and server. (or another client on the same switch and another server or even the switch management IP address). This will enable you to measure the round-trip-time of the network, less whatever is the probe processing time at the far end, which should be small. If you get consistent response times for these (and you can capture these as well in wireshark), but get different variation for your application traffic then you can conclude you have server processing issue. Of course vice versa if you can see the ping response vary as does the app traffic then you may have network congestion issues. This of course assumes your network treats ICMP (or whatever other probe you use) as equally as the app traffic. If you do have QoS policies on your router/switches then you need to account for how the network treats traffic differently.
Martin
--
Regards, Martin
MartinVisser99@xxxxxxxxx
If you have other means of measuring the traffic throughput your network bottleneck, then there is an alternative. For instance, get interface data (probably via SNMP) from a router/switch that is in the path, But you will need to poll it pretty frequently (say 5 seconds) to get useful data. (if the congestion only occurs for the 5 seconds when the problem occurs you would want to see that.) . Getting 1 minute or longer sample data wont give you clues to instantaneous congestion.
Another alternative is to send probe traffic that traverses the link but does not significantly impact on the network, client or server. This might be as simple as ICMP pings between client and server. (or another client on the same switch and another server or even the switch management IP address). This will enable you to measure the round-trip-time of the network, less whatever is the probe processing time at the far end, which should be small. If you get consistent response times for these (and you can capture these as well in wireshark), but get different variation for your application traffic then you can conclude you have server processing issue. Of course vice versa if you can see the ping response vary as does the app traffic then you may have network congestion issues. This of course assumes your network treats ICMP (or whatever other probe you use) as equally as the app traffic. If you do have QoS policies on your router/switches then you need to account for how the network treats traffic differently.
Martin
On Wed, Nov 12, 2008 at 3:01 PM, Cyril Spiro <spiroc@xxxxxxxxxxxxxxx> wrote:
Thanks, Martin.
In order to see what 'other traffic is going on the link', do we need to
capture all packets versus only the packets to and from ip address .221?
The problem has been that it's such a huge volume of data it bogs down the
sniffer and possibly even stops capturing mid-day (or so it seemed one
time).
Please let me know if I understand your statement correctly.
Thanks,
spiroc
-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of
wireshark-users-request@xxxxxxxxxxxxx
Subject: Wireshark-users Digest, Vol 30, Issue 271. Re: Intermittent Performance Problems (Martin Visser)
Send Wireshark-users mailing list submissions to
wireshark-users@xxxxxxxxxxxxx
To subscribe or unsubscribe via the World Wide Web, visit
https://wireshark.org/mailman/listinfo/wireshark-users
or, via email, send a message with subject or body 'help' to
wireshark-users-request@xxxxxxxxxxxxx
You can reach the person managing the list at
wireshark-users-owner@xxxxxxxxxxxxx
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Wireshark-users digest..."
Today's Topics:
----------------------------------------------------------------------
Message: 1
Date: Wed, 12 Nov 2008 14:40:01 +1100
From: "Martin Visser" <martinvisser99@xxxxxxxxx><b3739b0c0811111940u1826116fia548186d9d5d93fe@xxxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] Intermittent Performance Problems
Content-Type: text/plain; charset="utf-8"
/attachment.html<http://www.wireshark.org/lists/wireshark-users/attachments/
Of course my 2.3s below should read 3.2s. Thanks for the pcap - it makes it
easy to read.
On Wed, Nov 12, 2008 at 1:50 PM, Martin Visser
<martinvisser99@xxxxxxxxx>wrote:
> I had a quick look. The main delay is the 2.3 seconds between the server
> ACKing your post (frame 169241), and it then following through with the
417
> byte response (frame 169242). As the round trip time of packets before and
> after are very quick (a few ms) then I expect that the 2.3 secs is at the
> server end. (But you can't know *absolutely* for sure unless you know
what
> other traffic is going on the link at the time).
>
>
> On Wed, Nov 12, 2008 at 1:31 PM, Martin Visser
<martinvisser99@xxxxxxxxx>wrote:
>
>> Any chance of doing a "Save as" displyed packets (in pcap) format rather
>> than printing displayed?
>>
>>
>> On Wed, Nov 12, 2008 at 1:21 PM, Cyril Spiro
<spiroc@xxxxxxxxxxxxxxx>wrote:
>>
>>> First of all, thanks to those who responded to my last post. The
answers
>>> were very helpful in educating me on interpreting the wireshark output.
>>>
>>> The last example was a random sample of a tcp stream which indicated a
>>> 1.3
>>> second duration from SYN to FIN ACK, with about 50% of the time used for
>>> server processes and 50% for transporting data via the network. These
>>> durations were within tolerable limits.
>>>
>>> In this new attached example, the user pointed us to a specific incident
>>> which took 5 seconds between the time that he clicked the submit button
>>> on
>>> the webpage and the screen refreshed. We confirmed the user's statement
>>> with the wireshark output. The question is why?
>>>
>>> Can anyone see from the attached report what could have caused the
delay?
>>> Note, that this capture was exclusively for data between the users PC
and
>>> the server. We have the full tcpdump file for the day for the users PC,
>>> but
>>> it is very large (33MB).
>>>
>>> Also, please note that when the user submitted data in the same html
form
>>> at
>>> different times of the day the duration was consistently significantly
>>> shorter (<1s) and within tolerable limits. So, it appears that
something
>>> unique happened during the attached example.
>>>
>>> In summary, users are complaining that this intermittent slowness is
>>> frustrating to them and the attached example is a rare glimpse into one
>>> of
>>> these events. The most important question to answer at this time is can
>>> we
>>> tell if the delay is being caused by the server or by the network?
>>>
>>> Thanks in advance for your help,
>>> spiroc
>>>
>>>
>>> -----Original Message-----
>>> From: wireshark-users-bounces@xxxxxxxxxxxxx
>>> [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of
>>> wireshark-users-request@xxxxxxxxxxxxx
>>> Sent: Monday, November 10, 2008 5:42 AM
>>> To: wireshark-users@xxxxxxxxxxxxx
>>> Subject: Wireshark-users Digest, Vol 30, Issue 17
>>>
>>> Send Wireshark-users mailing list submissions to
>>> wireshark-users@xxxxxxxxxxxxx
>>>
>>> To subscribe or unsubscribe via the World Wide Web, visit
>>> https://wireshark.org/mailman/listinfo/wireshark-users
>>> or, via email, send a message with subject or body 'help' to
>>> wireshark-users-request@xxxxxxxxxxxxx
>>>
>>> You can reach the person managing the list at
>>> wireshark-users-owner@xxxxxxxxxxxxx
>>>
>>> When replying, please edit your Subject line so it is more specific
>>> than "Re: Contents of Wireshark-users digest..."
>>>
>>>
>>> Today's Topics:
>>>
>>> 1. Not need to save packet data (Adisak)
>>> 2. Re: Not need to save packet data (j.snelders@xxxxxxxxxx)
>>> 3. Re: Intermittent Performance Problems on (Martin Visser)
>>> 4. Re: Not need to save packet data (Jaap Keuter)
>>>
>>>
>>> ----------------------------------------------------------------------
>>>
>>> Message: 1
>>> Date: Mon, 10 Nov 2008 08:34:32 +0700
>>> From: "Adisak" <adisak@xxxxxxxxxxx>
>>> Subject: [Wireshark-users] Not need to save packet data
>>> To: "'Community support list for Wireshark'"
>>> <wireshark-users@xxxxxxxxxxxxx>
>>> Message-ID: <200811100136.mAA1aMBV026303@xxxxxxxxxxxxxxx>
>>> Content-Type: text/plain; charset="us-ascii"
>>>
>>> Hi all,
>>>
>>> I'm very new for Wireshark.
>>>
>>>
>>>
>>> I've download and used Wireshark on a few day ago.
>>>
>>> I'll use Wireshark in my company for check the traffic of proxy server.
>>>
>>> But, I'd like to collect only Time, IP address both source and
>>> Destination,
>>> Protocol type and information only.
>>>
>>> Not need to save packet data, Because log file will growth big in a
>>> shortly
>>> time.
>>>
>>> I've try to setting Wireshark for from 2 days ago but I can't.
>>>
>>> Anyone have an idea for my question?
>>>
>>>
>>>
>>> P.S. I used Wireshark on windows.
>>>
>>>
>>>
>>> Best Regards,
>>>
>>> Adisak
>>>
>>>
>>>
>>> -------------- next part --------------
>>> An HTML attachment was scrubbed...
>>> URL:
>>>
>>>
http://www.wireshark.org/lists/wireshark-users/attachments/20081110/ee6f18e8
>>>
/attachment.htm<http://www.wireshark.org/lists/wireshark-users/attachments/220081110/ee6f18e8/attachment.html>
>>>
>>> ------------------------------
>>>
>>> Message: 2
>>> Date: Mon, 10 Nov 2008 06:20:26 +0100
>>> From: j.snelders@xxxxxxxxxx
>>> Subject: Re: [Wireshark-users] Not need to save packet data
>>> To: adisak@xxxxxxxxxxx, "Community support list for Wireshark"
>>> <wireshark-users@xxxxxxxxxxxxx>
>>> Message-ID: <481B206B000A3AFE@xxxxxxxxxxxxxxxxxxxxxxxxxx>
>>> Content-Type: text/plain; charset="US-ASCII"
>>>
>>> Hi Adisak,
>>>
>>> You can use the option: Limit each packet to 68 bytes.
>>> You'll find it at
>>> Capture -> Capture Options
>>>
>>> Thanks
>>> Joan
>>>
>>> >To: "'Community support list for Wireshark'"
>>> <wireshark-users@xxxxxxxxxxxxx>
>>> On Mon, 10 Nov 2008 08:34:32 +0700 Adisak Wrote:
>>> >Hi all,
>>> >
>>> >I'm very new for Wireshark.
>>> >
>>> >
>>> >
>>> >I've download and used Wireshark on a few day ago.
>>> >
>>> >I'll use Wireshark in my company for check the traffic of proxy server.
>>> >
>>> >But, I'd like to collect only Time, IP address both source and
>>> Destination,
>>> >Protocol type and information only.
>>> >
>>> >Not need to save packet data, Because log file will growth big in a
>>> shortly
>>> >time.
>>> >
>>> >I've try to setting Wireshark for from 2 days ago but I can't.
>>> >
>>> >Anyone have an idea for my question?
>>> >
>>> >
>>> >
>>> >P.S. I used Wireshark on windows.
>>> >
>>> >
>>> >
>>> >Best Regards,
>>> >
>>> >Adisak
>>> >
>>> >
>>> >
>>> >_______________________________________________
>>> >Wireshark-users mailing list
>>> >Wireshark-users@xxxxxxxxxxxxx
>>> >https://wireshark.org/mailman/listinfo/wireshark-users
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> ------------------------------
>>>
>>> Message: 3
>>> Date: Mon, 10 Nov 2008 16:30:21 +1100
>>> From: "Martin Visser" <martinvisser99@xxxxxxxxx>
>>> Subject: Re: [Wireshark-users] Intermittent Performance Problems on
>>> To: "Community support list for Wireshark"
>>> <wireshark-users@xxxxxxxxxxxxx>
>>> Message-ID:
>>> <b3739b0c0811092130s45347b93va3d53d24f51f044b@xxxxxxxxxxxxxx>
>>> Content-Type: text/plain; charset=UTF-8
>>>
>>> Cyril,
>>>
>>> Rather than sending the text output, it is probably more useful to
>>> send the pcap capture file (unless you have private data you need to
>>> obscure)
>>>
>>> Only seeing one side makes it a little hard (make sure filter includes
>>> client and server as both source and destination), however what can be
>>> gleaned is :-
>>>
>>> 1. The connection response (3-way handshake SYN/SYN-ACK/ACK) is 1.4ms
>>> (packet 1822-1821). This indicates your server is physically close and
>>> the TCP stack is responsive
>>> 2. Your client issued a HTTP GET straight after (packet 1823) and then
>>> ACKed the first bytes from the server response in less then 594ms
>>> (packet 1839 - 1823). More that likely your server won't start sending
>>> data until it has finished the backend database server transaction,
>>> but that is totally dependent on how you web app is built. So it is
>>> likely this is your server processing time
>>> 3. You received the last byte from that stream sometime before packet
>>> 1873. Thus time from first byte to last byte received is approximately
>>> 665ms. This is the time of flight of your received data. The ACKs show
>>> that your received 56152 bytes in that time, thus your throughput was
>>> 84430 Bps or 675Kbps. This may be good or bad depending on your
>>> network pipe between client and servers and how much concurrent usage
>>> occurred.
>>>
>>> So for your transaction I would conclude around half of the time was
>>> backend processing (the 594ms) and half simply filling the available
>>> pipe with your data (the 665ms)
>>>
>>>
>>> (Note at packet 95288 your reused the TCP port 2398 some hours later -
>>> so this is from another session to the first)
>>>
>>>
>>> Regards, Martin
>>>
>>>
>>> On Mon, Nov 10, 2008 at 1:04 AM, Cyril Spiro <spiroc@xxxxxxxxxxxxxxx>
>>> wrote:
>>> > Ryan,
>>> >
>>> > Thank you for your response.
>>> >
>>> > I have followed your recommendation and taken a snap shot of one TCP
>>> stream
>>> > during a period when the users stated the intranet-based web
>>> application
>>> was
>>> > slow.
>>> >
>>> > Attached is a sample of one TCP Stream which took 1.3 seconds. I
>>> provide
>>> > this as an example for assistance in interpreting the Wireshark
>>> results.
>>> >
>>> > What surprised me is that all packets indicate communication from
>>> > 192.168.0.221 (client) to 192.168.0.150 (server) and none in the other
>>> > direction.
>>> >
>>> > Again, our goal is to know if this screen rendering took 1.3 seconds
>>> because
>>> > the server was busy processing the request (database calls, etc.) or
if
>>> the
>>> > network was jammed outside of the server.
>>> >
>>> > Any insight that you can provide on how to read the results in order
to
>>> > answer this question is much appreciated.
>>> >
>>> > spiroc
>>> >
>>> >
>>> >
>>> > -----Original Message-----
>>> > From: wireshark-users-bounces@xxxxxxxxxxxxx
>>> > [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of
>>> > wireshark-users-request@xxxxxxxxxxxxx
>>> > Sent: Thursday, November 06, 2008 7:12 PM
>>> > To: wireshark-users@xxxxxxxxxxxxx
>>> > Subject: Wireshark-users Digest, Vol 30, Issue 11
>>> >
>>> > Send Wireshark-users mailing list submissions to
>>> > wireshark-users@xxxxxxxxxxxxx
>>> >
>>> > To subscribe or unsubscribe via the World Wide Web, visit
>>> > https://wireshark.org/mailman/listinfo/wireshark-users
>>> > or, via email, send a message with subject or body 'help' to
>>> > wireshark-users-request@xxxxxxxxxxxxx
>>> >
>>> > You can reach the person managing the list at
>>> > wireshark-users-owner@xxxxxxxxxxxxx
>>> >
>>> > When replying, please edit your Subject line so it is more specific
>>> > than "Re: Contents of Wireshark-users digest..."
>>> >
>>> >
>>> > Today's Topics:
>>> >
>>> > 1. Re: tshark creates files in temp dir (j.snelders@xxxxxxxxxx)
>>> > 2. Re: tshark creates files in temp dir (Al Aghili)
>>> > 3. Re: tshark creates files in temp dir (Stephen Fisher)
>>> > 4. Re: tshark creates files in temp dir (Al Aghili)
>>> > 5. Re: tshark creates files in temp dir (Stephen Fisher)
>>> > 6. Re: tshark creates files in temp dir (Guy Harris)
>>> > 7. Re: tshark creates files in temp dir (Al Aghili)
>>> > 8. Re: Intermittent Performance Problems on Intranet (Ryan Zuidema)
>>> >
>>> >
>>> > ----------------------------------------------------------------------
>>> >
>>> > Message: 1
>>> > Date: Thu, 6 Nov 2008 21:26:45 +0100
>>> > From: j.snelders@xxxxxxxxxx
>>> > Subject: Re: [Wireshark-users] tshark creates files in temp dir
>>> > To: "Community support list for Wireshark"
>>> > <wireshark-users@xxxxxxxxxxxxx>
>>> > Message-ID: <481B3765000A0AD6@xxxxxxxxxxxxxxxxxxxxxxxxxx>
>>> > Content-Type: text/plain; charset="US-ASCII"
>>> >
>>> > Hi Al,
>>> >
>>> > I think that you have to define an output file:
>>> > $ tshark -i 2 -w output.cap
>>> >
>>> > HTH
>>> > Joan
>>> >
>>> > On Thu, 6 Nov 2008 10:39:32 -0700 Al Aghili wrote:
>>> >>Subject: [Wireshark-users] tshark creates files in temp dir
>>> >>
>>> >>Hi,
>>> >>When we run tshark on windows it sometimes creates these large files
in
>>> >>Windows/temp directory that start with "ether". Is there a way to turn
>>> >>this off?
>>> >>
>>> >>Thanks
>>> >>Al
>>> >>
>>> >>
>>> >>_______________________________________________
>>> >>Wireshark-users mailing list
>>> >>Wireshark-users@xxxxxxxxxxxxx
>>> >>https://wireshark.org/mailman/listinfo/wireshark-users
>>> >
>>> >
>>> >
>>> >
>>> >
>>> >
>>> >
>>> > ------------------------------
>>> >
>>> > Message: 2
>>> > Date: Thu, 6 Nov 2008 14:08:19 -0700
>>> > From: "Al Aghili" <aaghili@xxxxxxxxxxxxxxxxxx>
>>> > Subject: Re: [Wireshark-users] tshark creates files in temp dir
>>> > To: "'Community support list for Wireshark'"
>>> > <wireshark-users@xxxxxxxxxxxxx>
>>> > Message-ID: <00b601c94053$cf285540$2602a8c0@AlDell01>
>>> > Content-Type: text/plain; charset="us-ascii"
>>> >
>>> > Hi,
>>> > We're running tshark with the following command.
>>> > tshark -i 2 -V -l
>>> >
>>> > Then we read the standard out so we don't want to create an output
>>> file.
>>> >
>>> >
>>> > Thanks
>>> > Al
>>> >
>>> > -----Original Message-----
>>> > From: wireshark-users-bounces@xxxxxxxxxxxxx
>>> > [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of
>>> > j.snelders@xxxxxxxxxx
>>> > Sent: Thursday, November 06, 2008 1:27 PM
>>> > To: Community support list for Wireshark
>>> > Subject: Re: [Wireshark-users] tshark creates files in temp dir
>>> >
>>> > Hi Al,
>>> >
>>> > I think that you have to define an output file:
>>> > $ tshark -i 2 -w output.cap
>>> >
>>> > HTH
>>> > Joan
>>> >
>>> > On Thu, 6 Nov 2008 10:39:32 -0700 Al Aghili wrote:
>>> >>Subject: [Wireshark-users] tshark creates files in temp dir
>>> >>
>>> >>Hi,
>>> >>When we run tshark on windows it sometimes creates these large files
in
>>> >>Windows/temp directory that start with "ether". Is there a way to turn
>>> >>this off?
>>> >>
>>> >>Thanks
>>> >>Al
>>> >>
>>> >>
>>> >>_______________________________________________
>>> >>Wireshark-users mailing list
>>> >>Wireshark-users@xxxxxxxxxxxxx
>>> >>https://wireshark.org/mailman/listinfo/wireshark-users
>>> >
>>> >
>>> >
>>> >
>>> >
>>> > _______________________________________________
>>> > Wireshark-users mailing list
>>> > Wireshark-users@xxxxxxxxxxxxx
>>> > https://wireshark.org/mailman/listinfo/wireshark-users
>>> >
>>> >
>>> >
>>> > ------------------------------
>>> >
>>> > Message: 3
>>> > Date: Thu, 6 Nov 2008 14:39:25 -0700
>>> > From: Stephen Fisher <stephentfisher@xxxxxxxxx>
>>> > Subject: Re: [Wireshark-users] tshark creates files in temp dir
>>> > To: Community support list for Wireshark
>>> > <wireshark-users@xxxxxxxxxxxxx>
>>> > Message-ID: <20081106213925.GA40586@shadow.local>
>>> > Content-Type: text/plain; charset=us-ascii
>>> >
>>> > On Thu, Nov 06, 2008 at 10:39:32AM -0700, Al Aghili wrote:
>>> >
>>> >> When we run tshark on windows it sometimes creates these large files
>>> >> in Windows/temp directory that start with "ether". Is there a way to
>>> >> turn this off?
>>> >
>>> > These files are used for temporarily storing captured data for the
>>> > session that you run tshark for. They should be deleted when tshark
is
>>> > closed and able to quit gracefully. They cannot be turned off. What
>>> > version of tshark/Wireshark are you using? How are you stopping
>>> tshark?
>>> >
>>> >
>>> > Steve
>>> >
>>> >
>>> >
>>> > ------------------------------
>>> >
>>> > Message: 4
>>> > Date: Thu, 6 Nov 2008 16:01:40 -0700
>>> > From: "Al Aghili" <aaghili@xxxxxxxxxxxxxxxxxx>
>>> > Subject: Re: [Wireshark-users] tshark creates files in temp dir
>>> > To: "'Community support list for Wireshark'"
>>> > <wireshark-users@xxxxxxxxxxxxx>
>>> > Message-ID: <00c201c94063$a2dc8230$2602a8c0@AlDell01>
>>> > Content-Type: text/plain; charset="us-ascii"
>>> >
>>> > We're stopping it by killing the tshark process through a kill command
>>> > which I would think is not graceful. How do you recommend killing
>>> tshark
>>> > programmatically?
>>> >
>>> > Thanks
>>> > Al
>>> >
>>> > -----Original Message-----
>>> > From: wireshark-users-bounces@xxxxxxxxxxxxx
>>> > [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Stephen
>>> > Fisher
>>> > Sent: Thursday, November 06, 2008 2:39 PM
>>> > To: Community support list for Wireshark
>>> > Subject: Re: [Wireshark-users] tshark creates files in temp dir
>>> >
>>> > On Thu, Nov 06, 2008 at 10:39:32AM -0700, Al Aghili wrote:
>>> >
>>> >> When we run tshark on windows it sometimes creates these large files
>>> >> in Windows/temp directory that start with "ether". Is there a way to
>>> >> turn this off?
>>> >
>>> > These files are used for temporarily storing captured data for the
>>> > session that you run tshark for. They should be deleted when tshark
is
>>> > closed and able to quit gracefully. They cannot be turned off. What
>>> > version of tshark/Wireshark are you using? How are you stopping
>>> tshark?
>>> >
>>> >
>>> > Steve
>>> >
>>> > _______________________________________________
>>> > Wireshark-users mailing list
>>> > Wireshark-users@xxxxxxxxxxxxx
>>> > https://wireshark.org/mailman/listinfo/wireshark-users
>>> >
>>> >
>>> >
>>> > ------------------------------
>>> >
>>> > Message: 5
>>> > Date: Thu, 6 Nov 2008 16:24:58 -0700
>>> > From: Stephen Fisher <stephentfisher@xxxxxxxxx>
>>> > Subject: Re: [Wireshark-users] tshark creates files in temp dir
>>> > To: Community support list for Wireshark
>>> > <wireshark-users@xxxxxxxxxxxxx>
>>> > Message-ID: <20081106232458.GA44378@shadow.local>
>>> > Content-Type: text/plain; charset=us-ascii
>>> >
>>> > On Thu, Nov 06, 2008 at 04:01:40PM -0700, Al Aghili wrote:
>>> >
>>> >> We're stopping it by killing the tshark process through a kill
command
>>> >> which I would think is not graceful. How do you recommend killing
>>> >> tshark programmatically?
>>> >
>>> > I assume you're using some sort of Unix? In that case, SIGTERM (15),
>>> > SIGINT (2) and SIGHUP (1) are caught and should result in a graceful
>>> > shutdown of tshark. A SIGKILL (9) is not catchable and forces tshark
>>> to
>>> > quit immediately. Which are you using?
>>> >
>>> >
>>> > Steve
>>> >
>>> >
>>> >
>>> > ------------------------------
>>> >
>>> > Message: 6
>>> > Date: Thu, 6 Nov 2008 15:53:21 -0800
>>> > From: Guy Harris <guy@xxxxxxxxxxxx>
>>> > Subject: Re: [Wireshark-users] tshark creates files in temp dir
>>> > To: Community support list for Wireshark
>>> > <wireshark-users@xxxxxxxxxxxxx>
>>> > Message-ID: <7EA5C406-16B1-4425-969B-87EC2FB1BFD3@xxxxxxxxxxxx>
>>> > Content-Type: text/plain; charset=WINDOWS-1252; format=flowed;
>>> > delsp=yes
>>> >
>>> >
>>> > On Nov 6, 2008, at 9:39 AM, Al Aghili wrote:
>>> >
>>> >> When we run tshark on windows it sometimes creates these large files
>>> >> in Windows/temp directory that start with ?ether?. Is there a way to
>>> >> turn this off?
>>> >
>>> > Currently, no. TShark runs dumpcap to do the traffic capture, and
>>> > currently, if you run it without the "-w" flag, tells dumpcap to write
>>> > to a temporary file, and reads from the temporary file.
>>> >
>>> > At some point it should be changed to, in that case, have dumpcap
>>> > write the packets on a pipe, and read from the pipe.
>>> >
>>> > When you terminate TShark with ^C, then it should get rid of the
>>> > file. Is the problem that the file exists while the capture is being
>>> > done (in which case there's currently nothing you can do to stop it),
>>> > or that the file remains around after you terminate TShark?
>>> >
>>> > ------------------------------
>>> >
>>> > Message: 7
>>> > Date: Thu, 6 Nov 2008 16:59:18 -0700
>>> > From: "Al Aghili" <aaghili@xxxxxxxxxxxxxxxxxx>
>>> > Subject: Re: [Wireshark-users] tshark creates files in temp dir
>>> > To: "'Community support list for Wireshark'"
>>> > <wireshark-users@xxxxxxxxxxxxx>
>>> > Message-ID: <00c701c9406b$aeec7460$2602a8c0@AlDell01>
>>> > Content-Type: text/plain; charset="us-ascii"
>>> >
>>> > Guy,
>>> > I think we may have to manually delete the files after we kill the
>>> > tshark process. That was the problem I think. There were files left
>>> over
>>> > because we are killing the process programmatically (not ^C).
>>> >
>>> > In a high traffic environment these files tend to get very big. So
your
>>> > solution to write the packets on a pipe might work best in the future.
>>> >
>>> > At the same time if that increases the ram consumption then that's a
>>> > bigger problem because right now its on disk.
>>> >
>>> > Thanks for the help.
>>> >
>>> > Al
>>> >
>>> > -----Original Message-----
>>> > From: wireshark-users-bounces@xxxxxxxxxxxxx
>>> > [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Guy Harris
>>> > Sent: Thursday, November 06, 2008 4:53 PM
>>> > To: Community support list for Wireshark
>>> > Subject: Re: [Wireshark-users] tshark creates files in temp dir
>>> >
>>> >
>>> > On Nov 6, 2008, at 9:39 AM, Al Aghili wrote:
>>> >
>>> >> When we run tshark on windows it sometimes creates these large files
>>> >> in Windows/temp directory that start with "ether". Is there a way to
>>> >> turn this off?
>>> >
>>> > Currently, no. TShark runs dumpcap to do the traffic capture, and
>>> > currently, if you run it without the "-w" flag, tells dumpcap to write
>>> > to a temporary file, and reads from the temporary file.
>>> >
>>> > At some point it should be changed to, in that case, have dumpcap
>>> > write the packets on a pipe, and read from the pipe.
>>> >
>>> > When you terminate TShark with ^C, then it should get rid of the
>>> > file. Is the problem that the file exists while the capture is being
>>> > done (in which case there's currently nothing you can do to stop it),
>>> > or that the file remains around after you terminate TShark?
>>> > _______________________________________________
>>> > Wireshark-users mailing list
>>> > Wireshark-users@xxxxxxxxxxxxx
>>> > https://wireshark.org/mailman/listinfo/wireshark-users
>>> >
>>> >
>>> >
>>> > ------------------------------
>>> >
>>> > Message: 8
>>> > Date: Thu, 6 Nov 2008 17:13:14 -0700
>>> > From: "Ryan Zuidema" <Ryan.Zuidema@xxxxxxxxxxx>
>>> > Subject: Re: [Wireshark-users] Intermittent Performance Problems on
>>> > Intranet
>>> > To: "'Community support list for Wireshark'"
>>> > <wireshark-users@xxxxxxxxxxxxx>
>>> > Message-ID: <000d01c9406d$a0661f70$e1325e50$@Zuidema@xxxxxxxxxxx>
>>> > Content-Type: text/plain; charset="us-ascii"
>>> >
>>> > Spiro,
>>> >
>>> >
>>> >
>>> > Yes that is exactly what Wireshark is good for, and for a beginner
that
>>> is
>>> > an excellent place to start. You will want to capture off of a
>>> mirrored/span
>>> > port to begin with if possible. Running a live capture on the server
>>> could
>>> > use up more resources, and potentially give you a false reading. If
you
>>> have
>>> > to capture on the server, you will need to run a simultaneous capture
>>> on
>>> an
>>> > affected client as well.
>>> >
>>> >
>>> >
>>> > Take a capture and pay attention to the timing between request and
>>> response
>>> > from the server.
>>> >
>>> >
>>> >
>>> > Ryan Zuidema
>>> >
>>> >
>>> >
>>> >
>>> >
>>> >
>>> >
>>> > From: wireshark-users-bounces@xxxxxxxxxxxxx
>>> > [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Cyril
>>> Spiro
>>> > Sent: 2008-11-06 07:04
>>> > To: wireshark-users@xxxxxxxxxxxxx
>>> > Subject: [Wireshark-users] Intermittent Performance Problems on
>>> Intranet
>>> >
>>> >
>>> >
>>> > Hi, I'm a newbie to Wireshark :)
>>> >
>>> >
>>> >
>>> > Our users on our Intranet are stating that their Web Application can
>>> get
>>> > slow at times. If we run Wireshark on the Web server can we use it to
>>> > determine if the packets are being slowed down once they have gotten
in
>>> the
>>> > Web server (ie, slow database calls, etc.) versus outside of the Web
>>> server
>>> > on the network?
>>> >
>>> >
>>> >
>>> > Thanks,
>>> >
>>> > spiroc
>>> >
>>> >
>>> >
>>> > -------------- next part --------------
>>> > An HTML attachment was scrubbed...
>>> > URL:
>>> >
>>>
>>>
http://www.wireshark.org/lists/wireshark-users/attachments/20081106/7832f296
>>> > /attachment.htm
>>> >
>>> > ------------------------------
>>> >
>>> > _______________________________________________
>>> > Wireshark-users mailing list
>>> > Wireshark-users@xxxxxxxxxxxxx
>>> > https://wireshark.org/mailman/listinfo/wireshark-users
>>> >
>>> >
>>> > End of Wireshark-users Digest, Vol 30, Issue 11
>>> > ***********************************************
>>> >
>>> > _______________________________________________
>>> > Wireshark-users mailing list
>>> > Wireshark-users@xxxxxxxxxxxxx
>>> > https://wireshark.org/mailman/listinfo/wireshark-users
>>> >
>>> >
>>>
>>>
>>>
>>> --
>>> Regards, Martin
>>>
>>> MartinVisser99@xxxxxxxxx
>>>
>>>
>>> ------------------------------
>>>
>>> Message: 4
>>> Date: Mon, 10 Nov 2008 10:33:58 +0000
>>> From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
>>> Subject: Re: [Wireshark-users] Not need to save packet data
>>> To: "adisak@xxxxxxxxxxx" <adisak@xxxxxxxxxxx>, Community support list
>>> for Wireshark <wireshark-users@xxxxxxxxxxxxx>
>>> Message-ID: <3B15585E-4FAD-4399-ADF9-A4C85A46D86F@xxxxxxxxx>
>>> Content-Type: text/plain; charset="utf-8"
>>>
>>> Hi,
>>>
>>> Since Wireshark is intended for deep level packet inspection this may
>>> not be the right tool for you. Have a look at the tools page on the
>>> wiki, for instance at ntop.
>>>
>>> Thanx,
>>> Jaap
>>>
>>> Sent from my iPhone
>>>
>>> On 10 nov 2008, at 01:34, "Adisak" <adisak@xxxxxxxxxxx> wrote:
>>>
>>> > Hi all,
>>> >
>>> > I?m very new for Wireshark.
>>> >
>>> >
>>> >
>>> > I?ve download and used Wireshark on a few day ago.
>>> >
>>> > I?ll use Wireshark in my company for check the traffic of proxy serv
>>> > er.
>>> >
>>> > But, I?d like to collect only Time, IP address both source and Desti
>>> > nation, Protocol type and information only.
>>> >
>>> > Not need to save packet data, Because log file will growth big in a
>>> > shortly time.
>>> >
>>> > I?ve try to setting Wireshark for from 2 days ago but I can?t.
>>> >
>>> > Anyone have an idea for my question?
>>> >
>>> >
>>> >
>>> > P.S. I used Wireshark on windows.
>>> >
>>> >
>>> >
>>> > Best Regards,
>>> >
>>> > Adisak
>>> >
>>> >
>>> >
>>> > _______________________________________________
>>> > Wireshark-users mailing list
>>> > Wireshark-users@xxxxxxxxxxxxx
>>> > https://wireshark.org/mailman/listinfo/wireshark-users
>>> -------------- next part --------------
>>> An HTML attachment was scrubbed...
>>> URL:
>>>
>>>
http://www.wireshark.org/lists/wireshark-users/attachments/20081110/2e610c78
>>>
0081110/2e610c78/attachment.htm>
>>>
>>> ------------------------------
>>>
>>> _______________________________________________
>>> Wireshark-users mailing list
>>> Wireshark-users@xxxxxxxxxxxxx
>>> https://wireshark.org/mailman/listinfo/wireshark-users
>>>
>>>
>>> End of Wireshark-users Digest, Vol 30, Issue 17
>>> ***********************************************
>>>
>>> _______________________________________________
>>> Wireshark-users mailing list
>>> Wireshark-users@xxxxxxxxxxxxx
>>> https://wireshark.org/mailman/listinfo/wireshark-users
>>>
>>>
>>
>>
>> --
>> Regards, Martin
>>
>> MartinVisser99@xxxxxxxxx
>>
>
>
>
> --
> Regards, Martin
>
> MartinVisser99@xxxxxxxxx
>
--
Regards, Martin
MartinVisser99@xxxxxxxxx
-------------- next part --------------http://www.wireshark.org/lists/wireshark-users/attachments/20081112/d15ae00e
An HTML attachment was scrubbed...
URL:
/attachment.htmEnd of Wireshark-users Digest, Vol 30, Issue 27
------------------------------
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-users
***********************************************
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-users
--
Regards, Martin
MartinVisser99@xxxxxxxxx
- References:
- Re: [Wireshark-users] Intermittent Performance Problems
- From: Cyril Spiro
- Re: [Wireshark-users] Intermittent Performance Problems
- Prev by Date: Re: [Wireshark-users] Intermittent Performance Problems
- Next by Date: [Wireshark-users] [Urgent ] Need pcap file
- Previous by thread: Re: [Wireshark-users] Intermittent Performance Problems
- Next by thread: Re: [Wireshark-users] Intermittent Performance Problems - part 2
- Index(es):