Re: Troubleshooting slow network

[Cheikhou Dramé <dramecheikhou () gmail com>]

Le 02/12/2012 22:03, Martin Visser a écrit :
> Just to be clear, 2 packets, 1ms apart IS 1000 pps - just not 
> typically valid for extrapolation that might make you t think the 
> network is busy
>
> Regards, Martin
>
> MartinVisser99 () gmail com <mailto:MartinVisser99 () gmail com>
>
>
> On 3 December 2012 08:59, Martin Visser <martinvisser99 () gmail com 
> <mailto:martinvisser99 () gmail com>> wrote:
>
>     Cheikhou,
>
>     A couple of things.
>
>     1. The packets per second column is an anomaly in this case. You
>     only have a few packets (most show 2). So the calculation of pps
>     is really going to be skewed here. (2 packets very close to each
>     other, say 1ms apart, would be interpreted as 1000 pps - clearly
>     not right).
>     2. This isn't going to tell you anything about Internet usage. You
>     are only seeing the "leaked" traffic from multicasts to your port.
>      You will need to get someway of getting the traffic on the
>     Internet link. There are a few switches available for only a few
>     hundred dollars that can do port-mirroring. Another way is to set
>     up a PC (Linux is best) in bridge mode, and run Wireshark on this
>     as it sees the traffic go by.
>
>     Regards, Martin
>
>     Regards, Martin
>
>     MartinVisser99 () gmail com <mailto:MartinVisser99 () gmail com>
>
>
>
>     On 3 December 2012 00:57, Cheikhou Dramé <dramecheikhou () gmail com
>     <mailto:dramecheikhou () gmail com>> wrote:
>
>         Le 02/12/2012 04:04, Martin Visser a écrit :
> >         Multicast on UDP port 1900 will be SSDP or now known as UPnP,
> >         Universal Plug and Play. This is just a control protocol used
> >         to discover services on the network. The traffic you see
> >         might be PC or the like advertising they have Audio/Video
> >         available, or your router advertising that a PC can use it to
> >         open up it's firewall (for games/bittorent etc).
> >
> >         As it is really just a control protocol, not for sending
> >         actual data payloads, 15K packets/sec seems very high. Are
> >         you sure this is correct. You can identify the source from
> >         the source address - which will be unique on your network -
> >         or probably in the packets themselves. (You might need to set
> >         UDP port 1900 to be decoded as SSDP).
> >
> >         When you say the network is "slow" you need to be more
> >         specific. Is this only to/from the Internet or also LAN to LAN?
> >
> >         Also don't forget that when you do a Wireshark capture on
> >         just a regular switch port - you will ONLY see your own
> >         traffic and multicast/broadcast traffic. Hence you might not
> >         be seeing the greater proportion of traffic in your network.
> >         To this you need to enable port-mirroring on your switch and
> >         use Wireshark in promiscuous mode.
> >
> >         Regards, Martin
> >
> >         MartinVisser99 () gmail com <mailto:MartinVisser99 () gmail com>
> >
> >
> >         On 1 December 2012 04:43, Cheikhou Dramé
> >         <dramecheikhou () gmail com <mailto:dramecheikhou () gmail com>> wrote:
> >
> >             port 1900
> >
> >
> >
> >         thanks for your reply. My switches can't do port-mirroring.As
> >         seen in the file i have join , you can see the traffic wich
> >         i'm talking about , the network is slow just from and to  the
> >         internet.
> >
> >
> >         ___________________________________________________________________________
> >         Sent via:    Wireshark-users mailing list<wireshark-users () wireshark org>  <mailto:wireshark-users () wireshark 
> > org>
> >         Archives:http://www.wireshark.org/lists/wireshark-users
> >         Unsubscribe:https://wireshark.org/mailman/options/wireshark-users
> >                       mailto:wireshark-users-request () wireshark org?subject=unsubscribe
>
>
>         ___________________________________________________________________________
>         Sent via:    Wireshark-users mailing list
>         <wireshark-users () wireshark org
>         <mailto:wireshark-users () wireshark org>>
>         Archives: http://www.wireshark.org/lists/wireshark-users
>         Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>                      mailto:wireshark-users-request () wireshark org
>         <mailto:wireshark-users-request () wireshark org>?subject=unsubscribe
>
>
>
>
> Hello , I have setup the firewall-transparent proxy working as gateway 
> on centos 6 and used wireshark to capture 140megabits of data.The 
> files joined is the expert composite analyse resume window. I noticed  
> that most of the errors come from 2 Macbook PC running software like 
> bittorent , dropbox and my ldap/samba server wich act a PDC on my LAN. 
> I have also search in the web for more informations about that.My 
> switchs seems to be incompatible with some devices using 
> gigabit/ethernet connexions.
>
>
> __ _________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>               mailto:wireshark-users-request () wireshark org?subject=unsubscribe

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe