Summary
Overview
This course session is a hands-on workshop on network traffic analysis using Wireshark, focusing on leveraging statistical tools to identify and troubleshoot network slowness in a PCAP file. The trainer guides learners through interpreting conversation statistics, IO graphs, time sequence graphs, and round-trip time (RTT) graphs to detect anomalies such as long delays, low bitrate, TCP retransmissions, and endpoint behavior. The session emphasizes practical analysis techniques, including custom filtering, graph visualization, and correlating packet-level data with high-level performance indicators. The goal is to equip learners with the ability to move beyond raw packet inspection to structured, tool-driven network diagnostics.
Topic (Timeline)
1. Introduction to Statistics Tool and Conversation Analysis [00:00:01 - 00:05:16]
- Trainer introduces the Statistics > Conversation tool in Wireshark as a starting point for traffic analysis.
- Learners are instructed to examine a PCAP file (“pre-lap slow network”) and identify key traffic patterns: two IP addresses (172.16.0.13 as client, 10.0.0.100 as server), TCP/HTTP protocol usage, and absence of UDP.
- Learners are asked to observe three distinct MAC addresses for only two IP addresses, prompting investigation into potential IP conflicts or device misconfiguration.
- Emphasis on correlating packet timing (e.g., 20-second gap between packets) with perceived application slowness (“screaming slow”).
- Initial hypothesis: Application-level delay, not network congestion, is the root cause due to long server response time despite small data size (79 KB total).
2. Identifying Network Anomalies via Conversation Statistics [00:05:42 - 00:14:45]
- Learners share observations: long duration (114–156 seconds), low bitrate (1737–2750 bps), and zero bytes from server to client (B→A).
- Trainer confirms key findings:
- Zero B→A traffic: Indicates server did not respond, suggesting firewall, routing, or application failure.
- Low bitrate: Suggests network congestion, link limitations, or retransmissions.
- Long duration: Incompatible with small data size, indicating application or connection stall.
- Hypotheses for root causes: IP conflict (duplicate IPs with unique MACs), firewall filtering, network misconfiguration, or unidirectional logging.
- Suggested troubleshooting: Validate MAC addresses, use filters (e.g., tcp.analysis.retransmission), ping/traceroute to the endpoint, verify endpoint rules.
3. Packet Summary and Statistical Validation [00:21:08 - 00:23:22]
- Trainer validates total packet count (123), byte size (79 KB), and duration (156 seconds) against Conversation statistics.
- Confirms consistency between packet list and summary views.
- Reinforces that Conversation tool provides a high-level summary to avoid manual packet-by-packet inspection.
- Introduces quiz to reinforce concepts from previous and current lesson.
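The per-conversation figures validated in sections 2 and 3 (bytes in each direction, duration, bitrate, and the long inter-packet gap) can be recomputed from a packet list. The following Python is an added example, not course material: PACKETS is a constructed sample rather than the course PCAP, and the gap and bitrate thresholds in flag_anomalies are illustrative assumptions.

```python
# Added example: recompute Statistics > Conversations figures from a packet list.
# PACKETS is a constructed sample, not the course PCAP; the addresses match the
# capture discussed (172.16.0.13 client, 10.0.0.100 server). Each record is
# (timestamp_s, src_ip, dst_ip, frame_length_bytes).
PACKETS = [
    (0.000, "172.16.0.13", "10.0.0.100", 74),    # SYN
    (0.010, "10.0.0.100", "172.16.0.13", 74),    # SYN/ACK
    (0.011, "172.16.0.13", "10.0.0.100", 66),    # ACK
    (0.020, "172.16.0.13", "10.0.0.100", 300),   # HTTP GET
    (0.120, "10.0.0.100", "172.16.0.13", 1514),  # first data segment
    (0.121, "172.16.0.13", "10.0.0.100", 66),    # ACK
    (20.500, "10.0.0.100", "172.16.0.13", 900),  # data after a 20 s pause
    (20.501, "172.16.0.13", "10.0.0.100", 66),   # ACK
]

def conversations(packets):
    """Group packets into IPv4 conversations keyed by the unordered address pair.

    Address A is the source of the first packet seen for the pair, as in
    Wireshark, so A->B is the client's direction in a client-initiated flow.
    """
    convs = {}
    for ts, src, dst, length in sorted(packets):
        c = convs.setdefault(frozenset((src, dst)), {
            "a": src, "b": dst, "packets": 0, "bytes": 0, "a_to_b_bytes": 0,
            "b_to_a_bytes": 0, "start": ts, "end": ts, "max_gap": 0.0})
        c["packets"] += 1
        c["bytes"] += length
        c["a_to_b_bytes" if src == c["a"] else "b_to_a_bytes"] += length
        c["max_gap"] = max(c["max_gap"], ts - c["end"])  # gap since previous packet
        c["end"] = ts
    for c in convs.values():
        c["duration"] = c["end"] - c["start"]
        # bitrate over the conversation's lifetime, in bits per second
        c["bps"] = c["bytes"] * 8 / c["duration"] if c["duration"] > 0 else 0.0
    return list(convs.values())

def flag_anomalies(conv, gap_threshold_s=5.0, low_bps=10_000):
    """Attach the session's interpretations; both thresholds are illustrative."""
    flags = []
    if conv["b_to_a_bytes"] == 0:
        flags.append("zero B->A bytes: no reply from server (firewall, routing or app failure)")
    if conv["bps"] < low_bps:
        flags.append(f"low bitrate ({conv['bps']:.0f} bps): stall, congestion or retransmissions")
    if conv["max_gap"] >= gap_threshold_s:
        flags.append(f"{conv['max_gap']:.1f} s gap between packets: application-level delay")
    return flags
```

Running flag_anomalies over the sample reports both the low bitrate and the 20 s gap, the same two signals the trainer ties to the perceived slowness.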
4. Wireshark Customization and Profile Management [00:23:24 - 00:32:11]
- Quiz questions cover:
- Purpose of the Time column: Shows arrival time of each packet, not current time.
- Adding custom columns: To highlight critical fields (e.g., sequence number, ACK number) for faster analysis.
- Use of profiles: To save and reuse custom column layouts, coloring rules, and display filters.
- Method to add custom columns: Right-click → “Apply as Column” or via Edit → Preferences → Columns.
- Emphasizes that profiles store all user customizations (not just filters), enabling consistent analysis across sessions.
5. Introduction to IO Graphs and Traffic Pattern Analysis [00:34:12 - 00:54:43]
- Trainer introduces IO Graphs (Input/Output Graphs) to visualize packet rate over time.
- Key settings: 1-second interval, X-axis = time (seconds), Y-axis = packets per second.
- Observations from IO Graph:
- Spike (15–20s): ~50 packets/sec — indicates bursty data transfer.
- Quiet period (25–150s): Near-zero activity — suggests connection stall or server unresponsiveness.
- TCP errors (tcp.analysis.retransmission): Visible as spikes, indicating retransmissions, out-of-order packets, or zero-window conditions.
- Learners are instructed to customize IO Graph with display filters (e.g., tcp.analysis.retransmission, tcp.flags.syn==1) and export as PDF/JPEG for reporting.
- Emphasizes that IO Graphs reveal traffic behavior patterns invisible in raw packet lists.
6. Endpoints and Top Talker Identification [00:58:58 - 01:14:40]
- Introduces Endpoints tool to identify top talkers (devices sending/receiving most data).
- Compares Endpoints vs. Conversation: Endpoints show per-device stats; Conversation shows per-pair flows.
- Analysis: 172.16.0.13 (client) is the most active endpoint (highest packet and byte count), despite only two IP addresses.
- Notes: Two different MAC addresses associated with 10.0.0.100 (server) — suggests possible IP conflict or NAT/misconfiguration.
- Alternative: Use “Destination and Ports” to see per-port traffic, but caution that it may mislead if IP conflicts exist.
7. TCP Time Sequence Graph and Sequence/Acknowledgment Numbers [01:14:42 - 01:44:06]
- Uses TCP Time Sequence Graph to visualize data flow over time:
- X-axis: Time (seconds)
- Y-axis: TCP sequence number (bytes sent)
- Key observations:
- Steady data transfer (0–25s), then abrupt stop — server stopped sending.
- Green lines = client ACKs; black lines = server data.
- Server sent 68 packets (63.5 KB), client sent 55 ACKs.
- Explains sequence number (first byte in segment) and acknowledgment number (next expected byte).
- Analogy: Sequence number = page number in a book; ACK = “I read up to page X, send page X+1.”
- Highlights: Large jump in sequence number (e.g., 1 → 1461) indicates packet fragmentation or retransmission due to size limits.
8. Round Trip Time (RTT) Graph and Network Stability [01:49:12 - 02:02:33]
- Introduces RTT graph: measures time for packet to go to server and return (in milliseconds).
- Key observations:
- Sharp RTT spikes (22–23s): 60ms+ delays — indicates retransmission, server processing delay, or packet loss.
- Unstable slope: Inconsistent RTT — suggests network jitter or congestion.
- Long idle (69–114s): Client sends TCP keep-alive; server responds only after delay — indicates application hang or resource exhaustion.
- Concludes: RTT instability + long idle + retransmissions = clear signs of network slowness and server-side issues.
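The sequence/ACK relationship from section 7 and the RTT sampling from section 8 can be reproduced over a packet list. The following Python is an added example, not course material: SEGMENTS is a constructed server-to-client exchange rather than the course PCAP, and the 1.5x-median spike threshold in rtt_spikes is an assumption for illustration.

```python
# Added example: sequence/ACK bookkeeping behind the Time Sequence and RTT graphs.
# SEGMENTS is constructed, not taken from the course PCAP. Each record is
# (timestamp_s, sender, relative_seq, payload_len, relative_ack); the server's
# data steps by one full 1460-byte segment (1 -> 1461 -> 2921), as in the session.
SEGMENTS = [
    (0.100, "server", 1, 1460, 1),
    (0.101, "server", 1461, 1460, 1),
    (0.140, "client", 1, 0, 1461),     # "read up to 1460, send 1461"
    (0.141, "client", 1, 0, 2921),
    (0.200, "server", 2921, 1460, 1),
    (0.450, "server", 2921, 1460, 1),  # same seq sent again: retransmission
    (0.460, "client", 1, 0, 4381),
    (22.000, "server", 4381, 500, 1),
    (22.065, "client", 1, 0, 4881),    # acknowledged 65 ms later: an RTT spike
]

def analyze_flow(segments, data_sender="server"):
    """Return (retransmitted_indices, rtt_samples).

    A data segment whose seq is below the highest seq already sent is counted as
    a retransmission (what tcp.analysis.retransmission flags). Each new segment's
    RTT is the time until the peer's first ACK covering its last byte; segments
    that were retransmitted give ambiguous samples and are skipped (Karn's rule).
    """
    next_seq = None      # sequence number the sender should use next
    unacked = []         # (seq_end, sent_at) for segments awaiting an ACK
    retrans, rtts = [], []
    for i, (ts, sender, seq, length, ack) in enumerate(segments):
        if sender == data_sender and length > 0:
            end = seq + length
            if next_seq is not None and seq < next_seq:
                retrans.append(i)
                unacked = [u for u in unacked if u[0] != end]  # drop ambiguous sample
                continue
            next_seq = end
            unacked.append((end, ts))
        elif sender != data_sender:
            # an ACK of N acknowledges every outstanding segment ending at or before N
            acked = [u for u in unacked if u[0] <= ack]
            unacked = [u for u in unacked if u[0] > ack]
            rtts.extend((ts, ts - sent_at) for _, sent_at in acked)
    return retrans, rtts

def rtt_spikes(rtts, factor=1.5):
    """Samples well above the median RTT; the factor is an illustrative threshold."""
    if not rtts:
        return []
    values = sorted(rtt for _, rtt in rtts)
    median = values[len(values) // 2]
    return [(ts, rtt) for ts, rtt in rtts if rtt > factor * median]
```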
9. Wrap-up and Transition to Lab [02:02:33 - 02:14:15]
- Trainer confirms session covered: Conversation, IO Graph, Endpoints, Time Sequence, RTT.
- Prepares learners for next session: a 10+ question lab requiring independent use of all statistical tools to diagnose issues.
- Notes: Next session will be more interactive, with learners performing analysis and sharing findings.
- Session ends with lunch break announcement.
Appendix
Key Principles
- Conversation Tool: Best for identifying communication pairs (client/server) and total traffic volume.
- IO Graph: Reveals traffic bursts, idle periods, and TCP errors over time.
- Endpoints: Identifies top talkers; essential when IP conflicts or multiple devices share an IP.
- Time Sequence Graph: Visualizes data flow and sequence/ACK behavior; critical for detecting retransmissions and stalls.
- RTT Graph: Measures network latency stability; spikes indicate congestion, retransmission, or server delay.
Tools Used
- Wireshark Statistics: Conversation, IO Graph, Endpoints, TCP Time Sequence, RTT Graph
- Display Filters: tcp.analysis.retransmission, tcp.flags.syn==1, tcp.analysis.duplicate_ack
- Export Formats: PDF, JPEG/PNG for reporting
Common Pitfalls
- Confusing MAC address count with IP address count — may indicate IP conflict.
- Misinterpreting “zero B→A” as network failure, when it may be application-level stall.
- Overlooking the difference between sequence number (what’s being sent) and acknowledgment number (what’s been received).
- Using “Destination and Ports” without considering IP conflicts — can lead to incorrect top talker identification.
Practice Suggestions
- Practice customizing IO Graphs with multiple filters (e.g., TCP retransmission + HTTP) and export for reports.
- Add sequence and ACK columns to packet list for every analysis.
- Use “Zero” key to reset graph view during exploration.
- Compare statistics before and after applying display filters to understand impact.
- Simulate IP conflicts in lab environment to observe MAC/IP mismatches.