Troubleshooting Tips and Tricks

Similar documents

T2-6: Trace File Analysis - The Elephant Coming From Behind: Full Window, Window Update and TCP Keep-Alive s

Network Security: Workshop. Dr. Anat Bremler-Barr. Assignment #2 Analyze dump files Solution Taken from

Expert Reference Series of White Papers. Troubleshooting Slow Networks with Wireshark

COMP 3331/9331: Computer Networks and Applications. Lab Exercise 3: TCP and UDP (Solutions)

Network Forensics Network Traffic Analysis

CYBER ATTACKS EXPLAINED: PACKET CRAFTING

Sample Network Analysis Report

B-2 Analyzing TCP/IP Networks with Wireshark. Ray Tompkins Founder of Gearbit

Question: 3 When using Application Intelligence, Server Time may be defined as.

TCP SYN Flood - Denial of Service Seung Jae Won University of Windsor wons@uwindsor.ca

TCP Performance Management for Dummies

Looking for Trouble: ICMP and IP Statistics to Watch

Solution of Exercise Sheet 5

How do I get to

Visualizations and Correlations in Troubleshooting

Pig Laboratory. Additional documentation for the laboratory. Exercises and Rules. Tstat Data

Troubleshooting TCP/IP Networks with Wireshark

Mobile Communications Chapter 9: Mobile Transport Layer

Transport Layer Protocols

Using IPM to Measure Network Performance

Wireshark Developer and User Conference

CSE 473 Introduction to Computer Networks. Exam 2 Solutions. Your name: 10/31/2013

Lab Exercise SSL/TLS. Objective. Requirements. Step 1: Capture a Trace

Lab Conducting a Network Capture with Wireshark

Lab Exercise SSL/TLS. Objective. Step 1: Open a Trace. Step 2: Inspect the Trace

Applications. Network Application Performance Analysis. Laboratory. Objective. Overview

TCP and Wireless Networks Classical Approaches Optimizations TCP for 2.5G/3G Systems. Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme

Attack Lab: Attacks on TCP/IP Protocols

CIT 380: Securing Computer Systems

This sequence diagram was generated with EventStudio System Designer (

Application Performance Analysis and Troubleshooting

Hands-on Network Traffic Analysis Cyber Defense Boot Camp

Configuring TCP Intercept (Preventing Denial-of-Service Attacks)

Network and Services Discovery

Introduction to Firewalls Open Source Security Tools for Information Technology Professionals

Packet Capture and Expert Troubleshooting with the Viavi Solutions T-BERD /MTS-6000A

Network Security TCP/IP Refresher

Kepware Technologies Using Wireshark for Ethernet Diagnostics

Introduction to Network Security Lab 1 - Wireshark

Module 1: Reviewing the Suite of TCP/IP Protocols

Basic Networking Concepts. 1. Introduction 2. Protocols 3. Protocol Layers 4. Network Interconnection/Internet

TCP/IP Optimization for Wide Area Storage Networks. Dr. Joseph L White Juniper Networks

USING WIRESHARK TO CAPTURE AND ANALYZE NETWORK DATA

Life of a Packet CS 640,

MONITORING OF TRAFFIC OVER THE VICTIM UNDER TCP SYN FLOOD IN A LAN

Secure SCTP against DoS Attacks in Wireless Internet

Policy Based Forwarding

Port Scanning. Objectives. Introduction: Port Scanning. 1. Introduce the techniques of port scanning. 2. Use port scanning audit tools such as Nmap.

Voice over IP. Demonstration 1: VoIP Protocols. Network Environment

Measuring IP Performance. Geoff Huston Telstra

COMP416 Lab (1) Wireshark I. 23 September 2013

Overview of TCP/IP. TCP/IP and Internet

Internet Firewall CSIS Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS net15 1. Routers can implement packet filtering

CS5008: Internet Computing

Host Fingerprinting and Firewalking With hping

Lab Characterizing Network Applications

High-Speed TCP Performance Characterization under Various Operating Systems

Prefix AggregaNon. Company X and Company Y connect to the same ISP, and they are assigned the prefixes:

La couche transport dans l'internet (la suite TCP/IP)

Port Scanning and Vulnerability Assessment. ECE4893 Internetwork Security Georgia Institute of Technology

19. Exercise: CERT participation in incident handling related to the Article 13a obligations

Chapter 4 Restricting Access From Your Network

Connect the Host to attach to Fast Ethernet switch port Fa0/2. Configure the host as shown in the topology diagram above.

Chapter 3 Restricting Access From Your Network

Lab Module 3 Network Protocol Analysis with Wireshark

Network support for TCP Fast Open. Christoph Paasch

ITTC Communication Networks Laboratory The University of Kansas EECS 780 Introduction to Protocol Analysis with Wireshark

Course Title: Penetration Testing: Security Analysis

Network Probe. Figure 1.1 Cacti Utilization Graph

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

Large-Scale TCP Packet Flow Analysis for Common Protocols Using Apache Hadoop

DOSarrest Security Services (DSS) Version 4.0

TCP Packet Tracing Part 1

Guide to Network Defense and Countermeasures Third Edition. Chapter 2 TCP/IP

DOSarrest Security Services (DSS) Version 4.0

Mike Canney. Application Performance Analysis

Using TrueSpeed VNF to Test TCP Throughput in a Call Center Environment

Ignoring the Great Firewall of China

Passive Network Traffic Analysis: Understanding a Network Through Passive Monitoring Kevin Timm,

DOORKING SYSTEMS 1830 SERIES NETWORK WORKSHOP LAN APPLICATIONS ACCESS CONTROL SOLUTIONS LOCAL AREA NETWORK (LAN) CONNECTION REV 04.

IP Filter/Firewall Setup

1. MOXA NPort Express TCP/IP to RS-232 server

I3: Maximizing Packet Capture Performance. Andrew Brown

Chapter 8 Security Pt 2

Application-Centric Analysis Helps Maximize the Value of Wireshark

Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP

JUNOS DDoS SECURE. Advanced DDoS Mitigation Technology

Lab Exercise Objective. Requirements. Step 1: Fetch a Trace

tcpcrypt Andrea Bittau, Dan Boneh, Mike Hamburg, Mark Handley, David Mazières, Quinn Slack Stanford, UCL

Computer Networking LAB 2 HTTP

How To Protect A Dns Authority Server From A Flood Attack

Customer Tips. Network Packet Analyzer Tips. for the user. Purpose. Introduction to Packet Capture. Xerox Multifunction Devices.

TCP/IP Networking for Wireless Systems. Integrated Communication Systems Group Ilmenau University of Technology

CS155 - Firewalls. Simon Cooper <sc@sgi.com> CS155 Firewalls 22 May 2003

Transcription:

Troubleshooting Tips and Tricks for TCP/IP Networks June 16, 2011 Laura Chappell Founder Chappell University/Wireshark University laura@chappellu.com SHARKFEST 11 Stanford University June 13 16, 2011

The Top 10 Issues 1. Packet loss 2. Client, server and wire latency 3. Window scaling issues (RFC 1323) 4. Service response issues and application behavior 5. Network design issues (wired/wireless) 6. Path issues (such as QoS) 7. Itty Bitty Stinking Packets (Low MSS Value) 8. Fragmentation 9. Timing problems 10. Interconnecting devices copyright chappellseminars.com

Hot Tips for TCP/IP Troubleshooting Build a troubleshooting profile* Recolor Window Update packets to green background (should not be Bad TCP coloring) Filter on ports, not protocols (e.g., use tcp.port==80 rather than http) Always watch the time column some networking is just ugly Watch for both Retransmissions and Fast Retransmissions in the Expert** * See Laura s Lab Kit v10 ** as noted in the session filter on tcp.analysis.retransmissions will show both standard and fast retransmissions!

Hot Tips for TCP/IP Troubleshooting Recognize a short TCP handshake data is contained in the third handshake packet Expand the Conversation window to view Duration Enable TCP Conversation Timestamps (TCP protocol setting) column? Click through the IO Graph Don t troubleshoot red herrings Know the definition of each TCP analysis flag Watch the handshakes! * See Laura s Lab Kit v10

Your TCP/IP Troubleshooting Profile ISO image online at lcuportal2.com SHARKFEST 11 Stanford University June 13 16, 2011

The All Important Handshake Focus on: Window Size Options

TCP Options www.iana.org/assignments/tcp parameters/tcp parameters.xml

The Ideal Handshake MSS is decent size Window Scaling is enabled and shift factor is OK (watch out for a shift factor of 0) SACK is enabled Timestamp is on for high speed links (PAWS) Taken at client, the RTT is acceptable

PAWS (RFC 1323) Protection Against Wrapped Sequence Numbers

The Problem Handshake #1 Switch Router MSS 1460 WinScale x4 SACK MSS 1460 WinScale x1 SACK Mike

The Problem Handshake #1 Uh oh only 500 bytes receive buffer space Your I ll stop WinScale sending x1 Switch Router Ack WinSize: 500 (x4) Mike WinScale x4

The Problem Handshake #2 MSS 1460 WinScale x4 (You don t SACK so I won t either) Switch Router MSS 1460 WinScale x4 SACK MSS 1460 WinScale x4 Mike

Let s Analyze a Problem 10.3.8.209 NAT/Firewall Load Balancer 10.3.8.109 10.0.61.179 Mike 10.10.10.1

Let s Analyze a Problem tcp-problem-pointa.pcap tcp-problem-pointc.pcap NAT/Firewall Load Balancer Mike tcp-problem-pointb.pcap

Connection at Point A SYN SYN/ACK NAT/Firewall Load Balancer Mike

Connection at Point B SYN SYN/ACK NAT/Firewall Load Balancer Mike

Connection at Point C SYN SYN/ACK NAT/Firewall Load Balancer Mike

The Beliefs NAT/Firewall My WinScale x256 131,840 bytes Mike

The Beliefs Switch NAT/Firewall Switch Your WinScale x1 515 bytes available Mike

What About this Issue?

Use Wireshark TCP Analysis Flags tcp.analysis.flags tcp.analysis.lost_segment tcp.analysis.retransmission tcp.analysis.fast_retransmission tcp.analysis.duplicate_ack tcp.analysis.out_of_order tcp.analysis.window_full tcp.analysis.zero_window

BTW: TCP Preferences Change Change to relative sequence numbers setting

BTW: Using a Heuristic Dissector EtherType = 0800 (IP) IP: Type = 6 (TCP) TCP: Port = 80 (HTTP) HTTP Dissector

Coloring Rules Questions? laura@chappellu.com (download the ISO of LLK10 at lcuportal.com)