presentation title presentation date - wireshark · •worked example –get into some packets ......
TRANSCRIPT
SharkFest'17 US • Carnegie Mellon University • June 19-22, 2017
SharkFest'17 USWorkflow-based Analysis of Wireshark Traces
Paul OffordProject Leader, TribeLab
Now we can all be experts
SharkFest'17 US • Carnegie Mellon University • June 19-22, 2017
Agenda
• Recurring Gray Problems
• Principles and objectives of our approach
• Performance problem scenarios
• Performance analysis concepts
• Analysis strategy
• Worked example – get into some packets
• Q&A
SharkFest'17 US • Carnegie Mellon University • June 19-22, 2017
The Issue
Recurring
Gray
Problem
It keeps happening
The causing technology is unknown
PerformanceError
Incorrect output
“It must be
the network”
SharkFest'17 US • Carnegie Mellon University • June 19-22, 2017
The Challenge
Recurring
Gray
Problem
Ongoing
Problem
• Static cause
• Recreate
• Short capture
• Easy analysis
• Transient cause
• Can’t recreate
• Long-term capture
• Challenging analysis
SharkFest'17 US • Carnegie Mellon University • June 19-22, 2017
Analysis Principles
We look at one symptom at a time
We study a specific instance of that symptom
We capture live problems
Produce irrefutable evidence of the cause
SharkFest'17 US • Carnegie Mellon University • June 19-22, 2017
Analysis Objective
WAN Server
Server
Server
AA
PCWAN
Accel
WAN
Accel
A
A
1.0s
0.2s 0.2s0.3s 0.1s
0.4s
12.8s
User
experiences
15s
response time
APacket capture units
(dumpcap, NetShark, etc.)
The problem
is here
SharkFest'17 US • Carnegie Mellon University • June 19-22, 2017
Incre
asin
g T
ime o
f Day
Process-to-Process Communication
Web ServerBrowser
Network
Application
Request
Application
Response
Serv
ice
Tim
e
AP
DU
Response
Tim
eNB: Application
messages
(APDUs) not
packets
SharkFest'17 US • Carnegie Mellon University • June 19-22, 2017
Client-Service Chains
Web Server
Fileserver
Browser
NetworkC CS
S
DatabaseC
S
SharkFest'17 US • Carnegie Mellon University • June 19-22, 2017
Slow Response – Scenario 1
Web ServerBrowser
Network
Database
9.8 s
9.3 s
10 s
APDU Req
APDU Rsp
APDU Req
APDU Rsp
APDU Req
APDU Rsp
Mouse Click
Page
Rendered
0.1 s 0.4 s 9.4 s
0.1 s
9.9 s
0.1 s
SharkFest'17 US • Carnegie Mellon University • June 19-22, 2017
Slow Response – Scenario 2
Web ServerBrowser
Network
Database
9.8 s10 s
APDU Req
APDU Rsp
APDU Req
APDU Rsp
APDU Req
APDU Rsp
Mouse Click
Page
Rendered
0.1 s 9.6 s 0.2 s
0.1 s
9.9 s
0.1 s
0.1 s
SharkFest'17 US • Carnegie Mellon University • June 19-22, 2017
Slow Response – Scenario 2b
Web ServerBrowser
NetworkData
base
9.8 s 9.2 s10 s
APDU Req
APDU Rsp
APDU Req
APDU Rsp
APDU Req
APDU Rsp
Mouse Click
Page
Rendered
0.1 s 0.4 s
0.2 s
0.1 s
9.9 s
0.1 s
0.1 s
APDU Req
APDU Rsp
Web
Svc
9.2 s
SharkFest'17 US • Carnegie Mellon University • June 19-22, 2017
Slow Response – Scenario 3
Web ServerBrowser
Network
Database
0.6 s
10 s
APDU Req
APDU Rsp
APDU Req
APDU Rsp
APDU Req
APDU Rsp
Mouse Click
Page
Rendered
9.3 s 0.2 s 0.4 s
0.1 s
0.7 s
0.1 s
0.1 s
SharkFest'17 US • Carnegie Mellon University • June 19-22, 2017
Slow Response – Scenario 4
Web ServerBrowser
Network
Database
0.6 s
10 s
APDU Req
APDU Rsp
APDU Req
APDU Rsp
APDU Req
APDU Rsp
Mouse Click
Page
Rendered
0.1 s 0.2 s 0.4 s
0.1 s
9.9 s
9.3 s
0.1 s
Retransmissions
SharkFest'17 US • Carnegie Mellon University • June 19-22, 2017
Multi-tier Correlation
SharkFest'17 US • Carnegie Mellon University • June 19-22, 2017
APDU vs. PacketsRequest APDU
Response APDU
tcp.port==80 && tcp.len>0
SharkFest'17 US • Carnegie Mellon University • June 19-22, 2017
Response Time Element (RTE) Model
Web ServerBrowser
Network
Database
Mouse Click
Page
Rendered
ClientTime Service Time
Request Spread
Response Spread
APDU Response Time
APDU Req – Part aAPDU Req – Part b
APDU Req – Part cAPDU Req – Part d
APDU Rsp – Part αAPDU Rsp – Part β
APDU Rsp – Part γ
Data Packetstcp.len>0
SharkFest'17 US • Carnegie Mellon University • June 19-22, 2017
TRANSUM and RTE
• TRANSUM is a Wireshark plugin
• Standard in Wireshark 2.4 (mid-late July)
• TribeLab Plugin for Wireshark 2.2
SharkFest'17 US • Carnegie Mellon University • June 19-22, 2017
RTE Data
TRANSUM
adds a new
decode section
SharkFest'17 US • Carnegie Mellon University • June 19-22, 2017
RTE Summary
• APDU Response Time• Client perspective
• Big number = There‘s a problem
• Service Time• Service perspective
• Big number = There‘s a problem with the service
• Spread Time• Network perspective
• Big number = There‘s a problem with the network
SharkFest'17 US • Carnegie Mellon University • June 19-22, 2017
Simple Analysis Strategy
• No high APDU Response Times• Problem in the client program
• High Service Time• Confirm with matching traces
• Translate data into something meaningful to service owner
• Hit the service owner with the facts
• High Spread Time• Focus in the problem time frame
• Use techniques a la Betty, Chris, Hansang, Jasper, Kary, Laura, etc.
SharkFest'17 US • Carnegie Mellon University • June 19-22, 2017
Before we continue…
Questions?
SharkFest'17 US • Carnegie Mellon University • June 19-22, 2017
Introducing
Workbench
SharkFest'17 US • Carnegie Mellon University • June 19-22, 2017
Workbench
•Any data
•Any tool
•Expert guidance
• In dev - Free trial
•FOC Community
Edition
•Large volume
filtering
•Marker finder
•Transformation
•Packet matching
•Side-by-side
analysis
SharkFest'17 US • Carnegie Mellon University • June 19-22, 2017
Workbench
Main Features
SharkFest'17 US • Carnegie Mellon University • June 19-22, 2017
Workflows
• Model work practices
• Adds context
• Adapts
SharkFest'17 US • Carnegie Mellon University • June 19-22, 2017
Sharing Workflows
Library
Community
TribeLab
3rd Parties
• Private
• Private and shared with colleagues
• Public
In
Development
SharkFest'17 US • Carnegie Mellon University • June 19-22, 2017
Now for the Main Course
Use Case
SharkFest'17 US • Carnegie Mellon University • June 19-22, 2017
Video
The Symptom
SharkFest'17 US • Carnegie Mellon University • June 19-22, 2017
Configuration
Database
Browser
IE
MS-SQL
Network App/Web
Server
192.168.10.81
192.168.3.78
IIS
File ServerSMB2
192.168.3.79
SharkFest'17 US • Carnegie Mellon University • June 19-22, 2017
And now…
Analyze the Data
SharkFest'17 US • Carnegie Mellon University • June 19-22, 2017
tcp.len = 588 bytes
tcp.len = 1,460 bytes
tcp.len = 5,120
TCP Segmentation Offload (TSO)
PC or
Server
Process
EthernetSwitch PC or Server
NIC
TCP
IPEth
tcp.len = 1,460 bytes
tcp.len = 1,460 bytes
tcp.len = 1,460 bytes
tcp.len = 740 bytes
tcp.len = 1,460 bytes
tcp.len = 588 bytes
TCP
IPDrv
Without
Large Receive Offload
(LRO)
SharkFest'17 US • Carnegie Mellon University • June 19-22, 2017
Summary• Recurring gray problems – “It’s the network”
• Analyzing the packet volumes is challenging
• Markers help a lot – see Matthew York, SF16
• Most applications - Request-Response pattern
• TRANSUM allows top-down performance analysis
• Workflow approach - fast, accurate & consistent
• Workbench platform allows sharing of workflows
SharkFest'17 US • Carnegie Mellon University • June 19-22, 2017
Contact
• Paul Offord
• P +44 (0) 1279 211 668
• W www.tribelab.com
• T @paulofforda7
Contact