Packet Foo | Analyzing network packets since 2003

How millisecond delays may kill database performance

Jasper
18/9/2014
Coding, Packet Capture, TCP Analysis, Wireshark
12 Comments

Mike, an old buddy of mine is one of the best database application development consultants I have ever met. We worked together for the same company for a couple of years before I got into network analysis and he started his own company. A couple of months ago I found out that there was going to be a conference in my home town where Mike was on the organization team. After a friendly banter on Twitter about him having to come to my city (Düsseldorf; which guys from Cologne like Mike don’t like ;-)) he told me that I should turn in a proposal for a talk. I said I could do that, but not on any database development topic – but maybe a generic network application performance talk might be interesting for those guys attending. So I did, and it got refused, despite Mike advocating for me. Darn.

Well, it’s a nice topic for a blog post nonetheless. So here we go.

The trouble with multiple capture interfaces

The PCAPng file format

Starting with Wireshark 1.8, the old PCAP format was replaced by PCAPng as the new default file format for packet captures. I have to admit that I may be one of the people to blame for this – at the end of Sharkfest 2011 we had a panel discussion with Gerald and some other guys when the topic of PCAPng support came up.

TCP Expert Updates in Wireshark 1.12

Wireshark 1.12 has just arrived, and of course the first thing to do is to download and install the new version. The second thing to do should be to read the release notes.Nobody seems to do it, but everybody should. Okay, before I get to the TCP expert thing, let’s see why release notes are important.

Determining TCP Initial Round Trip Time

I was sitting in the back in Landis TCP Reassembly talk at Sharkfest 2014 (working on my slides for my next talk) when at the end one of the attendees approached me and asked me to explain determining TCP initial RTT to him again. I asked him for a piece of paper and a pen, and coached him through the process. This is what I did.

Wireshark File Storage

Sometimes it is important to know how Wireshark captures packets, and when it is writing them to disk. One of the common questions is “how can I avoid writing packets to disk, and just capture them in memory?”.

Sharkfest 2014 Recap

Sharkfest 2014 is over, and once again it was an amazing conference. It was probably the best of them for me, for a number of reasons:

The drawbacks of local packet captures

Probably the most common way of capturing network data is not a decision between SPAN or TAP – it is Wireshark simply being installed on one of the computers that need to be analyzed. While this an easy way to capture network packets it is also an easy way to get “wrong” results, because there are a lot of side effects when capturing packets directly on a computer. I discussed a lot of these side effects in my Sharkfest 2013 talk “PA-14: Top 5 False Positives” already, but let’s go check them out again.

TCP Server slamming the door

After doing a lot of analysis sessions on TCP connections there are some patterns that you see again in a trace every once in a while. And often it comes in handy to remember what the situation was and what the circumstances were that led to the trace showing what it did.

IPv6 DHCP flood

A few days ago I took a capture for some reason and saw something unexpected that had nothing to do with what I wanted to check: there were tons and tons of DHCPv6 packets trying to renew an IPv6 address in a never ending stream of packets, and really fast, too.

A creative way of refusing connections

A few days ago, Olli, one of our team members, sent me a funny trace that he’d taken while configuring the security settings on a Netoptics Bypass kit. This device has an SNMP and HTTP management service, and when he disabled the HTTP service he verified if the setting was accepted (like you should). Usually, there would either be a Reset packet coming back when a SYN is sent, or no answer at all. To his surprise, the device behaved a little different than expected.

3 456 7

How millisecond delays may kill database performance

The trouble with multiple capture interfaces

The PCAPng file format

TCP Expert Updates in Wireshark 1.12

Determining TCP Initial Round Trip Time

Wireshark File Storage

Sharkfest 2014 Recap

The drawbacks of local packet captures

TCP Server slamming the door

IPv6 DHCP flood

A creative way of refusing connections

Downloads

Recent Comments

Recent Posts

Archives

Meta

Rechtliches