===== Guidelines for Investigating Latency Issues with Wireshark =====

==== Initial Setup ====

  * **Load the PCAP Files**: Open Wireshark and load the provided PCAP files for both the application and database endpoints.
  * **Time Synchronisation**: Ensure the clocks on both endpoints are synchronised. If they are not, account for the time difference when analysing traffic.

==== General Analysis ====

  * **Statistics Overview**: Use ''Statistics > Summary'' to get a general overview of the capture file, including the capture duration, packet count, and average packet size.
  * **Protocol Hierarchy**: Check ''Statistics > Protocol Hierarchy'' to see the distribution of protocols. This confirms that the expected HTTP and TLS traffic is present.

==== Initial Checks ====

  * **Packet Loss**: Look for signs of packet loss. Check the ''Statistics > Conversations > TCP'' tab and look for retransmissions (display filter ''tcp.analysis.retransmission''), duplicate ACKs, or triple duplicate ACKs.
  * **TCP Window Size**: Analyse the TCP window size to ensure it is not causing a bottleneck. Use ''Statistics > TCP Stream Graphs > Window Scaling'' to visualise window sizes.
  * **Fragmentation**: Check for IP fragmentation, which can cause delays. Apply the filter ''ip.flags.mf == 1'' or ''ip.frag_offset > 0''.

==== Detailed Flow Analysis ====

  * **Identify Specific Flows**: Filter individual TCP streams to focus on single HTTP transactions. Use the ''Follow TCP Stream'' feature by right-clicking a packet within the flow and selecting ''Follow > TCP Stream''.
  * **Round Trip Time (RTT)**: Analyse the RTT to identify latency within each stream. Use ''Statistics > TCP Stream Graphs > Round Trip Time''.

==== TLS Handshake Analysis ====

  * **Check Handshakes**: Filter for ''tls.handshake'' to ensure handshakes complete without excessive delays or retries. Handshake issues can indicate problems with certificate exchange or encryption setup.
    * Do this: combine ''tls.handshake'' with ''Statistics > I/O Graphs'' to visualise handshake durations over time.
  * **TLS Record Analysis**: Investigate ''tls.record'' for any records showing errors or alerts.

==== Application Layer Checks ====

  * **HTTP Requests and Responses**: Use filters such as ''http.request'' and ''http.response'' to isolate and examine HTTP transactions. Look at the time difference between each request and its response to identify delays.
  * **HTTP Response Codes**: Check for abnormal HTTP status codes (e.g. 5xx errors), which may indicate server-side issues.

==== Correlate Data Between Endpoints ====

  * **Cross-Reference**: Compare the timestamps of key events (such as requests and responses) between the application and database PCAPs. Look for mismatches or delays that indicate where the latency is introduced.

==== Advanced Analysis (if necessary) ====

  * **Expert Info**: Use ''Analyze > Expert Information'' to view Wireshark's expert analysis of possible issues such as malformed packets or protocol violations.
  * **Custom Filters**: Create custom filters for more targeted analysis based on your findings.

==== Example Filters to Use ====

  * **Packet Loss**: ''tcp.analysis.retransmission || tcp.analysis.fast_retransmission''
  * **Window Size**: ''tcp.window_size < 1024''
  * **Fragmentation**: ''ip.flags.mf == 1 || ip.frag_offset > 0''
  * **TLS Handshake**: ''tls.handshake''
  * **HTTP Requests**: ''http.request''
  * **HTTP Responses**: ''http.response''

==== Final Steps ====

  * **Document Findings**: Keep detailed notes on what you find at each step, including any potential issues and timings.
  * **Consult with Colleagues**: Discuss findings with your team, especially if you need access to decryption keys or further insight into the application and database configurations.
  * **Follow-Up Actions**: Based on your findings, recommend actions such as server configuration changes, network optimisations, or further security reviews.
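As an added example (not part of the original guidelines), the following Python script shows how the request/response timing check and the cross-endpoint correlation described above can be scripted once the HTTP frames of both PCAPs have been exported with tshark. The tshark command in the comment is the assumed export format, the sample rows are constructed, and the 0.5 s clock skew between the two hosts is an assumption; the script subtracts that skew before comparing timestamps, which is the "account for any time differences" step from Initial Setup.

```python
from dataclasses import dataclass

# Constructed sample of tshark field output (not from a real capture), as produced by:
#   tshark -r app.pcap -Y http -T fields -e frame.time_epoch -e tcp.stream -e http.request.method -e http.response.code
# Fields are tab-separated; a field is empty when the frame lacks it.
APP_FIELDS = """\
1700000000.000\t3\tGET\t
1700000001.250\t3\t\t200
1700000002.000\t4\tPOST\t
1700000002.080\t4\t\t500
"""
# Same command on the database-side capture. Assumed for this example: the DB host's
# clock runs 0.5 s ahead of the application host's clock.
DB_FIELDS = """\
1700000000.530\t9\tGET\t
1700000001.700\t9\t\t200
1700000002.520\t10\tGET\t
1700000002.560\t10\t\t200
"""

@dataclass
class Txn:
    stream: str
    req: float   # request timestamp on the reference (application) clock
    resp: float  # response timestamp on the reference clock
    status: str

    @property
    def latency(self) -> float:
        return self.resp - self.req

def parse_transactions(text: str, clock_offset: float = 0.0) -> list:
    """Pair each request with the next response on the same tcp.stream; clock_offset
    (seconds this capture's clock is ahead) is subtracted to align both captures."""
    pending, txns = {}, []
    for line in text.splitlines():
        ts, stream, method, code = line.split("\t")
        t = float(ts) - clock_offset
        if method:                        # http.request frame opens a transaction
            pending[stream] = t
        elif code and stream in pending:  # http.response frame closes it
            txns.append(Txn(stream, pending.pop(stream), t, code))
    return txns

def attribute_latency(app_txn: Txn, db_txns: list) -> tuple:
    """Split app latency into DB round trips inside its window and the remainder."""
    inside = [d for d in db_txns if d.req >= app_txn.req and d.resp <= app_txn.resp]
    db_time = sum(d.latency for d in inside)
    return db_time, app_txn.latency - db_time
```

Run with the wrong (or no) clock offset and the database round trips fall outside the application's request/response window, so none of the latency is attributed to the database; that is the symptom to look for when the two captures seem not to line up.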