Guidelines for Investigating Latency Issues with Wireshark

Initial Setup

  • Load the PCAP Files: Open Wireshark and load the provided PCAP files for both application and database endpoints.
  • Time Synchronisation: Ensure the clocks on both endpoints are synchronised. If not, account for any time differences when analysing traffic.

General Analysis

  • Statistics Overview: Use Statistics > Summary to get a general overview of the capture file, including the capture duration, packet count, and average packet size.
  • Protocol Hierarchy: Check Statistics > Protocol Hierarchy to see the distribution of protocols. This helps confirm the presence of expected HTTP and TLS traffic.

Initial Checks

  • Packet Loss: Look for signs of packet loss. Go to Statistics > Conversations > TCP tab and check for any retransmissions, duplicate ACKs, or triple duplicate ACKs.
  • TCP Window Size: Analyse the TCP window size to ensure it's not causing bottlenecks. Use Statistics > TCP Stream Graphs > Window Scaling to visualise window sizes.
  • Fragmentation: Check for IP fragmentation, which can cause delays. Apply the filter ip.flags.mf == 1 or ip.frag_offset > 0.

Detailed Flow Analysis

  • Identify Specific Flows: Filter specific TCP streams to focus on individual HTTP transactions. Use the Follow TCP Stream feature by right-clicking on a packet within the flow and selecting Follow > TCP Stream.
  • Round Trip Time (RTT): Analyse the RTT to identify latency within each stream. Use Statistics > TCP Stream Graphs > Round Trip Time.

TLS Handshake Analysis

  • Check Handshakes: Filter for tls.handshake to ensure handshakes are completing without excessive delays or retries. Handshake issues can indicate problems with certificate exchange or encryption setup.
  • TLS Record Analysis: Investigate tls.record for any records showing errors or alerts.

Application Layer Checks

  • HTTP Requests and Responses: Use filters like http.request and http.response to isolate and examine HTTP transactions. Look at the time differences between requests and responses to identify any delays.
  • HTTP Response Codes: Check for any abnormal HTTP status codes (e.g., 5xx errors), which might indicate server-side issues.

Correlate Data Between Endpoints

  • Cross-Reference: Compare timestamps of key events (like requests and responses) between the application and database PCAPs. Look for mismatches or delays that might indicate where latency is introduced.
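The request/response timing check from the Application Layer Checks section and the cross-endpoint timestamp comparison above can be made repeatable with a short script. This is an added example, not part of the original page; it assumes a tshark field export of the http.request || http.response filter (the command in the comment is one assumed way to produce it) and uses a constructed sample in place of a real capture.

```python
from collections import defaultdict, deque

# Constructed sample (not a real capture) in the shape of a tshark field export,
# assumed produced by a command like:
#   tshark -r app.pcap -Y "http.request || http.response" -T fields \
#          -e frame.time_epoch -e tcp.stream -e http.request.method -e http.response.code
SAMPLE = """\
1719137400.000100\t3\tGET\t
1719137400.004900\t3\t\t200
1719137400.010000\t5\tPOST\t
1719137400.010500\t3\tGET\t
1719137400.012300\t3\t\t200
1719137401.260000\t5\t\t503
1719137401.300000\t7\tGET\t
"""

def parse_export(text):
    """Yield (ts, stream, method, status); method/status are empty when absent."""
    for line in text.splitlines():
        if line.strip():
            ts, stream, method, status = line.split("\t")
            yield float(ts), int(stream), method, status

def pair_transactions(text, clock_offset=0.0):
    """Match each request with the next response on the same tcp.stream.

    HTTP/1.1 responses arrive in request order on a connection, so a FIFO per
    stream suffices. clock_offset (seconds) is added to every timestamp so a
    capture from an endpoint with a lagging clock can be aligned with another.
    Unanswered requests are returned with status and latency set to None.
    """
    pending = defaultdict(deque)  # stream -> queue of (request_ts, method)
    done = []
    for ts, stream, method, status in parse_export(text):
        ts += clock_offset
        if method:
            pending[stream].append((ts, method))
        elif status and pending[stream]:
            req_ts, req_method = pending[stream].popleft()
            done.append({"stream": stream, "method": req_method, "status": int(status),
                         "request_ts": req_ts, "latency": round(ts - req_ts, 6)})
    for stream, queue in pending.items():
        for req_ts, req_method in queue:
            done.append({"stream": stream, "method": req_method, "status": None,
                         "request_ts": req_ts, "latency": None})
    return done

def slow_or_failed(transactions, threshold=0.5):
    """Transactions to examine first: unanswered, slower than threshold, or 5xx."""
    return [t for t in transactions if t["latency"] is None
            or t["latency"] > threshold or (t["status"] or 0) >= 500]
```

Run the same export for the second endpoint with the measured clock_offset, then compare request_ts values for the same transaction to see which hop adds the delay.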

Advanced Analysis (if necessary)

  • Expert Info: Use Analyze > Expert Information to view Wireshark's expert analysis on possible issues like malformed packets or protocol violations.
  • Custom Filters: Create custom filters for more targeted analysis based on your findings.

Example Filters to Use

  • Packet Loss: tcp.analysis.retransmission || tcp.analysis.fast_retransmission
  • Window Size: tcp.window_size < 1024
  • Fragmentation: ip.flags.mf == 1 || ip.frag_offset > 0
  • TLS Handshake: tls.handshake
  • HTTP Requests: http.request
  • HTTP Responses: http.response

Final Steps

  • Document Findings: Keep detailed notes on what you find at each step, including any potential issues and timings.
  • Consult with Colleagues: Discuss findings with your team, especially if you need access to decryption keys or further insight into the application and database configurations.
  • Follow-Up Actions: Based on your findings, recommend actions such as server configuration changes, network optimisations, or further security reviews.
network_stuff/wireshark-troubleshoot.1719137495.txt.gz · Last modified: by jotasandoku