• Telecommunications Consulting

    Telecommunications Consulting

    Consulting Services from Network Design to Project Management Read More
  • Internetworking Training Experts

    Internetworking Training Experts

    Click on Training and then Courses. Read More
  • Wireshark Experts

    Wireshark Experts

    Packet analysis expertise is critical in today's networks, and being able to use the best packet analyzer application is a skill we can help you and your team attain. Read More
  • Are you a Network Scientist?

    Are you a Network Scientist?

    Online Learning, Instructor Led in person or Web-based delivery. Check out our online school. Read More
  • Online Certification Training

    Online Certification Training

    Find out about our Network Self Certification Program for Rural Service Providers here! Read More
  • IPv6 Experts

    IPv6 Experts

    Along with other Internet regions, ARIN is out of IPv4 Addresses. Are you IPv6 fluent? Are you IPv6 ready? Read More
  • Enabling the IoT with Wireless

    Enabling the IoT with Wireless

    Without wireless, we cannot have the Internet of Things. Read More
  • MPLS Book for iPad and iPhone

    MPLS Book for iPad and iPhone

    Get Mr. Walding's book here! Read More
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8

Welcome to CellStream, Inc. - Telecom Consulting and Training!

Welcome to our home on the Internet, where we can not only share information, but also interact with each other.

If you are a visitor to the site, there are a number of things to view:

Registered CellStream folks and our clients will log in using their private credentials to access projects, calendars and discussions.

Thanks for visiting! We always welcome comments and suggestions.

The CellStream Team

Sometimes troubleshooting in Wireshark is easy-ish, you find a missbehaving protocol behavior or pattern or even a bad packet, sometimes it is tricky and takes a while to find something, and sometimes it is as clear as mud. 

For that reason you always have to approach Wireshark analysis as an evidence gathering process: making note of what you are finding and what you are thinking.  I like to capture screen shots as I work and take notes in Evernote (but you could use anything similar).

What we have below is, thanks to one of our students, a capture done at a single Access Point Wi-Fi network.  Troubleshooting it was clear as mud.  The user was complaining that the network was running slow - "slow Internet".

A capture was done using Microsoft NetMon using a Windows machine to see the wireless packet data.  You can read my article on this here.

Side Note:  Using Microsoft NetMon creates .cap files.  
Normally Wireshark has no issue processing these. 
However, when you use NetMon to put the Wireless adapter into monitor mode,
NetMon uses special wireless headers, not the standard Radiotap headers. 
Wish this were not true, but they do. 
The result is that while you can open the .cap file in Wireshark,
you cannot Export or Save it at the time this article is written.
This also means that anonymizing the file is not possible.
So the capture can't be shared. Sorry!
Here is how my brain worked as I analyzed the capture:
 
1.  I started where I always start - I clicked on Analyze> Expert Info and got this:
realworld1
 
Lots of error and warnings.  The Checksum errors can be ignored.  Not sure why the tag length is an issue - it is only in the vendor specific area of the LAN management frame.  Could be a decoding issue, not sure.  It would be interesting to know if these go away if we can get to the bottom of the issue.
 
2. ICMP Errors - no responses to pings - these all seem to be going to 8.8.8.8 but no answer is heard.  First - I love to see these in a capture - it is a way of baselining the connection and provides vital evidence.  So the WLAN side looks OK, but indicates possible issue on exit to WAN side.
 
3. TCP session resets - there are more than usual.  This is on port 443 (SSL).  An SSL problem?, doubt it at this point.
 
4.  There are a ton of retransmission bits being detected:
realworld2
 
Wow - this is heavy collisions or missing ACKs.  I filtered for just these packets.  The source is the Comtrend (which I note from the beacon frames - this is the AP), and these are all in the 5GHz channel:
 
realworld3
 
That tells me that the AP could not hear the ACKs from the Station in the 5GHz range.  A common problem - meaning that the station can hear the AP but not vice versa.  All these retransmission will result in slow throughput by impacting any TCP session.
 
5.  The next notes indicate - sure enough - a ton of TCP duplicate ACK's:
realworld4
 
Duplicate ACK's are when TCP sessions essentially are banging against their retransmission timeouts - meaning they ACK'ed and sent something, and did not hear from the other side, so they resend the ACK, assuming that their previous ACK was lost.  To me, this looks like the result of all those Layer 2 retransmissions.  I would also throw in the TCP resets into this thought.
 
6.  I note that when we see the wireless data rate - it is running at 6Mb/s:
realworld5
 
And that stays consistent, so the news is good there, though it could be better.
 
With those pieces of evidence, I cannot rule out the wireless side because of all those retransmissions, indicating that the station can hear the AP but the AP is struggling to hear the station.  Further there appears to be problems converting from the WLAN to the LAN/WAN side of things.  This would indicate an AP problem perhaps, so swapping the AP makes sense.
 
This was, as I said, clear as mud.  However, swapping the AP worked.
 
I hope you find this interesting and educational.

 

Comments powered by CComment

Our Latest Content

  • My Traceroute in Linux

    Since we published the Linux Networking Commands article in October 2017, I have had several comments that I should have

    Read More
  • Testing/Baselining DNS Server Performance

    As a follow on to our DNS In Depth article, we wanted to provide a reference to a great tool.

    Read More
  • Using Ansible for Network Automation

    Ansible is a tool used to automate Server provisioning and network provisioning.  Ansible is completely free!  You can dive deep

    Read More
  • How Support Should Not Happen

    The term "Support" can be used as a noun or a verb.  To the right is the definition we found

    Read More
  • Is there a lot of QUIC in your Packet Captures?

    Have you noticed a lot of QUIC protocol in your packet captures?  I certainly have, and we had better talk

    Read More
  • 1
  • 2
  • 3
  • 4

Our Most Popular Articles

  • What is the 'arp' command, and how can I use it?

    ARP stands for Address Resolution Protocol.  This protocol is used by network nodes to match IP addresses to MAC addresses. 

    Read More
  • Neighbor Discovery (ND) Table in IPv6 Windows, Linux and MAC Machines

    A great question I was asked in class was: "If Neighbor Discovery processes have replaced ARP in ICMPv6, how do

    Read More
  • How do I reset my "Default" profile in Wireshark?

    This is a commonly asked question that usually results from users learning the can have different profiles after they have

    Read More
  • IPv6 Windows Command Line Examples

    Here are some great Windows command line entries you can make to examine and configure IPv6 (assuming your version of

    Read More
  • A List of Network Monitoring Tools for Network and System Administrators

    Monitoring, analyzing, managing, and diagraming a network can often be a huge problem for Network and System Administrators.  They are

    Read More
  • 1
  • 2
  • 3
  • 4

Subscribe to our Newsletter!

Our Tag Cloud

4G Networks 6LoWLAN 6LoWPAN 802.11 802.11ah 802.11ax 802.11ay 802.11az Ad-Hoc Addressing Airlines Analysis Ansible Apple Architecture ARP Assessment ATM AToM Automation Baseline BGP Billing Bloom's Taxonomy Bluehost BPF Briefings Cable Capture Filter CellStream Cellular Central Office Cheat Sheet Chrome Cisco Click Model Cloud CMD Company Policy Computer Consulting Data Center Data Networking Decryption Dependencies DHCPv6 dig Display Filter DNS Documentation Earth Earthquakes Ethernet Ethics Etiquette Evaluation Filter Five Monkey Rule G-MPLS Gauge GNS3 Google Hands-On Hiring History Home Network HTTPS ICMP ICMPv6 IEEE 802.11p IEEE 802.15.4 India Internet IoT IPv4 IPv6 IRINN IS-IS L2VPN L3VPN LDP LifeNet Linux LLN LoL M-BGP MAC Macro Management Microsoft Milky Way mininet Monitoring MPLS mtr Multicast Murphy Netcat NetMon netsh Networking nmap nslookup Observations OLPC Online School OpenFlow OSPF OSPFv2 OSPFv3 OSX OTT Personnel Policy POTS POTS to Pipes PPP Profile Project Management PW3E QoS QUIC Railroad Remote Desktop Requirements Review RIP Routig Routing RPL RSVP Rural Scanning SDN Security Service Provider Small Business SONET Spam Speed SS7 SSL Status Storms Subnetting Support T-Shark TCP TCP/IP Telco Telecom 101 Telecommunications Telephone Testing TLS Tools Traceroute Traffic Engineering Training TRANSUM Travel Tunnel Ubuntu Utility Video Virtualization VoIP VRF Wi-Fi Windows Wireless Wireless 5G Wireshark WLAN ZigBee

Our Twitter Feed

SiteLock