Timing, Most Important Thing is Comedy and Packet Traces Too
top of page
Search

Timing, Most Important Thing is Comedy and Packet Traces Too


In the movie “A Good Year”, young Max Skinner, spends his childhood summer holidays learning to appreciate the finer things in life at his Uncle Henry's vineyard estate in Provence in southeastern France. Uncle Henry asks the question what’s the most important thing in comedy, and as Max begins to answer, but Uncle Henry interrupts with the response “timing”. The young Max is embarrassed, but he gets it.

As in packet traces, timing plays an important role. To understand if something has gone south it good to know if things are being communicated to fast, or slow or not at all. It’s one of the first things I remember learning when starting to analyze traces. To know when things timeout or how frequent should we see broadcast packets, understanding round trip time and what’s the utilization all relate to timing. Within Wireshark I like to set the Time column to "Seconds Since Previous Displayed Packet".

Wireshark View Time Display Format Options

Troubleshooting with Gearbit and Profitap article that I wrote, one pc that’s infected with a virus that sending ARPs out every .000003 (3 microseconds) causing slow response-time, slow connecting to the network and slow telnet-sessions. You can quickly see that the Time column shows this very quickly, and indicating something is very wrong. The Key here ARP packets are being sent out a wire-speed, so fast it's creating problems for other devices to communicate.

In this next example, the Time column shows delta time, indicating the time from the displayed packet. As you examine the packets you quickly notice they are all the same packet indicated by the IP ID hex value 0x1cc3 shown in the display filter. So why is the delta time so quick? The delta time here is not as fast, or low as the previous packet trace but quicker than what we would expect. You also notice the TTL or IP time-to-live is decrementing down, indicating a routing loop.

Wireshark packet trace showing quick delta time and time to live value being repeated indications of a routing loop.

So here are a few examples of Timing, and like the young Max Skinner learning from experience.

418 views

Recent Posts

See All
bottom of page