Troubleshooting latency by capturing traffic

When someone has network issues such as high latency, packet loss or high jitter I always like using Wireshark and Tcpdump for capturing traffic. I still remember when I learnt how to use it at University. It was my fourth year studying IT engineering. I also learnt about the TCP Window and the network congestion-avoidance algorithm. When we use Wireshark to analyze a packet capture, it’s important to know the flags, the TCP messages and the connection states to understand and optimize TCP performance.

One of the TCP flags, which is really useful, is the TCP Window Full. If a sender transmits a packet which is filling the recipient’s receive window, Wireshark will report this message. It means the sender is reaching the full capacity of the TCP flow, which is limited by the receiver. However, the network may have higher capacity. For instance, there are older operating systems and less powerful devices that have small TCP buffers which can be increased. On the other hand, systems such as F5 BIG-IP allows us to configure the Send Buffer and Receive Window settings easily from GUI.

TCP Window Full

Another interesting flag that we can see when there are performance issues is the TCP Zero Window. This flag is used to tell the TCP sender to stop sending traffic due to the fact that the receiver’s buffer is full. Therefore, the sender is delivering traffic faster than the receiver can process it. If a device advertises Zero Window, we should check the peer flow which usually indicates that throughput is limited by the peer flow. We should also check the system performance because if it is heavily loaded, the system itself can introduce delay.

TCP Zero Window

There is another TCP flag that we can often see when we analyze a packet capture. The TCP Retransmission flag means the ACK packet has not been received within the timeout interval (known as the retransmission timeout or RTO) thus the sender has to retransmit the packet again. This flag indicates network loss but it may not always be an issue because TCP is designed to increase throughput until loss is observed to estimate network capacity.

TCP Retransmission

When we see the TCP Retransmission flag, we can also see the TCP Duplicate ACK message. This message is part of a failure recovery mechanism called TCP Fast retransmit. A duplicate ACK is sent when a receiver receives out-of-order packets. Upon receiving the out-of-order packet, the receiver starts sending duplicate ACKs so the sender would start the fast-retransmision process. It indicates packet loss but this behaviour may not be an issue because TCP is designed to work like that.

TCP Duplicate ACK

To sum up, we should understand how TCP works as well as TCP flags and messages for troubleshooting network issues. Wireshark and Tcpdump will help us to analyze a packet capture. Finally, we will have to configure devices with the right settings for better network performance.

Regards my friends! Do you usually analyze network traffic?