1
00:00:00,000 --> 00:00:08,072

2
00:00:08,072 --> 00:00:12,897
OK, we're back to continue on modules on HTTP.

3
00:00:12,897 --> 00:00:16,030
And in this module, we will be discussing

4
00:00:16,030 --> 00:00:19,487
how to address a poorly performing website

5
00:00:19,487 --> 00:00:23,450
and get a little bit deeper into the possible issues that you may have

6
00:00:23,450 --> 00:00:26,720
when you're using Wireshark and trying to analyze

7
00:00:26,720 --> 00:00:37,778
a performance issue on an HTTP-based or web-based client to server communication.

8
00:00:37,778 --> 00:00:42,995
So one of the things to consider first is why does a site perform poorly?

9
00:00:42,995 --> 00:00:49,536
There are so many reasons why a website can perform poorly.

10
00:00:49,536 --> 00:00:54,487
I could probably fill up this entire module just with that explanation.

11
00:00:54,487 --> 00:01:00,218
So I think to summarize, we can start with

12
00:01:00,218 --> 00:01:02,963
the tip of the hour, so you have the client,

13
00:01:02,963 --> 00:01:08,580
you have the possible lack of resources on the client.

14
00:01:08,579 --> 00:01:11,394
So you may be trying to do something very intensive.

15
00:01:11,394 --> 00:01:18,234
And the client cannot handle it, so you go to a website which is very graphic oriented.

16
00:01:18,234 --> 00:01:21,190
Or you don't have the correct plug-ins

17
00:01:21,190 --> 00:01:27,978
or you have some type of requests for job or you don't have the correct version.

18
00:01:27,978 --> 00:01:31,760
There's just so many reasons why a client could have a problem.

19
00:01:31,760 --> 00:01:36,958
So, your website performing poorly,

20
00:01:36,958 --> 00:01:41,159
it's, it's incredibly important to first start with the client and

21
00:01:41,159 --> 00:01:44,807
to make sure that the client is responding correctly.
22
00:01:44,807 --> 00:01:48,967
Obviously, you would want to ask them

23
00:01:48,967 --> 00:01:51,838
to, or try yourself, to try a different web browser.

24
00:01:51,838 --> 00:01:57,138
There's many, there's Chrome, there's Safari, there's IE,

25
00:01:57,138 --> 00:02:00,859
Firefox, there's quite a few out there, Opera,

26
00:02:00,859 --> 00:02:04,679
and try the different browsers and see if you get a different response.

27
00:02:04,679 --> 00:02:08,104
There's different versions with Internet Explorer.

28
00:02:08,104 --> 00:02:11,565
You will find that some applications do not

29
00:02:11,565 --> 00:02:17,770
work or are not coded to work with newer versions of IE.

30
00:02:17,770 --> 00:02:20,646
For example 10, and it may ask you to use 8.

31
00:02:20,646 --> 00:02:27,673
Luckily, with the browsers of today, especially with Internet Explorer, you can hit the F12 key.

32
00:02:27,674 --> 00:02:30,982
And you could switch your browser version, you could try that.

33
00:02:30,982 --> 00:02:35,778
Then there's the web server itself,

34
00:02:35,778 --> 00:02:38,005
and it could suffer from the same issues.

35
00:02:38,005 --> 00:02:42,894
It could have lack of resources, it could be overwhelmed.

36
00:02:42,894 --> 00:02:47,574
It could be part of a pool and one of the servers is having an issue.

37
00:02:47,574 --> 00:02:52,600
It could be n-tier and it could have a middleware or database tier issue.

38
00:02:52,600 --> 00:03:00,277
There are the same types of I/O issues, such as read-write to disk, that could be an issue.

39
00:03:00,277 --> 00:03:05,863
Not enough memory, there could be so many things that could be wrong with it.

40
00:03:05,863 --> 00:03:10,022
One of the things that we haven't talked about until now, it could be on a VM,

41
00:03:10,022 --> 00:03:15,644
and the host could be having an issue, the guest could be having an issue.
42
00:03:15,644 --> 00:03:20,707
There's a lot of reasons why the site may perform poorly,

43
00:03:20,707 --> 00:03:25,705
as well as the fact that it could just be coded poorly.

44
00:03:25,711 --> 00:03:31,027
It could be problems in the code. There are quite a few things.

45
00:03:31,027 --> 00:03:36,672
Then there's the path in between, where the firewall can be breaking something.

46
00:03:36,672 --> 00:03:44,274
It could just be latency to the site, you might not have enough bandwidth.

47
00:03:44,274 --> 00:03:49,386
So there's, there's many reasons, but when you use Wireshark it will allow you

48
00:03:49,385 --> 00:03:54,041
to capture the data. You can look at source to destination data.

49
00:03:54,041 --> 00:03:57,289
You can review the TCP information.

50
00:03:57,298 --> 00:04:00,969
You can analyze the response time, the round-trip time,

51
00:04:00,969 --> 00:04:06,859
look at a bunch of different things that may give you a clue or some insight into

52
00:04:06,859 --> 00:04:12,414
why this site may be performing poorly.

53
00:04:12,414 --> 00:04:16,088
But regardless, just remember that there are

54
00:04:16,088 --> 00:04:23,015
numerous reasons as to why, and Wireshark may be giving you some insight into what it is,

55
00:04:23,015 --> 00:04:28,688
but just again, just remember, that there's quite a few things that could go wrong.

56
00:04:28,688 --> 00:04:33,578
So, one of the things that I wanted to highlight was,

57
00:04:33,578 --> 00:04:38,573
if you look inside the Expert, there's a couple of things that you may find.

58
00:04:38,573 --> 00:04:44,406
Before we get into that, let's take a quick look at an actual capture. I pulled up a bad cap.

59
00:04:44,406 --> 00:04:47,926
This one has a specific problem in it.
60
00:04:47,926 --> 00:04:50,258
Actually, there were 2 problems in it and

61
00:04:50,258 --> 00:04:53,336
I wanted to highlight both of them and show them, show you

62
00:04:53,336 --> 00:04:57,306
how they actually showed me what the issue was.

63
00:04:57,306 --> 00:05:01,631
So on this one, I was able to pull an actual problem.

64
00:05:01,640 --> 00:05:07,796
I got a 401 unauthorized there and, as you could see, it clued me into

65
00:05:07,796 --> 00:05:10,253
why somebody was having a problem with the site.

66
00:05:10,253 --> 00:05:13,416
Now, had I not pulled this information,

67
00:05:13,416 --> 00:05:16,830
it may not have been shown on the client, but

68
00:05:16,830 --> 00:05:20,942
regardless, it was able, I was able to pull a packet and find that

69
00:05:20,942 --> 00:05:23,718
there was an issue of something was unauthorized.

70
00:05:23,718 --> 00:05:26,174
And the reason why I wanted to show it in the Expert

71
00:05:26,174 --> 00:05:29,072
is because it flagged it right in the Expert,

72
00:05:29,098 --> 00:05:33,944
where I could have pulled it up and then drilled into this packet

73
00:05:33,943 --> 00:05:36,120
to figure out exactly what's going on.

74
00:05:36,119 --> 00:05:40,875
But here, I have a 401 error and it's because it's unauthorized.

75
00:05:40,875 --> 00:05:47,075
And the Microsoft IIS server was responding with that 401 error.

76
00:05:47,082 --> 00:05:49,270
There could be many reasons why that's an issue.

77
00:05:49,269 --> 00:05:55,283
Maybe there was a, it wasn't configured in the right pool, or there's a permissions issue.

78
00:05:55,283 --> 00:05:59,664
But again, I used Wireshark to capture the data

79
00:05:59,664 --> 00:06:03,357
so that I was able to find this particular error.

80
00:06:03,357 --> 00:06:07,425
And then drill down into where that could be coming from.

81
00:06:07,421 --> 00:06:10,251
And in this instance, I was able to see

82
00:06:10,265 --> 00:06:15,838
specifically that it was coming from the server itself.
83
00:06:15,838 --> 00:06:22,817
Then if I actually look into the, specifically in here

84
00:06:22,817 --> 00:06:27,652
into the Expert, I also found a handful of packets

85
00:06:27,651 --> 00:06:30,952
where the window is full or zero window, and

86
00:06:30,952 --> 00:06:35,369
what that tells me is that I may have a buffering issue

87
00:06:35,369 --> 00:06:39,918
where I may have to increase the window size on some of these devices

88
00:06:39,918 --> 00:06:43,414
'cause it's not able to handle the amount of traffic.

89
00:06:43,414 --> 00:06:47,866
And where I've seen this issue is you're using a very intense application

90
00:06:47,866 --> 00:06:53,684
or a very data-intensive application and it just wasn't able to get the data

91
00:06:53,675 --> 00:06:56,197
to and from in time, and it was causing

92
00:06:56,197 --> 00:07:01,066
what the client saw as performance issues, where

93
00:07:01,066 --> 00:07:03,550
the screens seemed to freeze up on them.

94
00:07:03,550 --> 00:07:11,379
It was not responsive, and/or switching between different items or tabs, or

95
00:07:11,379 --> 00:07:16,720
or windows within the web browser, seemed to be very choppy or slow.

96
00:07:16,713 --> 00:07:20,545
So again, that was something where, when I was running a capture,

97
00:07:20,544 --> 00:07:26,472
I was able to pull that information directly out of the captured packets.

98
00:07:26,472 --> 00:07:31,664
And again, this is something where, if you want to look at the stream,

99
00:07:31,664 --> 00:07:36,465
it'll tell you very quickly: you did a GET request.

100
00:07:36,465 --> 00:07:41,598
It basically said no, you're unauthorized, I am not doing anything for you.

101
00:07:41,598 --> 00:07:48,547
So that was another quick way to see where the problem may be stemming from.
102
00:07:48,547 --> 00:07:54,807
So as we continue to drill down into Wireshark,

103
00:07:54,807 --> 00:07:58,584
it's very, it should be becoming very apparent to you that

104
00:07:58,584 --> 00:08:06,860
by doing this type of analysis, it's becoming quicker or easier to you that

105
00:08:06,860 --> 00:08:12,303
by using certain tools within it, you are able to look at the data

106
00:08:12,303 --> 00:08:15,231
and start to organize it in a way where you can

107
00:08:15,231 --> 00:08:17,688
figure out what it is that you want to look for.

108
00:08:17,688 --> 00:08:23,072
And as a, as a reminder here, the tools that you're using within Wireshark,

109
00:08:23,072 --> 00:08:27,784
it's your data, so you're filtering on it.

110
00:08:27,784 --> 00:08:34,564
You want to just see HTTP. Maybe you want to see that DNS was an issue here.

111
00:08:34,564 --> 00:08:39,287
Maybe you were trying to request the DNS,

112
00:08:39,287 --> 00:08:43,115
were trying to query a DNS server and it wasn't responsive.

113
00:08:43,115 --> 00:08:47,852
Therefore, I wasn't able to access the website, if it was poorly performing.

114
00:08:47,852 --> 00:08:51,521
Maybe, as we showed before, there was a reason.

115
00:08:51,521 --> 00:08:56,100
Something was in the website, you tried to move to a different tab.

116
00:08:56,100 --> 00:09:03,474
And it was choppy. Maybe there was something causing it to perform horribly.

117
00:09:03,467 --> 00:09:09,902
Or you weren't authorized to see certain parts of the site, so you don't even pull up the page.

118
00:09:09,902 --> 00:09:14,770
You can look at the flow graph, which we looked at in an earlier module.

119
00:09:14,770 --> 00:09:19,931
You can look at the Expert. This will give you some clues as to what may be the problem,

120
00:09:19,931 --> 00:09:28,459
and other tools, such as tools that are integrated directly into the browsers themselves

121
00:09:28,459 --> 00:09:34,295
or snap-in plug-ins or third-party plug-ins.
122
00:09:34,295 --> 00:09:39,592
What we could see here is that if we use a tool such as

123
00:09:39,592 --> 00:09:46,331
HttpWatch, Firebug or the development tool within Internet Explorer,

124
00:09:46,324 --> 00:09:49,429
we could also use these in tandem with Wireshark

125
00:09:49,429 --> 00:09:53,991
to get an understanding of what may or what may not be a problem.

126
00:09:53,991 --> 00:09:59,133
So as we see here, we can pull up a web browser,

127
00:09:59,133 --> 00:10:04,648
we can hit the F12 key, we can look at specifically

128
00:10:04,648 --> 00:10:09,379
some of the tools within, here,

129
00:10:09,379 --> 00:10:14,239
and I would like to click on the network and start capturing.

130
00:10:14,239 --> 00:10:21,291
And if I go to a website, it will show me

131
00:10:21,291 --> 00:10:29,225
some information about the response time for the website, and this will help to also show me

132
00:10:29,222 --> 00:10:36,793
possible poor performance. Actually, in this case, and not because it's just the INE website,

133
00:10:36,793 --> 00:10:42,217
it actually responded extremely quickly. It pulled up everything very quickly.

134
00:10:42,217 --> 00:10:49,535
And aside, aside from, and commonly, the quick first request and the pulling of the cascading

135
00:10:49,536 --> 00:10:53,144
style sheet, everything came down lightning quick.

136
00:10:53,144 --> 00:10:58,174
So, if you want to pull up a site that may not perform as well,

137
00:10:58,174 --> 00:11:02,685
this may give you a clue as to what page may be hanging it up,

138
00:11:02,685 --> 00:11:04,685
or what else could be an issue.

139
00:11:04,685 --> 00:11:09,038
And then, you can look and filter for that information back in Wireshark

140
00:11:09,038 --> 00:11:15,802
to see specifics of what that page or that content may have been hanging or

141
00:11:15,802 --> 00:11:20,549
or causing performance degradation to the website itself.

142
00:11:20,549 --> 00:11:27,801