[00:00:07] OK, in our next module, we will talk about analyzing data transfer, which is probably one of the common things that you'll do on a network. Obviously, if you do anything on a network, you're using it to access resources of some kind. Normally, people do not just set up networks for show. Their primary purpose is to give you access to resources. And it's our job as engineers and analysts and experts to be able to go in and answer the tough questions as to why my data, or my access to my application, or my querying of my database, is problematic. Why did I just spend a tremendous amount of money on this enterprise solution or solutions, and it does not perform as per expectations?

[00:01:03] Well, there is no easy answer to that one, because obviously, if you were to set up a network from scratch and you were to keep it locked down, and basically do one thing with it, and have everything baselined, and you have all your answers to all your questions that you may have, then yes, I'm sure that the network will operate at the best possible performance. It will perform optimally, every application will hum and everything will be great. But here's the problem. When people are using the network, they're moving things, they're doing things, and through that it causes all these devices to be put under different loads; there are different stresses. As the networks grow and people are trying to use them more, they outgrow the initial design. As new applications are deployed and as things change and they're upgraded, there are new requirements. So essentially, there are a lot of concerns revolving around the simple fact of data transfer, and the fact of the matter is that it could be anything that impacts data transfer.

[00:02:20] So I've listed a few here; some of them are common ones. There's latency. So if I'm going to try to access something and it's taking quite some time to do that, then it may be deemed latent, and what in my network, or what from my system source to my destination, is causing this latency? I can have a bandwidth issue. I could have basically made my entire LAN segment backbone 10 gig, with 1 gigabit connections out to every computer, and then connected to another office or another data center, and, you know, I'll have a 30k link, which is basically not going to allow me, in today's day and age, to transfer any data or do any backups or anything of that matter over that WAN connection. What if I didn't have an internet connection in my office and I was actually going over the WAN link to access the internet out of a central site or data center or a core? What if that bandwidth, that WAN connection, is undersized and it's not allowing me to transfer data from the internet to my client fast enough? So as you can see, there are a lot of different things involved here with data transfer.

[00:03:44] I/O is another basic concern. So, disk reads and writes could be very slow, causing the transfer of data into memory, to be used and transferred across the network, to take an amount of time that is not something I am willing to accept. And there are others. You could have networks that are currently on 100 meg Fast Ethernet, and as it's growing to gigabit, it may be using applications and things that just need that to be upgraded. So, as you can see, there are a lot of concerns revolving around specific issues with data transfer.

[00:04:34] So, what can Wireshark do to help you solve this problem? As we got through all the modules up till now, we've covered a lot of reasons why things may be slow or causing performance issues, and you've learned ways to use Wireshark so that you can capture the data. Again, place it correctly, capture the data, review it, analyze it, and use the tools within Wireshark and external to Wireshark to come to some of these conclusions. However, with Wireshark specifically, you can capture the data from the source to that destination and you can look at things that we've already reviewed, such as timestamps: how long is it taking to get from one place to another, the round-trip time. What are the time deltas? What's the throughput? And other key data to help me analyze and figure out why the transfer of data is seemingly slow.

[00:05:37] So as an example here, I was trying to send data across the network and there were quite a few things that took place. One of the things was I was trying to switch modes and it was causing a delay in the transfer, or transferring, of the data. So it doesn't matter which protocol you use. It doesn't matter specifically what action you take. When you capture the data in Wireshark, you can start to sift through and look for clues. As we've mentioned earlier in another module, you can pull up the flow graph and take a look at how long it's taking for certain things to happen on the network here. And here, you can see that specifically, when one IP talks to another, there may be many factors as to why something may be slow. An example here is we've got a bunch of zero windows. So it may have, yup, right here, it was a retransmission because of the problem with the window. So there are certain things that will delay our ability to transfer data. And looking specifically at the TCP communications, we were able to determine that at this point in time, when we thought that we were going to be sending the data, there were quite a few things that took place in between that delayed it. So this period of time basically gave us a delay.

[00:07:13] So, some of the things that we look for in Wireshark when we're analyzing data transfer issues: you want to remember that you can only see what the client and the server see, and you can't really see anything in the middle unless you run Wireshark. So, yes, you can run a ping, you can run a trace, you can look at I/O on the boxes, but what are the packets really saying? You will need Wireshark to figure that out. And once you capture that data, you can look at certain things. You can say, alright, well, I have some timing issues. What's causing that? And then flip back to the fact that you may have a bandwidth problem, you may have a congestion problem, you may have a series of retransmissions that may show that. You may have dropped or lost data.

[00:08:06] Again, no cause for immediate alarm, because that doesn't necessarily mean that it's the problem. As we've mentioned in earlier segments, that just means that Wireshark did capture that, and one retransmission, as an example, is not a big deal. But if you see, for example, a hundred of them trying to get to an IP in a short amount of time, it's quite possible that you have a communications issue. And again, these devices, when they get the data, they buffer it, and if you're flooding it with small-sized packets, it's going to work a lot harder, it's going to fill up the buffers, and you're going to have issues where you could potentially see dropped data. Again, you could also see a large amount of broadcast data doing interrupts on your devices, which is slowing them down. You can look at the CPUs of the devices and see that they're working very hard, and they may not be able to perform as optimally as you'd like. And again, you can use other tools like the flow graph, the stream graph and other plotting tools to take a look at the data over time and see exactly what's spiking and what you need to address. You can also do a flow analysis where you can have a clear view. You can do this from flow and stream graphs, which will allow you to take a look at the overall communication from start to finish and give you a bird's-eye view into what may be delaying, or causing the delay of, a data transfer.

[00:09:44] And just to summarize, again, I believe that when you're having a problem with a higher-layer protocol, it always makes sense to know whether that protocol is using UDP or TCP. You can drill down into the TCP-layer communications and it will give you a closer look into the handshake and what's actually taking place, and what could also be causing slowness or performance issues on your network.