Tag Archives: packet sniffer

How to troubleshoot a slow computer network?


Your network is slow. What do you do to make it faster?
The answer is not simple, and the reason for your slow network could be any of a lot of things. You have to take a step-by-step approach and isolate the bottleneck. Once you isolate the point of failure, it is easier to find the problem.

Many times a packet sniffer will help you find the problem faster. A good free packet sniffer is Wireshark. Another packet sniffer is Microsoft Network Monitor.

Here is a list of Windows-based network tools that can help you troubleshoot almost any problem in a Computer Network:
Ping – a network utility to test if a computer is up and reachable or not. Ping uses the ICMP protocol to send echo requests.
Nmap – a port scanner. You need a port scanner to enumerate open ports and live IP addresses.
Tracert – a utility that traces the path of a network packet enumerating all of the routers that it passes through.
Wireshark – a packet sniffer.
Netstat – a utility that enumerates all the open ports on the local computer.
Ipconfig – a utility to list or modify the properties of a network adapter.
Netsh – a powerful Windows utility to modify various network properties. It is a scripting utility that basically controls every aspect of the Network on a Windows computer.
One handy use of netsh is to reset the TCP/IP stack to its defaults without the need to uninstall and reinstall the TCP/IP protocol, as we needed to do with older operating systems.
Route – lets you view and manipulate routing.
Nslookup – a name resolution utility. Very useful to check DNS servers and validity of name records.
Arp – a utility that allows you to get information about MAC address to IP address resolution.
Getmac – Provides the MAC address and lists associated network protocols for all network cards for a local or remote computer.
Getname – displays the computer name.
PathPing – Combines the functions of Traceroute and Ping, very powerful tool.
Net services commands – Performs a broad range of network tasks such as Network mapping, authentication, controls services, etc…

If you are not sure how to use these tools, read the Help or, since all of these are command line tools, issue the command with the help option from the command line, for instance: "pathping /?". This will give you a list of the valid options.

This article is part of a five-post series on Network Troubleshooting.

  1. How to troubleshoot a slow computer network?
  2. Troubleshoot a Slow Network – The entire Network is Slow
  3. Troubleshoot a Slow Network – Slow Server
  4. Troubleshoot a Slow Computer Network – Only One Computer on the Network is Slow
  5. Troubleshoot a Slow Computer Network – Your Computer is Slow and Not the Network

Troubleshoot a Slow Network – Slow Server

Slow Server

How do we know the server is slow and the problem is not elsewhere?
Make a file transfer between any two other computers on the network. Compare the measurements with the server’s transfer rates.
What are the reasons for a slow server?
There are many reasons for a slow server. The server is often the bottleneck of a network. Here are a few reasons for a slow server:
An average, or below average network card, (you need good quality network cards for a server).
Server Network Card Underutilized. Connect your server on the backbone or on 1GB switch ports to make use of the high speed network card. You probably want to limit all your clients to transfer at 100Mb so that there is no traffic discrimination. If your server and switches support higher transfer rates, (10GB ports), make sure you make use of it.
Slow disks. Poor hardware is many times the main reason. Improper configuration, such as choosing the wrong RAID type, or not using write caching can be another reason.
Too many clients on a server. If too many clients make requests to the same single server, this could overload the server, and it will be perceived as a slow network by the users. Measure your server's performance under load using the performance logs and alerts and the system monitor in Windows. Usually the performance changes over the course of a day, based on the number of users who access the server at the same time. Sometimes adding another network card would be sufficient. Enabling write caching on the SCSI card can help a lot (make sure you install a cache battery); adding a new SCSI card and additional disks to offload the existing ones could also help. Sometimes adding another CPU can make a difference (if you have free CPU slots). Memory is very often the most used method of upgrading, but most of the time it is not the needed solution. Use the performance logs and alerts and the system monitor, and compare with the recommended thresholds to determine what your bottleneck is.
Slow server response. Use a packet sniffer to determine the handshake time, then adjust the server's configuration to optimize the handshaking time (this is a fairly advanced optimization task).
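The handshake measurement above, as an added example that is not part of the original article: it assumes the handshake in question is the TCP three-way handshake and that the sniffer's capture has been exported to CSV with the hypothetical columns shown. The sample rows are constructed, with 10.0.0.5 standing in for the suspect server and 10.0.0.8 for another machine used as a baseline.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: TCP segments exported from a capture (not real traffic).
# flags: S = SYN, SA = SYN/ACK. 10.0.0.5 is the suspect server, 10.0.0.8 a peer.
SAMPLE_SEGMENTS = """\
time,src,sport,dst,dport,flags
0.000,10.0.0.21,50001,10.0.0.5,445,S
0.180,10.0.0.5,445,10.0.0.21,50001,SA
1.000,10.0.0.22,50002,10.0.0.5,445,S
2.000,10.0.0.22,50002,10.0.0.5,445,S
2.150,10.0.0.5,445,10.0.0.22,50002,SA
3.000,10.0.0.21,50003,10.0.0.8,445,S
3.002,10.0.0.8,445,10.0.0.21,50003,SA
4.000,10.0.0.23,50004,10.0.0.5,445,S
"""


def handshake_times(segments_csv):
    """Return (delays, unanswered).

    delays maps 'server_ip:port' to SYN -> SYN/ACK delays in seconds;
    unanswered lists connections whose SYN never got a SYN/ACK.
    """
    pending = {}
    delays = defaultdict(list)
    for row in csv.DictReader(io.StringIO(segments_csv)):
        t = float(row["time"])
        if row["flags"] == "S":
            conn = (row["src"], row["sport"], row["dst"], row["dport"])
            # Keep the first SYN so retransmitted SYNs count as waiting time.
            pending.setdefault(conn, t)
        elif row["flags"] == "SA":
            conn = (row["dst"], row["dport"], row["src"], row["sport"])
            if conn in pending:
                server = f'{row["src"]}:{row["sport"]}'
                delays[server].append(round(t - pending.pop(conn), 3))
    return dict(delays), sorted(pending)


def worst_delay(delays):
    """Slowest handshake per server, for comparing server against peer."""
    return {server: max(times) for server, times in delays.items()}
```

A server whose worst delay is far above the baseline machine's, or that leaves SYNs unanswered, is answering slowly before any file data moves.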


Troubleshoot a Slow Network – The entire Network is Slow

The Entire Network is Slow

If the entire network or a part of the network is slow, this strongly suggests a faulty switch or a misconfiguration.

Poor network equipment
Usage of hubs is not recommended, (hubs are prone to collisions by design)
Cheap switches that cannot handle the total needed bandwidth. The switch's chip can handle 100Mb/s for 12 ports, but the switch has 24 ports and all are connected. For low network usage this is not a problem, but if your network usage spikes, your switch will not be able to handle the bandwidth. The quick fix in such a situation is to power off the switch for a few minutes and then power it back on.

A loopback is a network cable that has both ends connected to the same switch. If it's a managed switch, activating loop protection on all the ports could fix the problem. You can look in the switch's log file for excessive broadcasts and isolate the two ports that are in the loop. If you don't have managed switches, you can use a packet sniffer to determine if there's a loop. A wrongly configured Spanning Tree could cause a loopback.
FIX: Check all the patch-cord connections in the faulty switch. Check for patch-cords that have both ends in the same switch. Check for more than one patch-cord connecting the same two switches.
If you have cascaded switches, it is normal for the devices on the cascaded switch to be slower, but it is not normal for the devices that are not cascaded. Check that no cascaded device is connected to two ports on the wall (usually the ports on the wall go to the network room); in that case your cascaded switch makes a loop into the upper-level switch.

Bad Network Configuration
DNS issues can cause a lot of slowdowns.
One common error is to use your ISP's DNS server inside your Active Directory network. Your Active Directory member computers will try to resolve internal names by querying your ISP's DNS. Those records don't exist outside of your network.
Fix: For all of your Active Directory network clients, remove any entries for your ISP's DNS servers and use only internal DNS servers. Configure your ISP's DNS server as a forwarder on your AD DNS servers.

Wrongly connected network switching equipment is the reason for a slow network in many small networks. Typically this happens when a small switch is connected to the router. When the switch becomes too small for a growing network, the first impulse is to connect the computers into the router directly.
Fix: Install a switch that will accommodate all of the computers in the network. Disconnect any computers connected directly into the router.
Note: It is normal for the wireless connected computers to have slower transfer rate than the wired ones. Most of the wireless routers and adapters function at 54Mb per second. If your router is a modern router, (100 Mb or faster), and you still don’t get the expected transfer rates, you should revise your configuration as above.

Broadcast storm
You can efficiently detect a broadcast storm using a packet sniffer or a managed switch. With a packet sniffer you need to look for large numbers of broadcast/multicast packets (more than 20% of the total traffic is an alarm signal). Locate the retransmission packets and search for the source MAC address. Disconnect the problem host.
If you suspect a broadcast storm in your network and you don't have a managed switch or a packet sniffer, you can run download and upload tests while systematically disconnecting all of the computers in the network one by one. This is only practical in a small network environment.
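The 20% check described above, as an added example that is not part of the original article: it assumes the sniffer's frames have been exported to CSV with the hypothetical columns `time`, `src_mac` and `dst_mac`, and the sample rows are constructed. It counts broadcast and multicast frames by destination address and ranks the source MAC addresses that send them.

```python
import csv
import io
from collections import Counter

# Constructed sample: frames exported from a capture as CSV (not real traffic).
SAMPLE_CAPTURE = """\
time,src_mac,dst_mac
0.001,00:11:22:33:44:01,00:11:22:33:44:02
0.002,00:11:22:33:44:09,ff:ff:ff:ff:ff:ff
0.003,00:11:22:33:44:09,ff:ff:ff:ff:ff:ff
0.004,00:11:22:33:44:02,00:11:22:33:44:01
0.005,00:11:22:33:44:09,FF-FF-FF-FF-FF-FF
0.006,00:11:22:33:44:01,01:00:5e:00:00:fb
0.007,00:11:22:33:44:03,00:11:22:33:44:01
0.008,00:11:22:33:44:09,ff:ff:ff:ff:ff:ff
0.009,00:11:22:33:44:01,00:11:22:33:44:03
0.010,00:11:22:33:44:02,00:11:22:33:44:03
"""

ALARM_SHARE = 0.20  # the article's alarm level: more than 20% of total traffic


def is_group_address(mac):
    """Broadcast or multicast: lowest bit of the first octet is set."""
    first_octet = mac.replace("-", ":").split(":")[0]
    return int(first_octet, 16) & 1 == 1


def broadcast_report(capture_csv, alarm_share=ALARM_SHARE):
    """Share of broadcast/multicast frames and the MACs sending most of them."""
    total = 0
    by_source = Counter()
    for row in csv.DictReader(io.StringIO(capture_csv)):
        total += 1
        if is_group_address(row["dst_mac"]):
            by_source[row["src_mac"].lower()] += 1
    group = sum(by_source.values())
    share = group / total if total else 0.0  # empty capture: no alarm
    return {
        "total": total,
        "group_frames": group,
        "share": share,
        "alarm": share > alarm_share,
        "top_sources": by_source.most_common(3),
    }


if __name__ == "__main__":
    print(broadcast_report(SAMPLE_CAPTURE))
```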

Virus Attack
A typical sign is a lot of connections originating from the same MAC address, to the same destination port, but for different destination addresses, and in short intervals.
Fix: Determine the source address of these connections and disconnect the suspect hosts. Run an antivirus scan on the computer before plugging it back in. There are a few ways to determine the source of a virus. Use a packet sniffer, look on your managed switch for the ports with the most traffic, and confirm it on the suspected computer by issuing the command "netstat -a -b" (on a Windows machine). The command will show you which ports are active and which program (executable) is using the ports.
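The traffic pattern described above, turned into a check over captured connection attempts (an added example, not part of the original article). The CSV columns, the 10-second window and the threshold of 5 distinct destinations are assumptions standing in for "short intervals" and "a lot of connections", and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of outbound connection attempts (not real traffic).
SAMPLE_CONNECTIONS = """\
time,src_mac,dst_ip,dst_port
0.0,00:11:22:33:44:0a,192.0.2.10,445
0.4,00:11:22:33:44:0a,192.0.2.11,445
0.9,00:11:22:33:44:0a,192.0.2.12,445
1.3,00:11:22:33:44:0a,192.0.2.13,445
1.8,00:11:22:33:44:0a,192.0.2.14,445
2.2,00:11:22:33:44:0a,192.0.2.15,445
0.5,00:11:22:33:44:0b,198.51.100.7,443
5.0,00:11:22:33:44:0b,198.51.100.8,443
0.0,00:11:22:33:44:0c,203.0.113.1,80
60.0,00:11:22:33:44:0c,203.0.113.2,80
120.0,00:11:22:33:44:0c,203.0.113.3,80
180.0,00:11:22:33:44:0c,203.0.113.4,80
240.0,00:11:22:33:44:0c,203.0.113.5,80
"""

WINDOW_SECONDS = 10.0  # assumption for "short intervals"
MIN_TARGETS = 5        # assumption for "a lot of connections"


def suspect_hosts(conn_csv, window=WINDOW_SECONDS, min_targets=MIN_TARGETS):
    """Map (src_mac, dst_port) -> most distinct destinations in any window."""
    events = defaultdict(list)
    for row in csv.DictReader(io.StringIO(conn_csv)):
        key = (row["src_mac"].lower(), int(row["dst_port"]))
        events[key].append((float(row["time"]), row["dst_ip"]))

    suspects = {}
    for key, conns in events.items():
        conns.sort()
        start = best = 0
        for end, (t_end, _) in enumerate(conns):
            while t_end - conns[start][0] > window:
                start += 1  # slide the window forward
            best = max(best, len({ip for _, ip in conns[start:end + 1]}))
        if best >= min_targets:
            suspects[key] = best
    return suspects


if __name__ == "__main__":
    print(suspect_hosts(SAMPLE_CONNECTIONS))
```

In the sample only the first host is flagged: the third host also reaches five addresses on one port, but spread over minutes rather than seconds.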
