Any Wire Shark experts here?

TechnicalJayTechnicalJay Member Posts: 219 ■■■□□□□□□□
Hello,

I have been having trouble with my internet connection for a little bit now. I keep getting disconnected on games and websites are very slow. I am paying for 300mbps and usually get around 250-280 on speedtest.net but sites like google and youtube are still very slow. I even had the ISP come and change the cable modem twice.

I downloaded Wire Shark even though I still have no clue really on how to use it but I was noticing A LOT of black highlighted packets which I believe is bad TCP? And also I have packets that are as low at 5 TTL.

I have scanned for malware, viruses etc and nothing has been found. Does anyone have any ideas? Or what else I should check for in Wire Shark?

Thanks.

Comments

  • bigdogzbigdogz Member Posts: 881 ■■■■■■■■□□
    you could take a sledgehammer to your router and use your cell phone to call your ISP and tell them you don't think any packets are getting through to the local network icon_lol.gif

    In all seriousness, call your ISP and have them test the line (there was no mention of testing) from their network to your router. If there is no issue there, then it could be a cable or simplex / duplex issue on your PC if the setup is simple. You have to work your way up the OSI layers and test the cabling from the outside in.

    If you wish to test from the inside out, obtain a laptop from a friend that you know is functional and plug it into your network. If it is the same, there is a hardware or config issue on the router.

    Good luck
  • v1ralv1ral Member Posts: 116 ■■□□□□□□□□
    What kind of connection do you have? Cable? fiber? And what router do you have?
  • shochanshochan Member Posts: 1,004 ■■■■■■■■□□
    Hello,

    I have been having trouble with my internet connection for a little bit now. I keep getting disconnected on games and websites are very slow. I am paying for 300mbps and usually get around 250-280 on speedtest.net but sites like google and youtube are still very slow. I even had the ISP come and change the cable modem twice.

    I downloaded Wire Shark even though I still have no clue really on how to use it but I was noticing A LOT of black highlighted packets which I believe is bad TCP? And also I have packets that are as low at 5 TTL.

    I have scanned for malware, viruses etc and nothing has been found. Does anyone have any ideas? Or what else I should check for in Wire Shark?

    Thanks.

    I know that Udemy.com has a wireshark online course you can purchase. Pretty hands on.

    https://www.udemy.com/wireshark/learn/v4/overview
    CompTIA A+, Network+, i-Net+, MCP 70-210, CNA v5, Server+, Security+, Cloud+, CySA+, ISC² CC, ISC² SSCP
  • TechnicalJayTechnicalJay Member Posts: 219 ■■■□□□□□□□
    bigdogz wrote: »
    you could take a sledgehammer to your router and use your cell phone to call your ISP and tell them you don't think any packets are getting through to the local network icon_lol.gif

    In all seriousness, call your ISP and have them test the line (there was no mention of testing) from their network to your router. If there is no issue there, then it could be a cable or simplex / duplex issue on your PC if the setup is simple. You have to work your way up the OSI layers and test the cabling from the outside in.

    If you wish to test from the inside out, obtain a laptop from a friend that you know is functional and plug it into your network. If it is the same, there is a hardware or config issue on the router.

    Good luck

    When I call the ISP do I just say could you test the line to my modem, I'm having packet loss? I have no router, my modem acts as both. I did try buying a router and hooked it up to my modem but it was still the same issue. Also tried powerlines, extenders and wifi.
  • TechnicalJayTechnicalJay Member Posts: 219 ■■■□□□□□□□
    What kind of connection do you have? Cable? fiber? And what router do you have?
    I have a cable connection and I did have a Motorola surfboard but they changed it to an Arris. I'm not sure the model as im not currently home.
  • bigdogzbigdogz Member Posts: 881 ■■■■■■■■□□
    Just call them and tell them that you have slow connectivity.

    Is there a way you can get a friend's laptop and test your network?
  • TechnicalJayTechnicalJay Member Posts: 219 ■■■□□□□□□□
    bigdogz wrote: »
    Just call them and tell them that you have slow connectivity.

    Is there a way you can get a friend's laptop and test your network?

    Yes I tested out a laptop with the same game I play(Path of Exile) and the exact same thing basically right away after I start playing. I let wire shark run in the background and caught a lot of bad tcp packets and also out of order packets. Is it safe to post everything listed on wire shark for you to glance over? Do I have to black anything out such as source etc?
  • nemorisingnemorising Member Posts: 20 ■■■□□□□□□□
    Well I think speedtest shows the download/upload capacity of the line (shared line if you have a home connection), but check out the ping, if it over 100-110ms, (with the near server that you ping during speedtest) the browsing sometimes tends to be slow.
    Also you can even check connections per minute. In my opinion this number shows the shared users that share the same link to the ISP node, bigger the number, slower the connection. In simple words, you may have a 300 Mbps connections, but if the ISP device on your area has only 20 Gbps, it means all the users in you area share this capacity. You can try the speedtest.net or speed.io
    Don`t forget that sometimes the physical line, if the physical line parameters are lower than the standard (upstream/downstream), your connection time to time will be awful.

    I don`t think you need wireshark for this thing.

    p.s: don`t forget to give it a try to the public DNS, 8.8.8.8 or 4.2.2.2 etc, maybe your ISP DNS are not that good
    CISSP
  • OfWolfAndManOfWolfAndMan Member Posts: 923 ■■■■□□□□□□
    Yes I tested out a laptop with the same game I play(Path of Exile) and the exact same thing basically right away after I start playing. I let wire shark run in the background and caught a lot of bad tcp packets and also out of order packets. Is it safe to post everything listed on wire shark for you to glance over? Do I have to black anything out such as source etc?

    If you're being NATed going out (Which is most likely), then your IP space will show as private, which means non-routable on the internet. Hence, you displaying packets as safe. The destination IPs will be apparent though, so if there's something there you want to hide, go ahead. You can use tracewrangler if you want to anonymize your packets here:

    https://www.tracewrangler.com/

    However, it takes some reading to understand and use the tool, so don't go out of your way unless it's necessary.

    I recommend you follow the troubleshooting methods below before proceeding. Wireshark directly on your laptop is not accurate as the host machine usually utilizes checksum offloading (Offloads checksum function from the CPU to the NIC, making all checksums in your capture wrong), and other aspects, but it can work. Try this first.

    1. Use a different device and try out the same things (Youtube/google), on your smartphone would prob be easiest, but a separate device helps (EDIT: Didn't see you already tried that. Disregard)
    i. If this fixes it, you know it's specific to your PC. Since you're experiencing everything being slow, it's probably a hardware issue, but software could be a factor
    2. Have you swapped your ethernet cords?
    i. If you are using a cable, go into the interface properties and make sure it's not running half/10, half/100, full/10, etc. Obviously, this is a physical issue with either the cable or adapter.
    3. Have you swapped the cable between the modem router and the wall?
    4. If you're using a wireless connection, run a spectrum analyzer program or application to make sure your SSID's (Network Name) channel isn't subject to interference from other SSIDs. If you are running 2.4 GHz, it's more likely you may be if others are in close proximity to you.

    The reason you should look at those first is because packet issues that aren't physical related tend to be more application-specific, not globally applicable (Not all the time though).

    If all else fails, what are the "black" packets? Out of order packets usually represent possible routing asymmetry, but not always bad as there is such thing as a simultaneous TCP open (P2P for example).

    So the best thing you can do is if you know it's not physical (Which it sounds like it's not the modem router), send the pcap over. What else do you see? Duplicate ACKs? Retransmissions? Spurious retransmissions? Fast retransmits? ACKed segment not unseen (Usually the analyzer can't keep up with the stream in that case).

    The most important part about a packet capture is two things: The three way handshake (If it's TCP), and the deltas (Time between each packet in a sequence).
    :study:Reading: Lab Books, Ansible Documentation, Python Cookbook 2018 Goals: More Ansible/Python work for Automation, IPSpace Automation Course [X], Build Jenkins Framework for Network Automation []
  • thomas_thomas_ Member Posts: 1,012 ■■■■■■■■□□
    To piggyback off of what nemorising said, you may want to see if you experience the issue at different times throughout the day especially at non-peak times. It might be worth it to wake up in the early morniing one day to see if there's a change. If it's significantly faster then your issue is caused by what nemorising said and you may want to look into other options.
  • DAVIS NGUYENDAVIS NGUYEN Member Posts: 1,472 ■■■□□□□□□□
  • nemorisingnemorising Member Posts: 20 ■■■□□□□□□□
    It`s not a thread of passing an exam ...... wrong tab I guess icon_wink.gif
    CISSP
  • ImYourOnlyDJImYourOnlyDJ Member Posts: 180
    nemorising wrote: »
    p.s: don`t forget to give it a try to the public DNS, 8.8.8.8 or 4.2.2.2 etc, maybe your ISP DNS are not that good

    ^This. I've ran into this more than once.
Sign In or Register to comment.