Wireshark 101: Understanding High Latency, HakTip 136

Published 16 Oct 2024
Hak5 -- Cyber Security Education, Inspiration, News & Community since 2005:

Today on HakTip, Shannon explains high and low latency, and how to determine which machine is causing the latency using Wireshark.

We discussed high latency a bit in my previous HakTip, but I wanted to go into it in more detail. As you look at the packets in a Wireshark capture, you'll notice that with a normal connection each transmission happens in well under a second.

Now, if you look at a few packets from a slow conversation, they show up with gaps of almost a second each. This would be called wire latency, because the slowness is happening on the wire, not at the source or the destination.

Now, what if the slow packet happens to be the HTTP GET request? In this case the only latency is coming from the client, so there must be an issue on the client's machine.

Lastly, if the slow packet happens to be the HTTP response from the server: HTTP has to go through the application layer, and that takes some processing, so the server must be having an issue processing that request.

Next up is a network baseline. Knowing your network baseline is important in figuring out network issues. A baseline is an understanding of what latency your network usually runs at, and what you should normally expect.

For a site baseline, you'd want to record the normal protocols in use, broadcast traffic, authentication sequences, and data-transfer rates. For a host baseline, record the protocols, idle and busy traffic and times, startups and shutdowns, authentication sequences, and associations and dependencies. For an application baseline, pay attention to protocols, startup and shutdown procedures, associations and dependencies, and data-transfer rates. Depending on how busy your network gets (e.g. a bank is busiest during lunch time, and traffic dies off in the late morning or when it is closed), you might want to make several baselines for different times of day. Keep your baselines secure, and save your own .pcap files of each.

Let me know what you think. Send me a comment below or email us at tips@hak5.org. And be sure to check out our sister show, Hak5, for more great stuff just like this. I'll be there, reminding you to trust your technolust.
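The rule of thumb from the description (which frame carries the large time gap: a handshake frame, the client's GET, or the server's HTTP response) as an added Python example; this is not code from the video or from Hak5. It runs over a constructed, tshark-style packet list with made-up addresses, reproduces Wireshark's per-frame delta, and also measures the request-to-response gap directly.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    t: float   # frame.time_relative: seconds since the first frame of the capture
    src: str
    dst: str
    info: str  # what tshark shows in its Info column

# Constructed sample of one HTTP fetch (client 10.0.0.5, server 198.51.100.7 are
# made-up). The 0.93 s gap before the 200 OK is the "slow server processing" case.
SAMPLE = [
    Packet(0.000, "10.0.0.5", "198.51.100.7", "[SYN]"),
    Packet(0.020, "198.51.100.7", "10.0.0.5", "[SYN, ACK]"),
    Packet(0.021, "10.0.0.5", "198.51.100.7", "[ACK]"),
    Packet(0.050, "10.0.0.5", "198.51.100.7", "GET /index.html HTTP/1.1"),
    Packet(0.980, "198.51.100.7", "10.0.0.5", "HTTP/1.1 200 OK"),
]

def delta_times(packets):
    """Same value as Wireshark's frame.time_delta: gap from the previous frame."""
    return [0.0] + [b.t - a.t for a, b in zip(packets, packets[1:])]

def classify_slow_frames(packets, client_ip, threshold=0.5):
    """Apply the HakTip rule of thumb to every frame whose delta exceeds threshold."""
    verdicts = []
    for i, (pkt, delta) in enumerate(zip(packets, delta_times(packets))):
        if delta < threshold:
            continue
        is_http = pkt.info.startswith(("GET ", "POST ", "HTTP/"))
        if not is_http:
            where = "wire"    # slow TCP handshake/ACK frame: delay on the path
        elif pkt.src == client_ip:
            where = "client"  # client was slow to send its own request
        else:
            where = "server"  # server was slow to produce its HTTP response
        verdicts.append((i, round(delta, 3), where))
    return verdicts

def request_response_latency(packets, client_ip):
    """Seconds from each client HTTP request to the next server HTTP response."""
    results, pending = [], None
    for pkt in packets:
        if pkt.src == client_ip and pkt.info.startswith(("GET ", "POST ")):
            pending = pkt
        elif pending and pkt.src != client_ip and pkt.info.startswith("HTTP/"):
            results.append((pending.info, round(pkt.t - pending.t, 3)))
            pending = None
    return results
```

To use it on a real capture, export the frames from tshark (e.g. `tshark -r capture.pcap -T fields -e frame.time_relative -e ip.src -e ip.dst -e _ws.col.Info`) and build Packet objects from those columns.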

Comments • 16

  • @danieldavis4187 9 years ago +3

    I'm pretty sure the time field is just when the packet arrived (measured in seconds relative to the first packet of the capture). It's not the "latency" of the captured packet. If you want the latency of an HTTP server, you'd need to look at the difference in time between a request packet and its associated response packet.

    • @DanOC1991 9 years ago

      Check the source and destination, these are the request and response packets and hence the difference between them is the lag.

  • @vadlowperminov5215 9 years ago

    Shannon, you're unbelievable, thx for HakTip.

  • @jasperbongertz4866 6 years ago

    The verdict on example 2 sounds a bit hasty to me. Stating that this is caused not by client or server but is "wire latency" doesn't make much sense, unless the term "wire" is supposed to also include devices like firewalls, routers and other middle boxes (you can safely ignore switching delays, which lie in the 100 microsecond range).
    Pure transport speed is about 200,000 km/sec on a wire, so 1 second would be enough to go around the world about five times. So if there's delay it's either the server (very likely) or a network device in the middle (rare). The capture was obviously taken on - or very close to - the client machine (determined by looking at the three-way handshake delta timings), so it's hard to say what caused it without having a capture taken at the server at the exact same time.
    Without the server capture, the verdict should be "not the client, maybe the network, but probably the server". Unless you know something we don't, like having introduced an artificial delay (e.g. using netem on a linux router box) for the purpose of the capture :-)

  • @derajkumar123 3 years ago

    I want to introduce network latency between a Windows and a Linux machine, which should be customizable, say 100 ms. How do I do it?

  • @satishchowdaryp 9 years ago

    Is there any tool that can track the network through which the packets reach the target and give full details about the network devices (routers, switches, etc.)?

  • @haze42082 9 years ago

    I like to keep my baseline clean, d'uh like I totally knew that. When I use my latency with the baseline wireshark kicks in for 1 second data packets. Furthermore I would like to add my http is latent with the network modulator included, thank you!

  • @MsSpy109 9 years ago

    Not the best HakTip. Could have gone into detail with the tools Wireshark has for detecting top talkers and delta/jitter. But it did get the general idea across. This stuff is gold when troubleshooting VoIP call quality, fellas!

  • @Hari-ed5es 6 years ago

    It's really bad, what you have explained here?

  • @AndyPayne42 9 years ago

    A few things: one really good reason to check latency is if you think someone is in the middle between you and the server, which will increase latency. I recommend codebender.cc for sharing or embedding Arduino code with a simple HTML tag -- I like it because all you need is a browser. And funny how there are more "shared on Google+" comments than actual comments, lol, the world is a changin'.

  • @S.C.D. 9 years ago

    OMG, that sounds like work...

  • @haze42082 9 years ago +2

    I think I watch these vids because of the name Hak5. Other than that everything is way over my head, and I have no idea what they're talking about... pretty sad. They need like a Hak0 for complete noobs. I'll probably be hacked just for posting this comment.

    • @FFxO 7 years ago

      BHayes82 haha

  • @cooper01236 9 years ago

    party?