
By Boris Rogier

How Wireshark users can scale their network troubleshooting capabilities

Wireshark is the most famous protocol and packet analyzer on the market! Almost every engineer uses Wireshark for troubleshooting network/application issues.

What is the value that NAPM solutions such as Skylight can bring to these experienced Wireshark users? There are three main sources of added value that NAPM solutions provide when compared with traditional packet analysis. Indeed, you cannot use a packet analysis solution such as Wireshark if you do not have an NAPM solution in place. Here is why:

[Figure: Wireshark console view]
  • Keeping a history of what happened: Most degradations are reported after they have taken place. Most performance degradations are non-continuous, intermittent phenomena and cannot be analyzed at any time you choose. To diagnose a performance degradation, you must have a historical view of performance. Wireshark is based on packet analysis, and it is unfeasible to retain several days of network traffic just to be able to diagnose what happened.
  • Having an overview of what happened: Let’s assume that you have retained several days’ worth of network traffic. Your next challenge will be to locate which traffic needs to be inspected. This is a task that is almost impossible, as:
  1. End-user complaints provide very vague information about what precisely happened and when
  2. Wireshark provides only a microscopic view of what happened, and you first need a macroscopic view of IT performance and usage to locate where there was a degradation (which application, for which users, which transactions) and when
  3. Assuming that you have located which clients had a degradation with which servers at a precise time, the analysis of every conversation will take 10 minutes (assumption), and you may have to review tens of them
  • Viewing application transactions and performance indicators

Wireshark shows packets in great depth … but does not provide clear information about transactions (e.g., URLs, SQL operations) and their response times. Every piece of information of that kind has to be calculated manually, which takes an enormous amount of time for every transaction that you would like to analyze.
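To make the manual calculation concrete, here is an added example (not Accedian's or Skylight's code, and not from the original post) that does in a few lines what an analyst otherwise does by hand in Wireshark: it pairs each HTTP request with its response on the same TCP flow, derives a per-transaction response time, and aggregates those times per URL so that the slow or unanswered transactions stand out. The packet summaries are constructed for the example and mimic the "Info" column of a dissector; the assumption that each flow carries one outstanding request at a time (HTTP/1.1 without pipelining) is an assumption of this example, not a statement about any product.

```python
"""Derive HTTP transaction response times from decoded packet summaries and
aggregate them per URL (added example; constructed data, no live capture)."""
from collections import defaultdict
from statistics import mean
from typing import Dict, List, NamedTuple, Optional, Tuple


class Pkt(NamedTuple):
    ts: float       # capture timestamp in seconds
    src: str
    sport: int
    dst: str
    dport: int
    info: str       # decoded first line, as a dissector's Info column would show it


# Constructed sample: two clients talking to one web server.
# One /report call is slow, and a second /report request never gets a response.
PACKETS: List[Pkt] = [
    Pkt(100.000, "10.0.0.11", 51000, "10.0.0.5", 80, "GET /login HTTP/1.1"),
    Pkt(100.042, "10.0.0.5", 80, "10.0.0.11", 51000, "HTTP/1.1 200 OK"),
    Pkt(100.500, "10.0.0.12", 52000, "10.0.0.5", 80, "GET /report HTTP/1.1"),
    Pkt(100.600, "10.0.0.11", 51000, "10.0.0.5", 80, "GET /home HTTP/1.1"),
    Pkt(100.635, "10.0.0.5", 80, "10.0.0.11", 51000, "HTTP/1.1 200 OK"),
    Pkt(103.700, "10.0.0.5", 80, "10.0.0.12", 52000, "HTTP/1.1 200 OK"),
    Pkt(104.000, "10.0.0.12", 52000, "10.0.0.5", 80, "GET /report HTTP/1.1"),
]


class Txn(NamedTuple):
    client: str
    server: str
    url: str
    start: float
    response_time: Optional[float]   # None when no response was observed


METHODS = {"GET", "POST", "PUT", "DELETE", "HEAD"}


def is_request(info: str) -> bool:
    return info.split(" ")[0] in METHODS


def is_response(info: str) -> bool:
    return info.startswith("HTTP/")


def pair_transactions(packets: List[Pkt]) -> List[Txn]:
    """Match each request to the next response on the reverse flow.
    Assumption: one outstanding request per flow (HTTP/1.1, no pipelining)."""
    pending: Dict[Tuple[str, int, str, int], Txn] = {}
    done: List[Txn] = []
    for p in sorted(packets, key=lambda p: p.ts):
        if is_request(p.info):
            flow = (p.src, p.sport, p.dst, p.dport)
            if flow in pending:                 # earlier request on this flow was never answered
                done.append(pending.pop(flow))
            url = p.info.split(" ")[1]
            pending[flow] = Txn(p.src, p.dst, url, p.ts, None)
        elif is_response(p.info):
            flow = (p.dst, p.dport, p.src, p.sport)   # reverse direction of the request
            req = pending.pop(flow, None)
            if req is not None:
                done.append(req._replace(response_time=round(p.ts - req.start, 3)))
    done.extend(pending.values())               # requests still unanswered at end of capture
    return sorted(done, key=lambda t: t.start)


def summarize_by_url(txns: List[Txn]) -> Dict[str, dict]:
    """The macroscopic view: per-URL count, unanswered count, average and max response time."""
    times: Dict[str, List[float]] = defaultdict(list)
    unanswered: Dict[str, int] = defaultdict(int)
    for t in txns:
        if t.response_time is None:
            unanswered[t.url] += 1
        else:
            times[t.url].append(t.response_time)
    summary = {}
    for url in set(times) | set(unanswered):
        rts = times.get(url, [])
        summary[url] = {
            "count": len(rts) + unanswered[url],
            "unanswered": unanswered[url],
            "avg": round(mean(rts), 3) if rts else None,
            "max": max(rts) if rts else None,
        }
    return summary


def slow_transactions(txns: List[Txn], threshold_s: float) -> List[Txn]:
    """Return the individual transactions worth opening in the packet analyzer."""
    return [t for t in txns if t.response_time is not None and t.response_time > threshold_s]


if __name__ == "__main__":
    txns = pair_transactions(PACKETS)
    for url, stats in sorted(summarize_by_url(txns).items()):
        print(url, stats)
    for t in slow_transactions(txns, threshold_s=1.0):
        print("slow:", t)
```

The per-URL summary is the view you need first (which URL, for which client, how slow); the `slow_transactions` list then tells you exactly which conversation to open in Wireshark, instead of reviewing tens of them one by one.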

  • Saving time

If you had the chance to have all that data available, proper feedback from your users, and some luck… you would still need tens of hours to obtain the information that you could have in one minute with Skylight. What Skylight does is automate the calculations that you would perform for one transaction and apply them to hundreds of millions of transactions each hour.

No need to uninstall Wireshark; it is definitely a great tool. However, it may be worthwhile taking a closer look at how you could benefit from combining it with a solution such as Skylight, to take your troubleshooting capabilities to the scale and complexity of your IT organization now.