Wireshark 101: Understanding High Latency

Today on HakTip, Shannon explains high and low latency, and how to determine which machine is causing the latency via Wireshark.

We have discussed high latency a bit in my previous HakTip, but I wanted to go into it with some more detail. As you look at packets in a Wireshark capture, you'll notice that with a normal connection, your transmission happens in under a second.

Now if you look at a few packets with slow communication, each one shows a delay of almost a second. This is called wire latency, because the slowness is happening on the wire, not at the source or destination.

Now what if the slow packet happens to be the HTTP GET request? In this case the only latency is coming from the client, so there must be an issue on the client's machine.

Lastly, if the slow packet is an HTTP packet from the server, we know HTTP has to go through the application layer and takes some processing, so the server must be having an issue processing that packet.
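The three cases above, as an added example (not code from the show): a Python script that reads rows in the column layout of Wireshark's packet-list CSV export, computes each packet's delay from the previous one, and attributes slow packets to the wire, the client or the server. The sample rows, the 0.5-second threshold, and the rule that a zero-length TCP segment involves no application processing (so a delay on it is charged to the wire) are assumptions made for this example.

```python
import csv, io, re

# Constructed sample in the column layout of Wireshark's packet-list CSV export.
# Addresses, ports and timings are illustrative, not taken from the video's capture.
SAMPLE = '''"No.","Time","Source","Destination","Protocol","Length","Info"
"1","0.000000","192.0.2.10","198.51.100.5","TCP","66","50000 > 80 [SYN] Seq=0 Len=0"
"2","0.878000","198.51.100.5","192.0.2.10","TCP","66","80 > 50000 [SYN, ACK] Seq=0 Ack=1 Len=0"
"3","0.879000","192.0.2.10","198.51.100.5","TCP","54","50000 > 80 [ACK] Seq=1 Ack=1 Len=0"
"4","1.910000","192.0.2.10","198.51.100.5","HTTP","420","GET / HTTP/1.1"
"5","1.950000","198.51.100.5","192.0.2.10","TCP","54","80 > 50000 [ACK] Seq=1 Ack=367 Len=0"
"6","2.930000","198.51.100.5","192.0.2.10","HTTP","1200","HTTP/1.1 200 OK  (text/html)"
'''

def classify(csv_text, threshold=0.5):
    """Return (packet_no, delta_seconds, verdict) for each packet slower than threshold."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    client = rows[0]["Source"]  # assumption: the export starts with the client's SYN
    findings = []
    for prev, cur in zip(rows, rows[1:]):
        # Same value as Wireshark's "delta from previous displayed packet"
        delta = round(float(cur["Time"]) - float(prev["Time"]), 6)
        if delta < threshold:
            continue
        length = re.search(r"Len=(\d+)", cur["Info"])
        if cur["Protocol"] == "TCP" and length and length.group(1) == "0":
            verdict = "wire"    # empty segment: no application work on either host
        elif cur["Source"] == client:
            verdict = "client"  # client was slow to send its request
        else:
            verdict = "server"  # server was slow to produce application data
        findings.append((int(cur["No."]), delta, verdict))
    return findings

if __name__ == "__main__":
    for no, delta, verdict in classify(SAMPLE):
        print(f"packet {no}: +{delta:.3f}s -> {verdict} latency")
```

Export a single conversation (for example, after following one TCP stream) so that consecutive rows belong to the same exchange, and set the threshold from your own baseline.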

Next up is a network baseline. Knowing your network baseline is important in figuring out network issues. A baseline is an understanding of what kind of latency your network usually runs at, and what you should normally expect.

If you need a site baseline, you'd probably want to record normal protocols in use, broadcast traffic, authentication sequences, and data-transfer rates. For a host baseline, record the protocols, idle and busy traffic and times, startups and shutdowns, authentication sequences, and associations and dependencies. For an application baseline, you'd want to pay attention to protocols, startup and shutdown procedures, associations and dependencies, and data-transfer rates.

Depending on how busy your network might become (e.g. a bank has its busiest hours during lunch time, and it dies off in late morning or when they are closed), you might want to make several baselines for different times of day. Keep your baseline secure, and make your own .pcap files of each.

Let me know what you think. Send me a comment below or email us at tips@hak5.org. And be sure to check out our sister show, Hak5, for more great stuff just like this. I'll be there, reminding you to trust your technolust.