Resolution to a very slow network

0

For some reason I have a very slow network (~10kbps over a 100mbps network). It only happens in office hours, which leads me to believe that someone is bottlenecking the network. I need to find out who it is. I have approximately 60 nodes on the network and all PCs are connected to a main switch which then connects to our main router. I am interested in any suggestions on how to find out the cause of this very slow network. I have heard of using Wireshark, but I am not sure how to use it at all, so any suggestions would be very helpful, and links to any resources where I could learn would be invaluable. Thanks in advance.

Anthony Broadbent

Posted 2015-10-09T09:27:37.460

Reputation: 103

Turn off the router and see who complains about uTorrent not working ;) – DavidPostill – 2015-10-09T10:46:07.310

Horses for courses. Wireshark is not an appropriate tool to use as the first step in diagnosing performance issues. Looking at basic traffic stats and counters on your router is the place to start. – qasdfdsaq – 2015-10-09T11:46:05.860

@DavidPostill, good reply, I like it. I've also had a look at the links and there is some good advice. – Anthony Broadbent – 2015-10-09T12:56:50.297

@qasdfdsaq I probably should have said but the internet connection is working fine. If I plug a device into the router there is no speed issue. This is just on the internal network. – Anthony Broadbent – 2015-10-09T12:56:54.200

In that case (sorry, everyone else seems to have assumed an internet-related problem) start off with basic network diagnostics. Between which points is it slow? What is the latency, packet loss, link rate and mode and other basic performance figures? – qasdfdsaq – 2015-10-09T16:16:36.850

Could it be an ARP storm or something like that, which only affects the LAN? That should be visible without any additional setup by just sniffing LAN traffic, as the issue would be caused by excess broadcast traffic flooding the LAN. – zagrimsan – 2015-10-10T13:08:17.553

Answers

1

Via Wireshark you normally catch only communication that belongs to your network card. If you want to see all the communication in the network, then you need to have a network card with promiscuous mode. Most of the cards can't work in this mode. If you have such a card, then you can use Wireshark to sniff all the communication, but if it is a wired connection to a switch, you need to be connected in some place where you can catch all the communication, which in your case means between the router and the switch.

Another approach (and the first thing I would try) is to check administration in the router, or in the switch if it doesn't provide enough information there. It depends on the type you have there.

There are also other useful apps for network monitoring. See the following link: http://www.techrepublic.com/blog/five-apps/five-free-dead-easy-ip-traffic-monitoring-tools/ The Colasoft Capsa seems to be exactly what you want.

Anyway, I am sorry I am not very specific here, but it is a general question so it requires a general answer.

bujon

Posted 2015-10-09T09:27:37.460

Reputation: 126

Switches don't usually (ever?) pass the traffic of other nodes to any single node unless that node is connected to a port that is set to a "monitor" status or something like that. Thus you can't see the traffic of others even if the NIC is set to promiscuous mode (except for broadcasts). With hubs it's a different story, but having 60 nodes behind a hub would itself be a recipe for a slow network :) – zagrimsan – 2015-10-09T11:52:56.560

@zagrimsan: That's why he specifically said the computer has to be between the router and the switch. – qasdfdsaq – 2015-10-09T16:15:47.937

@qasdfdsaq True, but for someone who doesn't know how switches (and routers) work, that might seem to mean that they can add e.g. a desktop switch between the switch and the router and sniff from there, which would not work. The most hassle-free option would anyway be to configure the switch or the router so that they mirror all traffic to a spare port where the sniffer is listening. Putting a box between the two devices would require two NICs and configuring the networking accordingly, which to me sounds like a more complex task. – zagrimsan – 2015-10-10T13:04:01.790
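The ARP-storm and port-mirroring suggestions in this thread both end with a capture file that has to be interpreted. As an added example (not code from any poster), this Python parses a capture saved in classic pcap format and ranks source MACs by bytes sent, broadcast frames and ARP frames; the function names are hypothetical and the MAC addresses and frames in `build_sample_pcap` are constructed.

```python
import struct
from collections import Counter

BROADCAST = b"\xff" * 6
ETH_ARP = 0x0806

def mac(raw):
    return ":".join(f"{x:02x}" for x in raw)

def summarize_pcap(data):
    """Rank source MACs by bytes, broadcast frames and ARP frames (classic pcap)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None or len(data) < 24:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet captures (linktype 1) are handled")
    by_bytes, by_bcast, by_arp = Counter(), Counter(), Counter()
    off, frames = 24, 0
    while off + 16 <= len(data):
        _, _, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < incl_len:   # capture file cut off mid-record
            break
        if incl_len < 14:           # too short to hold an Ethernet header
            continue
        frames += 1
        src = mac(frame[6:12])
        by_bytes[src] += orig_len   # on-the-wire size, even if snaplen trimmed it
        if frame[0:6] == BROADCAST:
            by_bcast[src] += 1
        if struct.unpack("!H", frame[12:14])[0] == ETH_ARP:
            by_arp[src] += 1
    share = sum(by_bcast.values()) / frames if frames else 0.0
    return {"frames": frames, "broadcast_share": share,
            "top_bytes": by_bytes.most_common(5),
            "top_broadcast": by_bcast.most_common(5),
            "top_arp": by_arp.most_common(5)}

def build_sample_pcap():
    """Constructed capture: host ...01 floods broadcast ARP, ...02 sends unicast IPv4."""
    a, b, c = (bytes.fromhex("02000000000%d" % i) for i in (1, 2, 3))
    def eth(dst, src, ethertype, payload_len):
        return dst + src + struct.pack("!H", ethertype) + bytes(payload_len)
    sample = [eth(BROADCAST, a, ETH_ARP, 46)] * 8 + [eth(c, b, 0x0800, 1486)] * 2
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(sample):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out
```

On a mirror port that carries 802.1Q-tagged frames, the ethertype at this offset is 0x8100, so ARP inside a VLAN tag is not counted by this version.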