I’m going to start sharing little techie tidbits that require me to go scour the Internet for exactly how to do them, in hopes of making you able to do it in a lot less time than it took me!
So I’m having trouble with connection times spiking to an Amazon Web Services ELB, so it’s time to break out the tcpdump to take packet traces and the wireshark (was ethereal long ago) to analyze it. I’m on OSX El Capitan (10.11.6).
tcpdump comes on OSX (or if it doesn’t, something installed it without me knowing!). Step one is figure out what network interface you want to dump. This will list all your network interfaces.
Then, run a packet trace on that interface. I’m using en0 the primary wireless interface, so I run:
sudo tcpdump -i en0 -s 0 -B 524288 -w ~/Desktop/DumpFile01.pcap
I go to another window and hit the URL I’m having trouble with – you can use whatever, but I used ab (Apachebench) which comes with OSX. Other popular URL-hitters you might install are curl, wget, and siege.
ab -n 10 http:///
Then come back and control-C out of the tcpdump capture. Now I have a network dump of me hitting that URL (plus whatever other shenanigans my computer was up to at the time, so there’s probably a lot of noise in there from chat clients etc.).
Now to analyze it – wireshark. I had to go a couple rounds with the installation.
If you want the UI you need to install it as:
brew install wireshark --with-qt
(If you just install wireshark without –with-qt you don’t get wireshark, you get a command line called tshark, and then you need to reinstall…) For this, as with most things, you need Xcode or at least the Xcode command line tools (I always just install the tools). You install them with:
But if you have an older version (<8.2.1) the wireshark build will fail. To update the command line tools, you… Apparently you don’t any more. The App Store doesn’t offer Command Line Tools updates and Apple has gotten more unclear and squirrelly about whether they’re even a thing. So I just installed full XCode from the App Store, whatever, it’s just network and disk space and contributing to the heat death of the universe, but I’m not bitter, and then it builds.
Optionally if you want to capture from within wireshark on your local box instead of having to tcpdump separately also do
brew cask install wireshark-chmodbpf
But to analyze your tcpdump file just run
And load in the capture file. The quickest way to then sort into what you want is to find one part of a transaction of interest – like in my case by filtering on “http” or just looking around – and then right-clicking on one packed and saying “Follow… HTTP stream” and you get a whole transaction end to end.
And now you test out your TCP/IP network admin knowledge by rooting through and seeing if you can find what’s going wrong!