How to pinpoint which process/activity/software/protocol is slowing down LAN on a single computer

Question

From this question about debugging our business LAN I've been able to pinpoint a single computer which slows down our network.

When the computer is turned on and connected to the network, roughly 5% of all site interactions (that is, clicks on links in a website) are slowed down to a great extent, sometimes rendering a page after 40 seconds instead of the regular one or two seconds.

When we disconnect the computer, network load goes smoothly.

We have a managed Cisco catalyst switch, a Cisco ASA-5505 firewall, as well as some monitoring tools (wireshark and nmap).

The computer serves as a photo server (using iPhoto) and transmits some information between the computers of our network.

How can I trace down and/or monitor my network or computers activity in a way that will allow me to know, on a single definite computer connected to the network, what process/protocol/activity is slowing the network?

One way might be to run Microsoft Network Monitor on the machine and look at the process or processes responsible for the most network traffic. — joeqwerty, Nov 26 '14 at 17:57
@warren most machines use Mac OS 10.6 or higher, we have one windows box. the supposedly confilcting computer is running mac OS X — Félix Gagnon-Grenier, Dec 01 '14 at 19:41

Kyle Brandt · Accepted Answer · 2014-11-26T18:18:27.020

When it comes to a single computer, generally you want to get a packet capture and then do some analysis on the packet capture that includes things like:

Protocol Breakdown
Packets Per second
Top senders receivers etc

I recommend using wireshark or maybe Microsoft Network Monitor. With Network Monitor you will get a process breakdown of the capture which can be helpful (If you happen to be on Windows):

enter image description here

You probably want to run it with admin privileges for this.

It is also possible the NIC is malfunctioning. So check the packet rates and various error counters on the switch side for that interface. You could also monitor the switchport by using your switch's "port monitor" functionality. If something like this is going on, I would expect the LAN to get slow (i.e. computer to computer) and not just the Internet.

score 3 · Answer 2 · answered Nov 26 '14 at 23:29

You do not mention OS of the problematic machine? So I'll answer from perspective of GNU/Linux distribution (like Debian), although part of the answer is multiplatform.

As mentioned, iptraf(8) or Wireshark will tell you what IPs/ports are problematic, but not what application generated them. You might be able check that with netstat(8):

netstat -tupn

(it will show you which ports are used by which program, but usually only if those are longer lived connections).

However, I'd recommend tools like ntop to get easier overview.

Also, ifconfig(8) will tell you if there are any errors, carrier, overrun problems etc. If there are, try changing cable, port on the switch or (in the end) network card (or its drivers) in problematic machine.

score 2 · Answer 3 · answered Nov 27 '14 at 00:53

You speak about the computer being an iPhoto server, I suspect that you have iCloud enabled or another similar cloud backup in this system that is uploading your whole library of photos. And by saturating the upload it's stalling some of the downloads because some tcp ack packets get lost. That would explain your 800gb.

I would get a packet capture with wireshark to see where is the data going, and then look for the culprit.

score 1 · Answer 4 · answered Nov 27 '14 at 06:55

The router/firwall I use are Mikrotik and the screen cap below is from a tool called Torch on my Mikrotik router. I am unsure how you would do this in Cisco but I have to believe there is an analog.

As shown in the image, I'm filtering traffic on my LAN interface (ether-2) whose source is 192.x.x.7. In this case I'm keeping connections for 30s after they close (Entry Timeout value) but in a case like yours might set that as high as a couple of hours. The most interesting info is the dst ip address and port.

Using a tool like this right on the router I can see exactly how much traffic is getting sent/received per host:port and protocol. Since you've already identified the problem machine, I'd filter to that machine's IP (as I've done in the image). Then, sorting by Rx Rate you'd see the biggest uploads happening and what port they are both coming from and going to. Using well known ports I can narrow down to what application is causing it. If not a well know port or for whatever reason, you can run a netstat on the machine to see what application is using that port (different OS use diff switches so just look it up or specify your OS and I'll try to answer.)

This is a lot quicker/easier than capturing frames in wireshark (and needing a hub or promiscuous port to do so) then analyzing them and in many cases this will get you your answer or most of the way there.

I don't have enough rep points to attach the image so here's a link to grab it off my server: https://gofile.me/2dNUM/226jmtoI

Sorry for having to cover up so much of the info but I think you'll get the idea.

Just to add a bit more - some quick googling seems to suggest a product called LMS or another called SFlow will have similar functionality to Torch but in Cisco land. HTH. — JoelAZ, Nov 27 '14 at 19:12
thanks man. I appreciate this. Still in the dark but getting closer. — Félix Gagnon-Grenier, Nov 28 '14 at 23:28

How to pinpoint which process/activity/software/protocol is slowing down LAN on a single computer

How can I trace down and/or monitor my network or computers activity in a way that will allow me to know, on a single definite computer connected to the network, what process/protocol/activity is slowing the network?

4 Answers4

Linked