If you manage a network, you will eventually be asked one of the most frustrating IT questions of all time: “Why is our network slow?” Sometimes the answer is easy: you call your provider and the problem turns out to be on their end. If it isn’t, your job just became a great deal harder. A number of tools will help you find out what is causing the bottleneck and where the problem originates, but I think the most cost-effective option for small businesses is Wireshark.

Wireshark comes with a slew of features, and one of the handiest is the ability to build filters on the fly while a capture is running; this makes it easy to narrow down what is eating bandwidth on your network. Once you know what is causing the bottleneck, you can act on it to resolve your issue.

I’ll walk you through the process, from installing Wireshark to using it for filtering. By the end, you should know how to troubleshoot what is happening with your network bandwidth.

Installing Wireshark

The Wireshark installation on Windows 7 requires the WinPcap packet capture driver and library; you won’t need to install it separately, as the Wireshark installation wizard will take care of the task. To install on a Windows 7 machine, follow these steps:

  1. Download the installer associated with your platform and architecture.
  2. Double-click the downloaded file.
  3. Walk through the install wizard, making sure the WinPcap component is selected and that the WinPcap driver is set to start at boot time.

You should be able to start Wireshark by going to Start | All Programs | Wireshark. When Wireshark first starts up, you will be greeted by the main window (Figure A).
Figure A: Wireshark’s clean interface has a lot to offer users.

To start a capture, follow these steps:

  1. Click Interface List.
  2. Select the interface to be used (Figure B).
  3. Click Start.

Figure B: I have one interface seeing packets already, so I’ll select that one.

The capture will begin, and color-coded packets should start flying by (Figure C). If you want to save this capture for later viewing, follow these steps:

  1. Go to Capture | Stop.
  2. Go to File | Save.
  3. Give the capture a name.
  4. Click Save.

Figure C: The color-coding makes it easier to read the packets as they fly by.

Since we’re troubleshooting, we want to work with live captures, so leave this one running. Keep in mind that on a switched network a workstation’s interface normally sees only its own traffic plus broadcast and multicast frames; to see the whole segment, capture from a switch mirror (SPAN) port or a network tap, or run the capture on the gateway itself.

Filtering protocols

The easiest way to troubleshoot these types of problems is to filter by protocol. Wireshark makes this incredibly easy: you don’t even have to write a filter expression by hand. You simply view the protocol hierarchy and look for anything suspicious. Here’s how:

  1. With the capture running, go to Statistics | Protocol Hierarchy.
  2. After the hierarchy builds, scan through the resulting window for anything suspect (Figure D).
  3. When you find something that seems untoward, right-click that entry and select Apply As Filter | Selected.

Wireshark will then display only the packets that match the newly created filter. You can clear that filter by clicking the Clear button. If that protocol isn’t the issue, go back to the hierarchy and try again. Most likely, if you’re having an Internet bottleneck due to a flood of traffic, it will show up here. When reading the hierarchy, compare the Bytes column rather than the packet count: a handful of large packets can consume far more bandwidth than a chatty protocol that sends many small ones.

Figure D: Scan through this entire hierarchy, paying close attention to P2P traffic and other protocols that are known to cause issues.
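To make concrete what the hierarchy window is counting, here is an added example (not Wireshark’s code; the frames in it are constructed by hand rather than captured): a toy dissector that builds the same per-protocol packet and byte totals from raw Ethernet frames, applies a protocol as a filter the way Apply As Filter | Selected does, and sorts the leaf entries by bytes to find the bandwidth hog. Wireshark’s real chains have more levels (for example eth:ethertype:ip:udp:dns) and its dissectors are far more thorough; the function names here (protocol_chain, protocol_hierarchy, leaf_rows_by_bytes, apply_as_filter) are this example’s own.

```python
# Added example, not Wireshark's code: a toy re-implementation of what
# Statistics | Protocol Hierarchy computes and what Apply As Filter | Selected
# does. The frames below are constructed by hand for the example, not captured.
import struct
from collections import Counter

ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17


def protocol_chain(frame):
    """Dissect one Ethernet frame into its protocol chain, e.g. ['eth', 'ip', 'udp', 'dns']."""
    if len(frame) < 14:
        return ["eth", "malformed"]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_ARP:
        return ["eth", "arp"]
    if ethertype != ETHERTYPE_IPV4:
        return ["eth", "ethertype-0x%04x" % ethertype]
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return ["eth", "malformed"]
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]      # IPv4 header length, L4 protocol number
    payload = ip[ihl:]
    if proto == IPPROTO_ICMP:
        return ["eth", "ip", "icmp"]
    if proto not in (IPPROTO_TCP, IPPROTO_UDP):
        return ["eth", "ip", "ipproto-%d" % proto]
    is_tcp = proto == IPPROTO_TCP
    chain = ["eth", "ip", "tcp" if is_tcp else "udp"]
    if len(payload) < (20 if is_tcp else 8):
        return chain + ["malformed"]
    sport, dport = struct.unpack("!HH", payload[:4])
    hdr_len = (payload[12] >> 4) * 4 if is_tcp else 8
    if len(payload) > hdr_len:                  # application payload present: classify it
        # Port-based guess, as Wireshark's default dissection does; unrecognised payload is "data".
        if is_tcp and 80 in (sport, dport):
            chain.append("http")
        elif not is_tcp and 53 in (sport, dport):
            chain.append("dns")
        else:
            chain.append("data")
    return chain


def protocol_hierarchy(frames):
    """Packets and bytes per chain prefix, as the Protocol Hierarchy window shows them.

    Each frame is counted at every level of its chain, so 'eth' is always 100%.
    """
    if not frames:
        return []
    packets, nbytes = Counter(), Counter()
    for frame in frames:
        chain = protocol_chain(frame)
        for depth in range(1, len(chain) + 1):
            key = ":".join(chain[:depth])
            packets[key] += 1
            nbytes[key] += len(frame)
    total_pkts, total_bytes = len(frames), sum(len(f) for f in frames)
    return [{"protocol": key, "packets": packets[key], "bytes": nbytes[key],
             "pct_packets": 100.0 * packets[key] / total_pkts,
             "pct_bytes": 100.0 * nbytes[key] / total_bytes} for key in sorted(packets)]


def leaf_rows_by_bytes(rows):
    """Leaf entries (no deeper dissection), largest byte count first: the bandwidth view.
    A protocol with 40% of the packets can carry almost 90% of the bytes, so sort by bytes."""
    keys = {r["protocol"] for r in rows}
    leaves = [r for r in rows if not any(k.startswith(r["protocol"] + ":") for k in keys)]
    return sorted(leaves, key=lambda r: r["bytes"], reverse=True)


def apply_as_filter(frames, protocol):
    """Right-click | Apply As Filter | Selected: keep frames whose chain contains the protocol."""
    return [f for f in frames if protocol in protocol_chain(f)]


# --- constructed sample frames (not a real capture) ---------------------------
def _ipv4_frame(proto, l4_header, payload_len):
    """Ethernet/IPv4 frame from 192.168.1.10 to 10.0.0.1 with a zero-filled payload."""
    eth = bytes.fromhex("00112233445566778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4_header) + payload_len, 0, 0,
                     64, proto, 0, bytes([192, 168, 1, 10]), bytes([10, 0, 0, 1]))
    return eth + ip + l4_header + bytes(payload_len)

def _tcp(sport, dport):  # 20-byte header: data offset 5, PSH|ACK, checksum left zero
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, 0x5018, 65535, 0, 0)

def _udp(sport, dport, payload_len):
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)

SAMPLE_FRAMES = (
    [_ipv4_frame(IPPROTO_UDP, _udp(50000, 53, 40), 40)] * 3            # 3 DNS queries, 82 bytes each
    + [_ipv4_frame(IPPROTO_TCP, _tcp(40000, 80), 200)] * 2             # 2 HTTP requests, 254 bytes each
    + [_ipv4_frame(IPPROTO_UDP, _udp(52000, 52001, 1400), 1400)] * 4   # 4 bulk UDP frames, 1442 bytes each
    + [bytes.fromhex("ffffffffffff66778899aabb0806") + bytes(28)]      # 1 ARP frame, 42 bytes
)

if __name__ == "__main__":
    rows = protocol_hierarchy(SAMPLE_FRAMES)
    for r in rows:
        print("%-18s %3d pkts %6d bytes %6.1f%% pkts %6.1f%% bytes" % (
            r["protocol"], r["packets"], r["bytes"], r["pct_packets"], r["pct_bytes"]))
    hog = leaf_rows_by_bytes(rows)[0]["protocol"]
    print("largest leaf by bytes:", hog, "->", len(apply_as_filter(SAMPLE_FRAMES, hog.split(":")[-1])), "frames")
```

Run it directly to print the table: the undissected bulk UDP stream is 40% of the packets but nearly 88% of the bytes, which is exactly the pattern to look for in Figure D. On a real capture file, Wireshark’s command-line companion tshark prints the same statistic with `tshark -r capture.pcap -q -z io,phs`.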

Once you locate the issue with Wireshark, you can act on the new information. This quick technique should give you all the insight you need to troubleshoot your networking issues.
