I’m going to start sharing little techie tidbits that require me to go scour the Internet for exactly how to do them, in hopes of making you able to do it in a lot less time than it took me!
So I’m having trouble with connection times spiking to an Amazon Web Services ELB, so it’s time to break out the tcpdump to take packet traces and the wireshark (was ethereal long ago) to analyze it. I’m on OSX El Capitan (10.11.6).
tcpdump comes on OSX (or if it doesn’t, something installed it without me knowing!). Step one is figure out what network interface you want to dump. This will list all your network interfaces.
Then, run a packet trace on that interface. I’m using en0 the primary wireless interface, so I run:
sudo tcpdump -i en0 -s 0 -B 524288 -w ~/Desktop/DumpFile01.pcap
I go to another window and hit the URL I’m having trouble with – you can use whatever, but I used ab (Apachebench) which comes with OSX. Other popular URL-hitters you might install are curl, wget, and siege.
ab -n 10 http:///
Then come back and control-C out of the tcpdump capture. Now I have a network dump of me hitting that URL (plus whatever other shenanigans my computer was up to at the time, so there’s probably a lot of noise in there from chat clients etc.).
Now to analyze it – wireshark. I had to go a couple rounds with the installation.
If you want the UI you need to install it as:
brew install wireshark --with-qt
For this, as with most things, you need Xcode or at least the Xcode command line tools (I always just install the tools). You install them with:
But if you have an older version (<8.2.1) the wireshark build will fail. To update the command line tools, you… Apparently you don’t. The App Store doesn’t offer Command Line Tools updates. So you need to install full XCode from the App Store, then it builds.
Optionally if you want to capture from within wireshark on your local box instead of having to tcpdump separately also do
brew cask install wireshark-chmodbpf
But to analyze your tcpdump file just run
And load in the capture file. The quickest way to then sort into what you want is to find one part of a transaction of interest – like in my case by filtering on “http” or just looking around – and then right-clicking on one packed and saying “Follow… HTTP stream” and you get a whole transaction end to end.
And now you test out your TCP/IP network admin knowledge by rooting through and seeing if you can find what’s going wrong!