The bottom line is, of course, how to analyze HTTP problems, and that is what this recipe is all about. HTTP problems can happen because of a slow server or client, TCP performance issues, and some other reasons that we will see in this recipe.
When you experience bad performance while browsing the Internet, connect Wireshark with a port mirror to the PC that experiences the problem; when the whole network suffers from bad performance, port mirror the connection to the Internet.
There can be various reasons for a slow browsing problem, and we'll try to figure it out step-by-step. The steps are given as follows:
Don't forget to look at the network and IT environment as a whole. You cannot separate TCP from HTTP, or the DNS problems from the slow browsing of applications. You may have a very slow HTTP server, and because of its slow responses, you will get TCP retransmissions. Or, because of a slow DNS server, you will get a web page that opens after many seconds. Just go step-by-step and isolate the problems.
When you open a web page for the first time, it can take a few seconds. In this case, you should check the following conditions:
http.response.code >= 400
and see how many errors you get. In the following sections, we see several examples of what you should pay attention to.
A simple example for a client error is presented in the following screenshot. To get to this window, perform the following steps:
/poker-client/broadcast.htm (marked as 1 and 3 in the preceding screenshot)
http://www.888poker.com/poker-client/promotions.htm (marked as 2 in the preceding screenshot)
Just to clarify things, I was not playing Poker, I was working on a networking problem.
You can get a service unavailable (code 503) status for various reasons. In the following example, a small office has the following complaint: they can browse Facebook, but the moment they click on a link on this site, the new page comes back as blocked. In the following screenshot, you can see that the problem was simply a firewall that blocked it (obviously).
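The same error count can be taken outside the GUI. This is an added example, not code from the book: it tallies responses with a status code of 400 or higher (field http.response.code) from tshark field output and lists slow responses. The sample rows, the host names, the 1-second threshold and the function names are constructed assumptions.

```python
from collections import Counter

# Constructed sample of tab-separated tshark output (not a real capture), as produced by:
#   tshark -r capture.pcapng -Y "http.response" -T fields \
#     -e frame.number -e ip.src -e http.response.code -e http.time -e http.response_for.uri
SAMPLE = "\n".join([
    "12\t192.0.2.10\t200\t0.041\thttp://shop.example/index.html",
    "19\t192.0.2.10\t404\t0.038\thttp://shop.example/client/broadcast.htm",
    "27\t192.0.2.10\t404\t0.040\thttp://shop.example/client/broadcast.htm",
    "33\t198.51.100.7\t503\t0.002\thttp://social.example/link?id=1",
    "41\t192.0.2.10\t200\t2.750\thttp://shop.example/promotions.htm",
    "48\t192.0.2.10\t\t\t",  # row with empty fields: skipped by parse()
])

def parse(text):
    """Yield (frame, server, code, seconds, uri) for each complete row."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 5 or not parts[2] or not parts[3]:
            continue  # malformed or incomplete row
        frame, server, code, secs, uri = parts
        yield int(frame), server, int(code), float(secs), uri

def summarize(text, slow_after=1.0):
    """Tally >= 400 responses and list responses slower than slow_after seconds."""
    errors = Counter()
    slow = []
    for frame, server, code, secs, uri in parse(text):
        if code >= 400:  # same condition as the display filter
            kind = "client" if code < 500 else "server"
            errors[(server, code, kind, uri)] += 1
        if secs >= slow_after:  # http.time: delay between request and response
            slow.append((frame, server, secs, uri))
    return errors, slow

if __name__ == "__main__":
    errors, slow = summarize(SAMPLE)
    for (server, code, kind, uri), n in errors.most_common():
        print(f"{n}x {code} ({kind} error) from {server}: {uri}")
    for frame, server, secs, uri in slow:
        print(f"frame {frame}: {server} took {secs:.3f}s for {uri}")
```

Repeated 4xx codes on one URI point at a broken link or client request, while a slow 200 points at server response time, which is the split between error analysis and performance analysis this recipe makes.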
In standard HTTP browsing, you should see a very simple pattern as follows:
GET command.
In most cases, opening a web page will open multiple connections, in many cases tens of them. For example, when you open a news page (www.cnn.com, www.foxnews.com, www.bbc.co.uk), it opens the main page, news bars, commercials, temperature window, connections to other sites, and more. Don't be surprised if a single page opens nearly a hundred connections, or even more.
In the case of a web page that opens multiple connections (as most web pages do), each connection requires a DNS query, response, TCP SYN-SYN/ACK-ACK, and HTTP GET; only then will the data start to appear on your screen.
When you don't see anything in the packet details pane, right-click on a packet and choose Follow TCP stream. This will give you a detailed window (as in the preceding screenshot), which provides you with a lot of data for the connection.
Another tool that is widely used for HTTP is Fiddler. It can be found at http://fiddler2.com/. Fiddler is a free tool that is intended for HTTP debugging. It is not in the scope of this book.