Capturing a few million network packets is pretty easy. Then comes the challenge of finding the problem. Here we look at two techniques to inject markers into a trace at the moment a problem occurs.
Introduction
Investigating an intermittent problem is quite challenging. We have seen in earlier blog posts that it's possible to run long-term captures with a tool such as dumpcap, or with any one of the high-capacity capture units that you may have in your estate. We can then use a tool like Wizz to pull out the traffic for a single user, but that may still leave us with several million packets.
What we need is a signpost: some sort of indication that shows where the problem occurred. One way to make life easier is to inject a marker into the trace just after the user has experienced the problem. The marker needs to be distinctive so that we can search for it, and in an enterprise environment we need to be able to do this using what we already have on the desktop.
A very simple way to generate a marker is to use a ping with a distinctive length, but this isn't always appropriate. A ping requires access to a command prompt, which may not be available to a user. At Advance7 we use the TribeLab Trace Marker tool, which can be run from any browser.
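As an added example (not code from this post, from Advance7, or from the TribeLab tool), the script below shows the "distinctive ping" idea end to end: it builds a small constructed pcap containing a handful of ordinary echo requests plus one with an unusual payload length, then scans the trace for that length and reports the frame number and timestamp of the marker, together with the frames in the seconds just before it, which is where the user's problem will be. The 999-byte marker length, the addresses, and the timestamps are assumptions chosen for the illustration; only the classic little-endian microsecond pcap format with Ethernet framing is handled.

```python
import struct
from typing import List, Tuple

# Marker payload length the user is told to send (assumption: 999 data bytes,
# as in `ping -l 999` on Windows or `ping -s 999` on Linux/macOS).
MARKER_PAYLOAD_LEN = 999


def inet_checksum(data: bytes) -> int:
    """Standard ones'-complement checksum used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo_frame(payload_len: int, seq: int) -> bytes:
    """Build a minimal Ethernet/IPv4/ICMP echo-request frame (constructed test data)."""
    payload = bytes(i % 256 for i in range(payload_len))
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, seq) + payload
    icmp = struct.pack("!BBHHH", 8, 0, inet_checksum(icmp), 0x1234, seq) + payload
    src, dst = bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1])  # assumed addresses
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 1, 0, 64, 1, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip + icmp


def build_pcap(frames: List[Tuple[float, bytes]]) -> bytes:
    """Serialise (timestamp, frame) pairs as a classic pcap file (linktype 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in frames:
        sec = int(ts)
        usec = round((ts - sec) * 1_000_000)
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def iter_frames(pcap: bytes):
    """Yield (frame_number, timestamp, frame_bytes) for each record in the pcap."""
    magic, = struct.unpack("<I", pcap[:4])
    linktype, = struct.unpack("<I", pcap[20:24])
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("example only handles little-endian microsecond pcap over Ethernet")
    offset, frame_no = 24, 0
    while offset + 16 <= len(pcap):
        sec, usec, incl_len, _orig_len = struct.unpack("<IIII", pcap[offset:offset + 16])
        offset += 16
        frame_no += 1
        yield frame_no, sec + usec / 1e6, pcap[offset:offset + incl_len]
        offset += incl_len


def icmp_echo_payload_len(frame: bytes):
    """Return the ICMP echo-request payload length, or None if the frame is not one."""
    if len(frame) < 14 + 20 + 8 or frame[12:14] != b"\x08\x00":
        return None  # not IPv4 over Ethernet
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 1:
        return None  # IP protocol is not ICMP
    total_len, = struct.unpack("!H", frame[16:18])
    icmp = frame[14 + ihl:14 + total_len]
    if len(icmp) < 8 or icmp[0] != 8:
        return None  # not an echo request
    return len(icmp) - 8


def find_markers(pcap: bytes, marker_len: int = MARKER_PAYLOAD_LEN) -> List[Tuple[int, float]]:
    """Locate the signpost: every echo request whose payload length matches the marker."""
    return [(no, ts) for no, ts, frame in iter_frames(pcap)
            if icmp_echo_payload_len(frame) == marker_len]


def frames_before(pcap: bytes, marker_ts: float, window_s: float) -> List[int]:
    """Frame numbers in the window ending at the marker; the problem lies somewhere in here."""
    return [no for no, ts, _ in iter_frames(pcap) if marker_ts - window_s <= ts <= marker_ts]


def sample_trace() -> bytes:
    """Constructed trace: ordinary 32- and 56-byte pings with one 999-byte marker among them."""
    return build_pcap([
        (1000.00, build_icmp_echo_frame(32, 1)),
        (1001.50, build_icmp_echo_frame(56, 2)),
        (1002.25, build_icmp_echo_frame(32, 3)),
        (1003.00, build_icmp_echo_frame(MARKER_PAYLOAD_LEN, 4)),  # the user's marker ping
        (1004.00, build_icmp_echo_frame(32, 5)),
    ])


if __name__ == "__main__":
    trace = sample_trace()
    for frame_no, ts in find_markers(trace):
        print(f"marker at frame {frame_no}, t={ts:.6f}; look at frames {frames_before(trace, ts, 2.0)}")
```

Against a real capture you would replace `sample_trace()` with the contents of the pcap file and keep the scan; the same idea as a Wireshark display filter on ICMP echo requests with the chosen length, but scripted so it can run unattended over a very large trace.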
In this video I demonstrate marking with a distinctive ping and using the TribeLab Trace Marker.
The tool is free and you can get access to it right now at http://www.tribelab.com/sonar.html. A useful feature is the ability to hide all of the settings - try http://www.tribelab.com/sonar.html?hide=true.
You can find a full user guide and short videos showing marking scenarios at https://community.tribelab.com/course/view.php?id=10. If you haven't yet joined the TribeLab community simply click on Log in and follow the prompts - it's free and we won't spam you.
Best regards...Paul