Troubleshoot slow network problems with Network Traffic Analysis (NTA)

One of the most vague issues to land on any network administrator’s desk is users complaining that the network is slow. In most cases, the network is not to blame; instead, the user is experiencing issues with a slow application or website. However, it is often the responsibility of network admins to troubleshoot slow network issues and prove that it is not the network.

The first thing you will need is a data source, so you can find out what is happening on your network. You can use technologies such as flow analysis or packet capture. Packet capture typically provides the greatest detail, but you need to ensure you set it up in the right places on the network. To learn more about how to monitor network traffic and pick the most important points to focus on, visit this page.

The next thing you need is a network traffic monitoring tool that can report on real-time and historical network use. This is critical when it comes to troubleshooting slow network issues. You need to be able to compare what is happening when the network is running slow versus what was happening when the network was running without issues.

Check overall traffic volumes

If the user complaints are coming from a remote office, start by checking traffic volumes on the link. If the complaints are coming from users on the local LAN, we recommend focusing on all network activity.

The first thing to look at is the ratio of TCP to UDP traffic. On a normal network, TCP will account for over 80% of traffic. If UDP protocols are using your bandwidth, check the data from the previous day to see whether this is something new. Excessive UDP traffic can be a sign of a DDoS attack or overuse of media streaming. Issues such as these can slow down a network.

Find the top applications consuming bandwidth

Next up, check for the most active applications. For most networks, activity like file sharing, web, or database activity ranks highest during business hours. If you see something like backup running during the day or large data replications between servers, it can be the source of network slowdowns.

Check for network broadcast issues

A broadcast storm can slow down a network within seconds. All it takes is for one rogue device to send out a few hundred megabytes of broadcast data, and suddenly your LAN will be saturated with broadcast packets. A quick way to look for this activity is to filter on network packets that have ff:ff:ff:ff:ff:ff as a destination MAC address.

You should also take a look at multicast traffic. It is less problematic than broadcast traffic, but worth checking if you are trying to troubleshoot slow network problems. Use a filter to show traffic associated with the destination IP range 224.0.0.0/4.

Watch out for excessive connection rates

Firewalls and layer 3 devices such as routers can struggle if connection rates increase significantly on a network. If clients start disconnecting from websites or services hosted on the other side of routers, it is worth checking this metric.
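The checks above can be run over a baseline window and a slow window and then compared. The following is an added example, not part of the original post: the record layout, the sample values and the 2x comparison factor are assumptions, and in practice the records would come from a flow or packet-capture export.

```python
import ipaddress
from collections import Counter

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
MULTICAST = ipaddress.ip_network("224.0.0.0/4")
KEYS = ("TCP", "UDP", "broadcast", "multicast")

# Constructed records: (second, proto, dst_mac, dst_ip, bytes, new_connection)
BASELINE = [
    (0, "TCP", "00:11:22:33:44:55", "10.0.0.5", 9000, True),
    (0, "UDP", "00:11:22:33:44:66", "10.0.0.53", 500, False),
    (1, "ARP", "ff:ff:ff:ff:ff:ff", None, 100, False),
    (1, "UDP", "01:00:5e:00:00:fb", "224.0.0.251", 400, False),
]
SLOW = [
    (0, "TCP", "00:11:22:33:44:55", "10.0.0.5", 4000, True),
    (0, "TCP", "00:11:22:33:44:55", "10.0.0.5", 1000, True),
    (0, "TCP", "00:11:22:33:44:55", "10.0.0.5", 1000, True),
    (0, "UDP", "ff:ff:ff:ff:ff:ff", "255.255.255.255", 6000, False),
    (1, "UDP", "00:11:22:33:44:77", "203.0.113.9", 8000, False),
]

def summarize(records):
    """Compute byte shares and the peak new-connection rate for one window."""
    total = sum(r[4] for r in records) or 1  # avoid dividing by zero
    vol, conns = Counter(), Counter()
    for sec, proto, dst_mac, dst_ip, size, new_conn in records:
        vol[proto] += size
        if dst_mac.lower() == BROADCAST_MAC:
            vol["broadcast"] += size
        elif dst_ip and ipaddress.ip_address(dst_ip) in MULTICAST:
            vol["multicast"] += size
        if new_conn:
            conns[sec] += 1
    out = {k.lower() + "_pct": 100 * vol[k] / total for k in KEYS}
    out["peak_conn_per_sec"] = max(conns.values(), default=0)
    return out

def findings(baseline, slow, factor=2.0):
    """Flag metrics that moved; factor is an assumed threshold, tune per site."""
    base, now = summarize(baseline), summarize(slow)
    flagged = ["tcp_pct"] if now["tcp_pct"] <= 80 else []  # normal is over 80% TCP
    for key in ("udp_pct", "broadcast_pct", "multicast_pct", "peak_conn_per_sec"):
        if now[key] > factor * base[key]:
            flagged.append(key)
    return flagged

if __name__ == "__main__":
    print(findings(BASELINE, SLOW))
```

Each flagged metric points back to one of the checks: a low TCP share or a jump in UDP to the traffic volume check, the broadcast and multicast shares to the broadcast check, and the peak connection rate to the load on firewalls and routers.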

Summary

There are many ways to troubleshoot slow network problems, and we haven’t covered them all in this post. However, by using this approach, monitoring network traffic, and comparing what happens during a network slowdown against times when the network is running normally, you’ll find the root cause of network problems in most cases.
