When do we need to collect network traces?

Many Microsoft support engineers dealing with customer technical issues ask for network traces to further troubleshoot and isolate a given problem. In this post I wanted to give you an idea about when we generally ask for a network trace so that you might want to take a similar approach for similar problems.


May be we can start with the question “When do we need to collect and analyze a network trace?”


Even though the answers might vary, generally you will need to collect and analyze a network trace in the below situations:


• You need to troubleshoot network connectivity problems

• You need to troubleshoot network performance problems

• You need to troubleshoot network security problems

• You need to understand network behavior of protocols and applications for baselining or capacity planning purposes


Also you can see below some example problem types that we get from our customers where we ask for network traces:


Network connectivity problem examples:


• Web browser cannot connect to Web server

• Remote share cannot be browsed

• Event Viewer cannot connect to remote event log service

• I get ‘RPC server is unavailable’ when I initiate AD replication

• We get ‘server not found’ error when starting the XYZ application (a 3rd party app)

• Exchange server doesn’t receive e-mails from the internet

• Sharepoint portal cannot be reached from clients in a certain site

• Sharepoint server cannot retrieve data from SQL server

• SCCM server cannot communicate with the SCCM agent

• 3rd party client application cannot connect to 3rd party server application over a VPN tunnel


Network performance problem examples:


• File copy between two servers takes too long

• Download through HTTP from the internet takes is slow

• Backing up one of our file servers through the network takes too long

• We see delays in browsing our web site

• FTP file transfers are too slow between certain sites

• Windows Explorer is too slow in showing the remote share content

• SQL server query performance over the WAN connections is too slow

• Outbound e-mails queue up on Exchange Edge server

• Outlook client cannot connect to Exchange CAS servers trough a load balancer


Network security problem examples:


• We would like to understand why File server1 tries to establish a session to through TCP port 7789

• In our firewall logs, we see that certain clients try to access a certain site. Why do those clients try to access that site?

• We would like to see which process generates a specific TCP session

• We would like to see the authentication protocol that the clients use to authenticate to Server X

• Kerberos/NTLM authentication problems

• Certain SSL authentication issues

• As soon as we connect the client machine to a switchport, the switchport is disabled due to excessive traffic coming from the client. We would like to know the reason behind that


Hope this helps