Why is this network slowing down my machine?
October 18, 2019 1:01 PM

I'm currently working as a contractor on a cruise ship, working with their audio systems. There is one main "control" network which connects all audio computers, consoles, and some affiliated lighting control systems which is causing major issues with my computer.

When I connect to this network via the WAP in the theatre my computer gets incredibly sluggish. It takes 5-10 times longer than usual to load programs. External drives refuse to mount until I disconnect from the network, the mouse will hang for 5 seconds.

I've done a Wireshark sniff of the network and nothing seems too wildly out of place, except for some ARP commands from devices looking for a gateway in a different subnet. These would appear to be some sort of IP-based KVM extenders that no one knows the location of.

Based on some of these behaviors I expected to see some sound equipment (wireless microphone receivers) that are notorious for broadcasting thousands of packets a second and destroying a network, but I haven't found them.

I'm completely locked out of doing any maintenance on this network and doing any sort of troubleshooting aside from the firewall settings on my own computer, which seem to be doing nothing.

I'm not seeing any CPU or memory usage that corresponds to connecting to this network, but SOMETHING must be going on.

My question is - what the hell is going on? And are there any firewall and/or other network settings that I can tweak to try and troubleshoot/solve this issue at least on my own computer?
Running MacBook Pro 2015, and macOS 10.14.5
posted by aloiv2 to Computers & Internet (15 answers total) 3 users marked this as a favorite
 
I've found that WiFi Explorer Lite is useful for finding out if there are other access points stomping on your signal. Perhaps a passenger has brought their own hotspot and is killing your bandwidth?
posted by JoeZydeco at 1:42 PM on October 18, 2019


Can you run "top" while connecting to the network to see if something jumps to the top of the process stack? If it's not network IO maybe it's disk?
posted by pilot pirx at 1:47 PM on October 18, 2019


Can you connect wired? Even if only long enough to see if the problem exists there as well?
posted by at at 2:18 PM on October 18, 2019 [2 favorites]


Also, you might try a USB wifi card rather than the built-in airport, in case it's some weird edge case with the driver and the AP or something else on the network.

Anything showing up in Console's logs?
posted by snuffleupagus at 2:24 PM on October 18, 2019


Could it be network discovery? I know any time I've tried to use OS X to browse a Windows-based network with any decent size, it isn't joyful.

Preferences > Security > Firewall: On > Firewall Options > Enable Stealth Mode (don't respond to other devices saying hello)

Preferences > Sharing > Turn everything off.

Might be worth making your IP static-- you're using Wireshark so you probably know your way around, so just check what your DHCP has been set to, then just set the same settings as static values.

But, yeah-- seems real odd! Good luck!
posted by Static Vagabond at 3:09 PM on October 18, 2019


Are your programs looking for updates on load? Having an active network could cause you to wait for a DNS timeout (are you seeing unanswered DNS requests?) whereas it immediately fails when there's no network.

This sounds like name resolution issues to me.
posted by bfranklin at 3:30 PM on October 18, 2019


Response by poster: Hmmmmm. I have tried all of these with no success except for the wired connection as the infrastructure doesn’t allow for it. I will say this: other computers on the network are suffering similar latency issues.
I’ve been in contact with the company in Germany that designed this system and their answer has basically been “huh, that shouldn’t be happening”.

My suspicion is that someone bridged multiple networks together that shouldn’t have been bridged, but the Wireshark doesn’t support that idea - the devices trying to phone home to a different subnet are addressed properly within this subnet, just looking for a path to a different subnet through a router that doesn’t exist it would seem.

Thanks for the ideas so far. I was hopeful about the Stealth Mode, but alas.
posted by aloiv2 at 4:26 PM on October 18, 2019


I don't know what would account for sluggishness of your computer other than your ram being used, your CPU being used, or possibly your disk being really busy. Top really ought to be able to tell you what's eating your resources.

Maybe run iotop as well to check on disk accesses.
posted by signsofrain at 5:08 PM on October 18, 2019


If you try 'traceroute www.metafilter.com', does it resolve straight, or flutter about?

Could something be pretending to be a DNS resolver, but not actually delivering?
posted by nickggully at 6:11 PM on October 18, 2019


Can you disconnect network nodes one by one, until you find that your computer starts working normally? Or, better yet, disconnect half of them, and see if that fixes your problem. If so, reconnect half of the half, and keep doing this until you find the one that's problematic.
posted by alex1965 at 6:19 PM on October 18, 2019


If it's really interfering with disk access or your mouse, that sounds like some sort of interrupt from frames your Wifi card is receiving. (Not that that sounds like a likely event, but here we are.) Wireshark will only capture Ethernet frames, not 802.11 frames. You could try sniffing 802.11 frames on your Mac (the CLI instructions didn't capture anything for me, I had to use the "Use a GUI" method to get anything). Wireshark will then open the .pcap that is created (after you copy it from /var/tmp to a directory Wireshark is willing to look into. sigh)

I'm out of my depth at that point, but on the busy (lots of apartments) 2.4 GHz spectrum near me I'm seeing about 60 beacon/probe response frames a second - I'd expect that if there's enough noise to mess with your system you would be looking at thousands/sec of whatever garbage is flying through the air around you.
posted by five toed sloth at 6:21 PM on October 18, 2019 [2 favorites]


Nth-ing top -o cpu -O status.

I’d suspect DNS, which you eliminated, something non-WiFi stomping on the ISM band, which you may have looked for, and stupid AP configuration.

Were you capturing in monitor mode so that you can see the RSSI and any noise problems? Or does the problem not exist in the same place when you are connected to networks other than the control?

Will it stay fast if you firewall off the default gateway and DNS before connecting? Or allow only networks local to the ship? Little Snitch is great for this. It could point to a strange MTU set on the backhaul that doesn’t play nice with a satellite link, or hidden NAT/proxies with bad configuration. Or apps like Dropbox that may be caching connection data and slowing down your filesystem when updates fail.

On a normal ship, I’d look for faraday cages or hidden nodes caused by a hatch closing. Probably not on cruise ships.
posted by unknown knowns at 6:45 PM on October 18, 2019


Follow-up questions -- are you only dumping Ethernet packets, or are you also pulling the 802.11b/g/n control frames? Also, are you physically plugged in to a power source when connecting to wireless? I've seen power saving features queue and delay packets.
posted by bfranklin at 6:27 AM on October 19, 2019 [2 favorites]


Response by poster: Of course as soon as I post this the satellite internet on the ship starts getting throttled to hell. But we go through the Panama Canal tomorrow, which will be cool for a transit nerd like myself!

There have been some interesting developments regarding 802.11 control frames (thanks for the pointer bfranklin). There are roughly 10,000-15,000 QoS frames that Wireshark is identifying as “Bad TCP”. They are sourcing to some Asus device on the network that we are trying to track down.
I’m not exactly sure what I’m seeing with them as I know that packets can be marked with their QOS priority tag (maybe the wrong terminology), but I guess I don’t know what this means. Don’t have the bandwidth to post a screen cap, but the info on Wireshark reads as:
Protocol: 802.11
Length: either 1200 or 656
Info: QoS Data, SN [number increases every time], FN=0, Flags=.p..R.F..

I seem to be able to load simple websites (like MeFi), but I can’t really do any more research on this, but it’s been sent on.

Thanks again for all the tips folx.
posted by aloiv2 at 11:34 AM on October 21, 2019 [1 favorite]
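
Added example, not part of the original thread: a small decoder for the Wireshark 802.11 "Flags=" summary quoted in the post above, which also tallies the share of retransmitted (Retry) frames per transmitter. It assumes Wireshark's usual letter order (o, p, m, P, R, M, F, T, with an optional ninth FCS marker); the sample rows and MAC addresses are constructed.

```python
import re
from collections import defaultdict

# Assumed letter order of Wireshark's 802.11 "Flags=" summary (frame-control
# flag bits, high to low); any ninth character (FCS marker) is ignored.
FLAG_NAMES = ("order", "protected", "more_data", "power_mgmt",
              "retry", "more_fragments", "from_ds", "to_ds")
INFO_RE = re.compile(r"SN=(\d+),\s*FN=(\d+),\s*Flags=(\S+)")


def decode_flags(flag_str):
    """Return the set of flag names whose position is not '.'."""
    if len(flag_str) < len(FLAG_NAMES):
        raise ValueError(f"flag string too short: {flag_str!r}")
    return {name for name, ch in zip(FLAG_NAMES, flag_str) if ch != "."}


def direction(flags):
    """Interpret the To DS / From DS pair of a frame."""
    key = ("to_ds" in flags, "from_ds" in flags)
    return {(False, False): "station to station (ad hoc) or management/control",
            (True, False): "station to AP",
            (False, True): "AP to station",
            (True, True): "AP to AP (WDS/mesh)"}[key]


def retry_report(rows):
    """rows: (transmitter, info) pairs -> {transmitter: (frames, retries, pct)}."""
    counts = defaultdict(lambda: [0, 0])
    for transmitter, info in rows:
        m = INFO_RE.search(info)
        if not m:
            continue  # no sequence number, so not a data/management summary
        counts[transmitter][0] += 1
        counts[transmitter][1] += "retry" in decode_flags(m.group(3))
    return {tx: (n, r, round(100 * r / n, 1)) for tx, (n, r) in counts.items()}


# Constructed sample rows (addresses and sequence numbers are made up).
SAMPLE = [
    ("02:00:00:aa:bb:01", "QoS Data, SN=2101, FN=0, Flags=.p..R.F.."),
    ("02:00:00:aa:bb:01", "QoS Data, SN=2101, FN=0, Flags=.p..R.F.."),
    ("02:00:00:aa:bb:01", "QoS Data, SN=2102, FN=0, Flags=.p....F.."),
    ("02:00:00:cc:dd:02", "QoS Data, SN=77, FN=0, Flags=.p.....T."),
    ("02:00:00:cc:dd:02", "QoS Data, SN=78, FN=0, Flags=.p.....T."),
    ("02:00:00:cc:dd:02", "Request-to-send, Flags=........"),
]

if __name__ == "__main__":
    f = decode_flags(".p..R.F..")
    print(sorted(f), "->", direction(f))
    for tx, (frames, retries, pct) in retry_report(SAMPLE).items():
        print(f"{tx}: {retries}/{frames} retries ({pct}%)")
```

Under that assumed layout, the string from the post decodes to Protected (encrypted frame body), Retry (a retransmission) and From DS (sent by the access point toward a station).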


An Asus device is likely going to be a SOHO router. They bundle their own "adaptive QOS" which might be screwing things up.

I was thinking maybe someone had put up their own subnet, but then I'd think you wouldn't see the control frames on the upstream network. But my hardware/radio level wifi knowledge is vague.
posted by snuffleupagus at 11:42 AM on October 21, 2019

