I am building a new network and I started monitoring the network using Wireshark. All the switches are Cisco SG300 52 ports switch with FW 1.0.0.27. I configured port mirroring on one of the switches so as to view communications between servers on that switch. I found that there are too many lost segments that are causing Dup Acks and fast retransmit. I checked the Speed and Duplex settings on the switch ports and the servers but they all seemed fine. Speed and Duplex are set to Auto negotiate on all ports. Flow control is disabled on the switch. The servers NICs are left as default and I believe they are all set to autonegotiate.Jumbo frames are disabled on all the ports of the switch. After seeing that I decided to isolate that switch from the network and troubleshoot. I double checked speed and duplex settings, flow control settings, edge port settings.I tried to play around by changing the settings but I still got almost 40% of packets with errors in some cases. I just don't get it. It's not between particular machines. It is happening for several machines sitting on that switch. Could that be a bad RAM or something on the switch?What other settings can I check on the switch or the computers connected to it? Any help would be much appreciated. Thanks. Vishal asked 20 Apr '12, 22:58  vishal90216 |
One Answer:
I bet you mirrored more than one port on your switch, which will usually result in something between a few and a ton of duplicate packets being recorded in your trace. Those will show up as Dup Acks, Retransmissions and other funny things. You could check if you're suffering from duplicates by comparing retransmissions to the original packets - they're identical bit by bit, while a real retransmission would at least have a different IP ID (unless the OS is using always the same ID for paranoid reasons). My advice would be to use the command line tool editcap (it is installed together with Wireshark) to remove the duplicates before trying to analyze anything with Wireshark. You could do something like this: editcap -d yourstrangecapturefile.pcap deduplicatedfile.pcap This will create a new file ("deduplicatedfile.pcap") that will be cleaned of any duplicates found in "yourstrangecapturefile.pcap". You might have to play around with the additional -D and -w parameters to get better results if some duplicates survive the procedure with default parameters. answered 21 Apr '12, 02:29  Jasper ♦♦ |
