All, I recently inherited a large airport network and I'm performing Wireshark analysis to get a feel of what is being transmitted. I'm seeing a lot of Dup Acks, TCP Retransmits and Reassembling. The trace that I will post was between two computers performing a simple file transfer. The two computers are attached to the same Cisco switch, member of the same VLAN and in the same building. I'm seeing no errors or drop packets when I look at the switchport. Do I have a network issue or is it the configuration of Wireshark. Thanks https://docs.google.com/open?id=0B8IhRTPihfVvLXdDSUNLdHVmVUk asked 02 Aug '12, 09:30  tyarger |
One Answer:
First of all... almost 400MB of trace file are not exactly a good thing to post, because you can't expect anyone to take a look at that much data in detail. You should reduce trace files to a size that is showing your problem in as few packets as possible, so people will be more willing to spend their time to help you. And yes, it looks like you have a problem with lost frames that trigger fast retransmissions. The lost frames are not the real problem, because they tend to happen in any network. Unfortunately you did not capture the three way handshake, but I guess your PCs are using window scaling and quite large receive windows. Because of it when a frame gets lost it takes a while to retransmit since the sender is pushing out tons of packets due to the large window, and so the retransmission comes in late after a ton of duplicate acks. This is a quite common thing to see these days, especially since Windows Vista/7/2008/2008R2. See @landi's Sharkfest talk "A-18: Effects of Receiver-Side Window Scaling on Enterprise Networks" at http://sharkfest.wireshark.org/sharkfest.12/index.html answered 02 Aug '12, 11:27  Jasper ♦♦ edited 02 Aug '12, 11:29 I performed another trace with the three way handshake visible and a much smaller file transfer. Thanks again (02 Aug '12, 13:07) tyarger Okay, looks like your window scaling factor is 8, which means that the window size is multiplied by 256. In your case it means that your receiver advertised a buffer of almost half a megabyte. When the packet gets lost the sender has already pushed out a lot of data, which leads to the fast retransmission trailing in after tons of dupe acks. I think your network isn't performing bad, you just loose a packet here and there, and because of the large window the retransmission takes a while to come in. (02 Aug '12, 15:15) Jasper ♦♦ |
I apologize for the large file. I was in a hurry and didn't apply the proper filters. I appreciate your help. I'll perform another capture and post with the three way handshake.