We have a program for receive udp multicast broadcast, the packet rate it will receive can be up to 3000 packet/sec. ~1500bytes max. size per packet. Our situation is that we are experiencing packet loss when it hit that rate. Assuming packet never loss during network transportation, we want to know are the packets loss cause by overflow in the network card buffer, or is the network card not fast enough, and it dropped the packets? Could you please tell us how to analysis this with Wireshark? Thanks in advance. asked 02 Jan '13, 19:45 bryanevil edited 02 Jan '13, 19:47 |
One Answer:
You can't unless you span the port the servers/PCs (consumers of multicast) are spanned. Only then can you tell if you the packets made it past the egress buffers of your switch. But before you go that route, make sure your systems UDP buffers are tuned. Many OS's have fine tuned TCP buffers but the UDP buffers are left untouched. It's very likely that you will see drops in the UDP buffers during the bursts. Check with "netstat -s" to see the drops. Also, google for "udp buffer tuning" and you'll get some hits for your flavor of OS. Good luck. answered 02 Jan '13, 20:52 hansangb |
SPAN ports might not be good enough since it may drop frames in overload situations as well. I'd go for a full duplex tap here, and keep an eye on the drop counter while capturing to see if the capturing PC can cope with the number of packets.
@hansang, I converted your comment to an answer, because it is an answer ;-)
LOL! And how do you like my current Karma being at 666! And to your point about spans, I should have added that for MC troubleshooting, you don't even need RX+TX spans (the default). it's unidirectional traffic anyway. This changes if you're trying to troubleshoot MC control plane or app level feedback.