
Trying to follow an FTP stream and figure out why transferring the same file to different machines has different finish times. The FTP-DATA bytes show 32768, but if you add the acknowledgement numbers, the byte count does not add up. I could be totally off base, so I am asking the experts. I am assuming the value of example: packet 151 - 156, I would subtract the last ack value packet 154 from ack value of packet 151. The FTP amount of data bytes sent was 52442 in packet 152.

Packet  Time    Source  Destination Protocol    Length  Info
139 10.187547   x-server    Y--client   TCP 62  ftp-data > 15943 [SYN] Seq=0 Win=8192 Len=0 MSS=4034 SACK_PERM=1
140 10.187632   Y--client   x-server    TCP 62  15943 > ftp-data [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=4034 SACK_PERM=1
142 10.187831   x-server    Y--client   TCP 60  ftp-data > 15943 [ACK] Seq=1 Ack=1 Win=64544 Len=0
143 10.203807   Y--client   x-server    FTP-DATA    8122    FTP Data: 8068 bytes
144 10.204378   x-server    Y--client   TCP 60  ftp-data > 15943 [ACK] Seq=1 Ack=8069 Win=64544 Len=0
145 10.204398   Y--client   x-server    FTP-DATA    16190   FTP Data: 16136 bytes
146 10.204932   x-server    Y--client   TCP 60  ftp-data > 15943 [ACK] Seq=1 Ack=24205 Win=64544 Len=0
147 10.204946   Y--client   x-server    FTP-DATA    8618    FTP Data: 8564 bytes
148 10.205625   x-server    Y--client   TCP 60  ftp-data > 15943 [ACK] Seq=1 Ack=32769 Win=64544 Len=0
149 10.228625   Y--client   x-server    FTP-DATA    32822   FTP Data: 32768 bytes
150 10.228678   Y--client   x-server    FTP-DATA    8122    FTP Data: 8068 bytes
151 10.229349   x-server    Y--client   TCP 60  ftp-data > 15943 [ACK] Seq=1 Ack=69571 Win=64544 Len=0
152 10.229383   Y--client   x-server    FTP-DATA    52496   FTP Data: 52442 bytes
153 10.23007    x-server    Y--client   TCP 60  ftp-data > 15943 [ACK] Seq=1 Ack=85707 Win=48408 Len=0
154 10.230071   x-server    Y--client   TCP 60  ftp-data > 15943 [ACK] Seq=1 Ack=117979 Win=16136 Len=0
155 10.230084   Y--client   x-server    FTP-DATA    5080    FTP Data: 5026 bytes
156 10.230421   x-server    Y--client   TCP 60  ftp-data > 15943 [ACK] Seq=1 Ack=126047 Win=8068 Len=0
157 10.230832   x-server    Y--client   TCP 60  ftp-data > 15943 [ACK] Seq=1 Ack=131073 Win=3042 Len=0
159 10.321455   x-server    Y--client   TCP 60  [TCP Window Update] ftp-data > 15943 [ACK] Seq=1 Ack=131073 Win=64544 Len=0
160 10.321496   Y--client   x-server    FTP-DATA    60564   FTP Data: 60510 bytes
161 10.321526   Y--client   x-server    FTP-DATA    4088    [TCP Window Full] FTP Data: 4034 bytes
162 10.321895   x-server    Y--client   TCP 60  ftp-data > 15943 [ACK] Seq=1 Ack=147209 Win=64544 Len=0
163 10.321906   Y--client   x-server    FTP-DATA    1046    FTP Data: 992 bytes
164 10.321964   x-server    Y--client   TCP 60  ftp-data > 15943 [ACK] Seq=1 Ack=155277 Win=64544 Len=0
165 10.32211    x-server    Y--client   TCP 60  ftp-data > 15943 [ACK] Seq=1 Ack=171413 Win=64544 Len=0
166 10.322134   Y--client   x-server    FTP-DATA    32822   FTP Data: 32768 bytes
167 10.322281   x-server    Y--client   TCP 60  ftp-data > 15943 [ACK] Seq=1 Ack=187549 Win=64544 Len=0
168 10.322406   x-server    Y--client   TCP 60  ftp-data > 15943 [ACK] Seq=1 Ack=196609 Win=64544 Len=0
169 10.322428   Y--client   x-server    FTP-DATA    28292   FTP Data: 28238 bytes
170 10.322531   x-server    Y--client   TCP 60  ftp-data > 15943 [ACK] Seq=1 Ack=208711 Win=64544 Len=0
171 10.322543   Y--client   x-server    FTP-DATA    4584    FTP Data: 4530 bytes
172 10.322871   x-server    Y--client   TCP 60  ftp-data > 15943 [ACK] Seq=1 Ack=224847 Win=64544 Len=0
173 10.322872   x-server    Y--client   TCP 60  ftp-data > 15943 [ACK] Seq=1 Ack=237445 Win=64544 Len=0
174 10.322872   x-server    Y--client   TCP 60  ftp-data > 15943 [ACK] Seq=1 Ack=253581 Win=64544 Len=0
175 10.322894   Y--client   x-server    FTP-DATA    32822   FTP Data: 32768 bytes
176 10.32324    x-server    Y--client   TCP 60  ftp-data > 15943 [ACK] Seq=1 Ack=262145 Win=64544 Len=0
177 10.32326    Y--client   x-server    FTP-DATA    28292   FTP Data: 28238 bytes
178 10.323601   x-server    Y--client   TCP 60  ftp-data > 15943 [ACK] Seq=1 Ack=274247 Win=64544 Len=0
179 10.323602   x-server    Y--client   TCP 60  ftp-data > 15943 [ACK] Seq=1 Ack=290383 Win=64544 Len=0
180 10.323603   x-server    Y--client   TCP 60  ftp-data > 15943 [ACK] Seq=1 Ack=294913 Win=64544 Len=0
181 10.323624   Y--client   x-server    FTP-DATA    36360   [TCP Window Full] FTP Data: 36306 bytes
182 10.323968   x-server    Y--client   TCP 60  ftp-data > 15943 [ACK] Seq=1 Ack=311049 Win=64544 Len=0
183 10.323969   x-server    Y--client   TCP 60  ftp-data > 15943 [ACK] Seq=1 Ack=319117 Win=64544 Len=0
184 10.323979   Y--client   x-server    FTP-DATA    1046    FTP Data: 992 bytes
185 10.32431    x-server    Y--client   TCP 60  ftp-data > 15943 [ACK] Seq=1 Ack=335253 Win=64544 Len=0
186 10.324311   x-server    Y--client   TCP 60  ftp-data > 15943 [ACK] Seq=1 Ack=343321 Win=64544 Len=0
187 10.324312   x-server    Y--client   TCP 60  ftp-data > 15943 [ACK] Seq=1 Ack=360449 Win=64544 Len=0
188 10.324333   Y--client   x-server    FTP-DATA    32822   FTP Data: 32768 bytes
189 10.324393   Y--client   x-server    FTP-DATA    28292   FTP Data: 28238 bytes
190 10.324804   x-server    Y--client   TCP 60  ftp-data > 15943 [ACK] Seq=1 Ack=372551 Win=64544 Len=0
191 10.324815   Y--client   x-server    FTP-DATA    4584    FTP Data: 4530 bytes
192 10.325138   x-server    Y--client   TCP 60  ftp-data > 15943 [ACK] Seq=1 Ack=388687 Win=64544 Len=0
193 10.325139   x-server    Y--client   TCP 60  ftp-data > 15943 [ACK] Seq=1 Ack=405319 Win=64544 Len=0
194 10.32514    x-server    Y--client   TCP 60  ftp-data > 15943 [ACK] Seq=1 Ack=417421 Win=64544 Len=0
195 10.325161   Y--client   x-server    FTP-DATA    32822   FTP Data: 32768 bytes
196 10.325508   x-server    Y--client   TCP 60  ftp-data > 15943 [ACK] Seq=1 Ack=425985 Win=64544 Len=0
197 10.325641   x-server    Y--client   TCP 60  ftp-data > 15943 [ACK] Seq=1 Ack=438087 Win=64544 Len=0
198 10.325642   x-server    Y--client   TCP 60  ftp-data > 15943 [ACK] Seq=1 Ack=454223 Win=64544 Len=0
199 10.326086   x-server    Y--client   TCP 60  ftp-data > 15943 [ACK] Seq=1 Ack=458753 Win=64544 Len=0
200 10.328562   Y--client   x-server    FTP-DATA    32822   FTP Data: 32768 bytes
201 10.328616   Y--client   x-server    FTP-DATA    28292   FTP Data: 28238 bytes
202 10.32924    x-server    Y--client   TCP 60  ftp-data > 15943 [ACK] Seq=1 Ack=470855 Win=64544 Len=0
203 10.329244   x-server    Y--client   TCP 60  ftp-data > 15943 [ACK] Seq=1 Ack=482957 Win=64544 Len=0
204 10.329245   x-server    Y--client   TCP 60  ftp-data > 15943 [ACK] Seq=1 Ack=495555 Win=64544 Len=0

asked 08 Feb '13, 16:37

paul32ny

edited 08 Feb '13, 16:42

SYN-bit ♦♦

I assume you were capturing on the client because there are very large packets listed in Wireshark. These packets don't exist on the network, as they get split up by the NIC (see TCP Segmentation Offloading). The ACKs which the NIC receives are summarized into a minimal amount of ACKs towards the TCP stack. This makes it possible that an ACK can acknowledge only part of a big packet.

You can turn off TSO to make Wireshark show the real packets. But better yet, use a TAP or spanport to see the real network traffic.

answered 08 Feb '13, 16:50

SYN-bit ♦♦

That is really good to know and thanks for the rapid response. The capture is from the client PC. I am assuming that going forward it is better to capture the packets on the network and not from a TCP analyzer running on the client machine. I will also try turning off TSO.

Thank you

(08 Feb '13, 17:13) paul32ny

Please note that TSO is an optimization that is supposed to give you better performance (so you might want to leave it on), although I have seen cases where it was actually making things worse.

(09 Feb '13, 03:24) SYN-bit ♦♦
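
The ACK accounting for packets 143-157 of the capture above, as an added example that is not part of the original thread or of Wireshark. It assumes the large FTP-DATA frames are offloaded segments that the NIC cuts into MSS-sized pieces; the function name `account_acks` and the trimmed row format are illustrative.

```python
import re

MSS = 4034  # from the SYN / SYN-ACK in the question's capture
# Packets 143-157 from the question, cut down to packet number + Info column.
CAPTURE = """\
143 FTP Data: 8068 bytes
144 [ACK] Seq=1 Ack=8069
145 FTP Data: 16136 bytes
146 [ACK] Seq=1 Ack=24205
147 FTP Data: 8564 bytes
148 [ACK] Seq=1 Ack=32769
149 FTP Data: 32768 bytes
150 FTP Data: 8068 bytes
151 [ACK] Seq=1 Ack=69571
152 FTP Data: 52442 bytes
153 [ACK] Seq=1 Ack=85707
154 [ACK] Seq=1 Ack=117979
155 FTP Data: 5026 bytes
156 [ACK] Seq=1 Ack=126047
157 [ACK] Seq=1 Ack=131073
"""

def account_acks(capture, mss=MSS):
    """Map every ACK to the captured (possibly offloaded) segment it lands in."""
    segments, records = [], []   # segments: (pkt, first_seq, next_seq)
    next_seq = last_ack = 1      # relative seq 1 = first byte after the SYN
    for line in capture.strip().splitlines():
        pkt = int(line.split()[0])
        data = re.search(r"FTP Data: (\d+) bytes", line)
        if data:
            length = int(data.group(1))
            segments.append((pkt, next_seq, next_seq + length))
            next_seq += length
            continue
        ack = int(re.search(r"Ack=(\d+)", line).group(1))
        # The segment whose byte range contains the last acknowledged byte.
        seg_pkt, first, end = next(s for s in segments if s[1] < ack <= s[2])
        records.append({
            "ack_pkt": pkt, "new_bytes": ack - last_ack, "data_pkt": seg_pkt,
            "partial": ack != end,                        # ACK stops inside the segment
            "on_mss_boundary": (ack - first) % mss == 0,  # at a wire-segment edge
        })
        last_ack = ack
    return records

if __name__ == "__main__":
    for r in account_acks(CAPTURE):
        print(r)
```

The ACK in packet 151 stops one MSS into packet 150, the ACKs in packets 153 and 154 both land inside packet 152, and packet 156 finishes it. The per-ACK byte counts still sum to the 131072 bytes sent, so nothing is missing; the ACK boundaries just do not match the oversized frames seen on the capturing host.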