Hi! We've faced an interesting issue. When Wireshark (or tcpdump) is enabled we see a boost of throughput measured by iperf.
hostA ---- Linux GatewayA --- RouterA ---- L2VPN ---- RouterB ---- Linux GatewayB ---- hostB
The link between routers is 100Mb/s, Linux Gateways are crypto gates making an IPsec tunnel, so doing iperf between the end hosts we see 28 Mb/s with Wireshark on end hosts disabled, and 44 Mb/s with Wireshark enabled. End hosts are Windows machines.
Maybe there is some issue with TCP/IP Windows Stack in some possible non-optimal packet handling that is "fixed" by enabling Wireshark?
asked 27 Jun '13, 05:31 AlAl edited 27 Jun '13, 14:43
One Answer:
me too. Another option: Maybe there is a driver issue with TCP offloading. Maybe (really just maybe) the driver enables (or disables) TCP offloading if the interface runs in promiscuous mode, hence only an effect for TCP and not for UDP !?!
answered 28 Jun '13, 01:59 Kurt Knochner ♦
Kurt, probably you have pointed me to the solution, we have tried to disable TCP offloading in hosts network drivers (Broadcom Netextreme) and now we have 58 Mb/s between the hosts... (28 Jun '13, 03:52) AlAl
good. PS: I converted my comment to an answer. HINT: If a supplied answer resolves your question can you please "accept" it by clicking the checkmark icon next to it. This highlights good answers for the benefit of subsequent users with the same or similar questions. (08 Jul '13, 03:54) Kurt Knochner ♦
What do you mean by "wireshark enabled"? Running, or installed?
If running, are you opening the interfaces in promiscuous mode?
Yes, running in promiscuous mode on the interface from which iperf is sending (or receiving) traffic
Does it also happen if you don't run in promiscuous mode?
Do you have Name Resolution enabled? Possibly via external DNS?
It's needed to check, we used Wireshark with default settings, so promiscuous mode was on. I accidentally noticed the difference, the main task was to measure IPsec throughput capabilities of the gateways.
no DNS, servers access each other by ip.
does Wireshark show the same throughput as jperf?
Yes, it does, please see an attached picture
O.K. that's kind of strange. Can you please test with UDP?
Yes, tested earlier, it seemed no issue with UDP, speed 60 MB/s with no packet loss (unfortunately now I have no pics regarding those tests)
I'd go and look into the TCP tests and compare values like RWIN etc. and especially look for delayed ACKs or whatever slowing the growth of CWIN when wireshark/tcpdump is not enabled. Might find something there. It would be very interesting if you could upload some tests to cloudshark, first 1000 packets or so - would highly appreciate that and like to take a closer look.
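The comparison suggested in the last comment (ACK timing and advertised window with and without the capture running) can be scripted once the TCP fields are exported from each capture. This is an added example, not part of the thread: the record layout, the addresses, the sample packets and the 40 ms cut-off are all assumptions made for illustration.

```python
from collections import namedtuple

# One record per TCP packet as seen on the receiving host (ts in seconds).
Pkt = namedtuple("Pkt", "ts src seq length ack win")

SENDER, RECEIVER = "10.0.0.1", "10.0.0.2"  # constructed addresses

# Constructed sample, not taken from the thread's capture.
SAMPLE = [
    Pkt(0.0000, SENDER, 1, 1460, 1, 65535),
    Pkt(0.0010, SENDER, 1461, 1460, 1, 65535),
    Pkt(0.0012, RECEIVER, 1, 0, 2921, 65535),   # ACK right after 2nd segment
    Pkt(0.0100, SENDER, 2921, 1460, 1, 65535),
    Pkt(0.2100, RECEIVER, 1, 0, 4381, 64075),   # lone segment, ACK held back
    Pkt(0.2110, SENDER, 4381, 1460, 1, 65535),
    Pkt(0.2120, SENDER, 5841, 1460, 1, 65535),
    Pkt(0.2121, RECEIVER, 1, 0, 7301, 65535),
]

def ack_delays(packets, sender, receiver):
    """Return (ack_ts, delay, advertised_window) for every ACK that
    acknowledges new data; delay is measured from the arrival of the
    newest segment the ACK covers. Sequence wrap-around is ignored."""
    pending, out = [], []          # pending: (end_seq, arrival_ts)
    for p in packets:
        if p.src == sender and p.length > 0:
            pending.append((p.seq + p.length, p.ts))
        elif p.src == receiver and p.length == 0:
            covered = [x for x in pending if x[0] <= p.ack]
            if not covered:        # duplicate ACK or window update
                continue
            newest_ts = max(covered)[1]
            out.append((p.ts, round(p.ts - newest_ts, 6), p.win))
            pending = [x for x in pending if x[0] > p.ack]
    return out

def summarize(delays, threshold=0.040):
    """Count ACKs held back longer than threshold (assumed cut-off, seconds)."""
    return {
        "acks": len(delays),
        "delayed": sum(1 for _, d, _ in delays if d >= threshold),
        "max_delay": max(d for _, d, _ in delays),
        "min_win": min(w for _, _, w in delays),
    }

if __name__ == "__main__":
    print(summarize(ack_delays(SAMPLE, SENDER, RECEIVER)))
```

Running the same summary over one capture taken with the sniffer active and one taken from a mirror port with it inactive gives two dictionaries that can be compared field by field.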