discrepancy between PSH and without PSH

Question

Hi Team,

I have a problem regarding http connection. I have a server as a host send the data to multiple clients by using http connection. Server A, the connection is good with the higher tps ( Transaction per second ) than the others. Server A having lower tps, i have snoop the both server from host.

SERVER A:
"21","0.013006","10.2.230.48","10.251.151.31","HTTP","267","HTTP/1.1 200 OK "
"28","0.017704","10.2.230.48","10.251.151.31","HTTP","267","HTTP/1.1 200 OK "
"35","0.022589","10.2.230.48","10.251.151.31","HTTP","267","HTTP/1.1 200 OK "
"42","0.027227","10.2.230.48","10.251.151.31","HTTP","267","HTTP/1.1 200 OK "
"49","0.031999","10.2.230.48","10.251.151.31","HTTP","267","HTTP/1.1 200 OK "
"56","0.036774","10.2.230.48","10.251.151.31","HTTP","267","HTTP/1.1 200 OK "
"63","0.041302","10.2.230.48","10.251.151.31","HTTP","267","HTTP/1.1 200 OK "
"70","0.046025","10.2.230.48","10.251.151.31","HTTP","267","HTTP/1.1 200 OK "
"77","0.050789","10.2.230.48","10.251.151.31","HTTP","267","HTTP/1.1 200 OK "
"84","0.055563","10.2.230.48","10.251.151.31","HTTP","267","HTTP/1.1 200 OK "
"91","0.060209","10.2.230.48","10.251.151.31","HTTP","267","HTTP/1.1 200 OK "
SERVER B :
"4","0.019952","10.251.228.15","10.251.151.32","TCP","130","irdmi > 58637 [PSH, ACK] Seq=1 Ack=1 Win=65 Len=76"
"5","0.021030","10.251.151.32","10.251.228.15","TCP","398","58637 > irdmi [PSH, ACK] Seq=1 Ack=77 Win=49640 Len=344"
"6","0.022705","10.251.228.15","10.251.151.32","TCP","60","irdmi > 58637 [ACK] Seq=77 Ack=345 Win=65 Len=0"
"13","0.332018","10.251.228.15","10.251.151.32","TCP","130","irdmi > 58637 [PSH, ACK] Seq=77 Ack=345 Win=65 Len=76"
"14","0.354679","10.251.151.32","10.251.228.15","TCP","402","58637 > irdmi [PSH, ACK] Seq=345 Ack=153 Win=49640 Len=348"
"15","0.356432","10.251.228.15","10.251.151.32","TCP","60","irdmi > 58637 [ACK] Seq=153 Ack=693 Win=65 Len=0"
"22","0.596000","10.251.228.15","10.251.151.32","TCP","130","irdmi > 58637 [PSH, ACK] Seq=153 Ack=693 Win=65 Len=76"
"23","0.596900","10.251.151.32","10.251.228.15","TCP","402","58637 > irdmi [PSH, ACK] Seq=693 Ack=229 Win=49640 Len=348"
"24","0.598664","10.251.228.15","10.251.151.32","TCP","60","irdmi > 58637 [ACK] Seq=229 Ack=1041 Win=65 Len=0"
"31","0.795945","10.251.228.15","10.251.151.32","TCP","130","irdmi > 58637 [PSH, ACK] Seq=229 Ack=1041 Win=65 Len=76"
"32","0.797018","10.251.151.32","10.251.228.15","TCP","389","58637 > irdmi [PSH, ACK] Seq=1041 Ack=305 Win=49640 Len=335"
"33","0.798730","10.251.228.15","10.251.151.32","TCP","60","irdmi > 58637 [ACK] Seq=305 Ack=1376 Win=65 Len=0"
"40","1.011976","10.251.228.15","10.251.151.32","TCP","130","irdmi > 58637 [PSH, ACK] Seq=305 Ack=1376 Win=65 Len=76"
"41","1.013027","10.251.151.32","10.251.228.15","TCP","398","58637 > irdmi [PSH, ACK] Seq=1376 Ack=381 Win=49640 Len=344"
"42","1.014742","10.251.228.15","10.251.151.32","TCP","60","irdmi > 58637 [ACK] Seq=381 Ack=1720 Win=65 Len=0"
"52","1.267932","10.251.228.15","10.251.151.32","TCP","130","irdmi > 58637 [PSH, ACK] Seq=381 Ack=1720 Win=65 Len=76"
"53","1.268930","10.251.151.32","10.251.228.15","TCP","389","58637 > irdmi [PSH, ACK] Seq=1720 Ack=457 Win=49640 Len=335"

Kindly help where is the discrepancy exactly ? Would you mind to analyze this problem ? should we disable PSH and ACK to increase the traffic ?

Thanks & Regards, Wilis

Answer 1

0

should we disable PSH and ACK to increase the traffic ?

PSH has nothing to do with a potential performance problem (and you won't be able to disable that flag, at least I don't know a way to do that).

I guess the second server is simply accessed on port 8000 (irdmi) and that's the reason why you don't see any HTTP traffic in Wireshark. Please add port 8000 to the HTTP dissector.

Either: right click one packet, then select "Decode As" -> Destination (8000) -> HTTP
or: Edit Preferences -> Protocols -> HTTP -> TCP Ports

Regards
Kurt

answered 11 Jul '13, 05:06

Kurt Knochner ♦
24.8k●10●39●237
accept rate: 15%

Hi Kurt,

Thanks for your explanation, But i still strange regarding the TPS, the first server is very good, but i dont know what happen on the second server. Would you mind to analyze this ? this is after i decode as your suggestion :

"1","0.000000","10.251.228.15","10.251.151.32","HTTP","130","HTTP/1.1 200 OK " "4","0.019952","10.251.228.15","10.251.151.32","HTTP","130","HTTP/1.1 200 OK " "7","0.175947","10.251.228.15","10.251.151.32","HTTP","130","HTTP/1.1 200 OK " "10","0.264047","10.251.228.15","10.251.151.32","HTTP","130","HTTP/1.1 200 OK " "13","0.332018","10.251.228.15","10.251.151.32","HTTP","130","HTTP/1.1 200 OK " "16","0.400014","10.251.228.15","10.251.151.32","HTTP","130","HTTP/1.1 200 OK " "19","0.480045","10.251.228.15","10.251.151.32","HTTP","130","HTTP/1.1 200 OK " "22","0.596000","10.251.228.15","10.251.151.32","HTTP","130","HTTP/1.1 200 OK " "25","0.680027","10.251.228.15","10.251.151.32","HTTP","130","HTTP/1.1 200 OK " "28","0.792015","10.251.228.15","10.251.151.32","HTTP","130","HTTP/1.1 200 OK " "31","0.795945","10.251.228.15","10.251.151.32","HTTP","130","HTTP/1.1 200 OK " "34","0.928016","10.251.228.15","10.251.151.32","HTTP","130","HTTP/1.1 200 OK "

Between the first transaction and the second transaction take too long ? or is there any suggestion from you about this ?

Thanks Wilis

(11 Jul '13, 06:13) Wilis

Wilis, to be able to analyze a possible problem, we would need the capture file itself. Is it possible to post the two files somewhere (google docs, dropbox). Beware of privacy issues (due to internal data in the capture files).

BTW: Why do you believe there is a problem. The requests per second you see in the capture file are mainly triggered by the clients (without knowing your application), so the request rate of the clients is a critical factor, right?

(11 Jul '13, 06:24) Kurt Knochner ♦

Hi Kurt,

Actually the clients are our customer. So we need to increase the performance of our customers/ client servers. Can we know whether the client is using synchronous methode or asynchronous methode by wireshark ?

Thank you very much.

Wilis

(12 Jul '13, 08:55) Wilis

Can we know whether the client is using synchronous method or asynchronous method by wireshark?

what does that mean in the context of HTTP and your application?

(12 Jul '13, 23:56) Kurt Knochner ♦

Hi Kurt,

My application send the http to the external system. My application using GET methode, and send 6 parameters to the clients. The 6 paramaters are MSISDN, IMEI, IMSI, Vendor, Model_Phone, MSCID/Location.

Thanks Wilis

(14 Jul '13, 03:11) Wilis

Hi Wilis,

I'm sorry, but I really can't help. The information you provided so far does not describe the situation in a way that I understand if there is a problem, and if so what problem you might have. So, here are some essential questions:

Why do you think there is a problem with server B, while server A seems to be 'O.K.'? Is that assumption mainly based on your observation of the PSH flags in the capture file?
What exactly is the problem with server B? You are talking about TPS (transactions per second) and synchronous/asynchronous requests, without an explanation what that means within your application. Regarding TPS: How is a transaction defined in your application? Regarding sync/async requests: How is that defined in your application? Without that information it is impossible to tell if you can 'detect' either method in the capture file.
How does your application work (basically)? Who is requesting data and at what rate (maybe your TPS) and who is answering(sending data)?
What is the expected behavior and what is the observed behavior of the application?
In the context of question 3./4.: How do you recognize a problem with server B, meaning how is the communication with server B different than the communication with server A?
The time deltas between the packets to server A are essentially smaller than those to server B. But the server IP addresses are in totally different subnets (I assume . The time difference may be caused by the network, the client, the server, the application or even by the display filter in Wireshark. Please add some information about the difference of scenario/test A (server A) and scenario/test B (server B). So,
- did you apply the same display filter?
- how many hops are between the clients and the servers (IP TTL)?
- is the client software identical (same OS, same client software, e.g. browser)?
- is the server software (OS, server software) identical?
- is the hardware of both servers identical?
- is the load (CPU, RAM, etc.) of both servers identical?
Finally: is it possible to post sample capture files somewhere (google docs, dropbox, etc.)? I don't think so, based on the content of your GET requests (IMSI, etc.). I'm still asking, just in case ... If it not possible to post the capture files, please try to answer all questions as thoroughly as possible.

(14 Jul '13, 05:18) Kurt Knochner ♦

Analysis

Here comes a first attempt to explain a possible cause of a possible problem ;-)

Communication pattern of server B

There seems to be this pattern.

client -> server REQUEST: +/- 340 bytes (335, 344, 348)
server -> client ACK : 0 bytes
server -> client RESPONSE: 76 bytes

"5","0.021030","10.251.151.32","10.251.228.15","TCP","398","58637 > irdmi [PSH, ACK] Seq=1 Ack=77 Win=49640 Len=344"
"6","0.022705","10.251.228.15","10.251.151.32","TCP","60","irdmi > 58637 [ACK] Seq=77 Ack=345 Win=65 Len=0"
"13","0.332018","10.251.228.15","10.251.151.32","TCP","130","irdmi > 58637 [PSH, ACK] Seq=77 Ack=345 Win=65 Len=76"

The ACK (Frame #6) is pretty fast, while the RESPONSE (Frame #13) takes quite some time. Based only on this dump of a capture file, the 'problem' might be caused by

a higher load on server B (10.251.228.15)
necessary communication time while the server software communicates with back end systems (database servers, etc.)

Communication pattern of server A

Your capture file only shows the results of the HTTP request. So, a direct comparison with capture B does not make sense.

Difference of communication pattern

However, if I compare the data of server B (posted in your comment), I can also see that the rate of "200 OK" messages from server B is substantially smaller than the ones from server A.

Server A: Delta = ~ 0.005 seconds

"21","0.013006","10.2.230.48","10.251.151.31","HTTP","267","HTTP/1.1 200 OK "
"28","0.017704","10.2.230.48","10.251.151.31","HTTP","267","HTTP/1.1 200 OK "
"35","0.022589","10.2.230.48","10.251.151.31","HTTP","267","HTTP/1.1 200 OK "
"42","0.027227","10.2.230.48","10.251.151.31","HTTP","267","HTTP/1.1 200 OK "
"49","0.031999","10.2.230.48","10.251.151.31","HTTP","267","HTTP/1.1 200 OK "

Server B: Delta = ~ 0.08 seconds

"1","0.000000","10.251.228.15","10.251.151.32","HTTP","130","HTTP/1.1 200 OK " "4","0.019952","10.251.228.15","10.251.151.32","HTTP","130","HTTP/1.1 200 OK " "7","0.175947","10.251.228.15","10.251.151.32","HTTP","130","HTTP/1.1 200 OK " "10","0.264047","10.251.228.15","10.251.151.32","HTTP","130","HTTP/1.1 200 OK " "13","0.332018","10.251.228.15","10.251.151.32","HTTP","130","HTTP/1.1 200 OK "

This could be caused by

a difference in the request rate of the clients (did you check that?)
by a delay in the response of server B (see above). Please compare that with the data of server A, or post a similar output for server A (the one of server B in your question).

Regards
Kurt

(14 Jul '13, 05:23) Kurt Knochner ♦

Hi Kurt,

Thank you vry much for your explanation, We will try to explorer based on your analysis.

Thanks & Regards, Wilis

(14 Jul '13, 22:09) Wilis

O.K.

Hint: If a supplied answer resolves your question can you please "accept" it by clicking the checkmark icon next to it. This highlights good answers for the benefit of subsequent users with the same or similar questions.

(16 Jul '13, 03:22) Kurt Knochner ♦

showing 5 of 9 show 4 more comments