I'm trying to understand the captures I've done. I'm getting an enormous number of "previous packet" and "ack'd lost packet". I've done my captures on two windows 2012 virtual hosts simultaneously with Wireshark installed on the VMs and the expert infos results are radically different. These hosts have 10G interfaces. Wireshark doesn't show any dropped packets in the gui while capturing and the file comes over without a problem. There are some duplicate acks and some retransmissions. Where are my packets going? Is the Wireshark capture too slow to keep up? I don't have a virtual shark. I need to find out why I'm only getting 600Mbps average with iperf. The servers are on the same vlan.
asked 28 Oct '13, 19:09
Do the hosts or the virtual machines have 10G interfaces?
sounds like the interfaces in the virtual machines are only (simulated) 1Gig interfaces (or the ports of the virtual switch are only 1G - if that is even configurable within your virtualization tool). Did you check that?
answered 29 Oct '13, 04:08
Kurt Knochner ♦
edited 29 Oct '13, 05:13
Looks like tons of dropped frames to me. You should keep in mind that drops may happen way before Dumpcap/Wireshark even sees the frame, so if you're slamming your NICs with frames it is very likely that a lot of them are already dropped on driver or OS level, and Wireshark will never even know (and thus not show them as dropped).
Also, I'm pretty sure that a standard PC cannot hope to record 10GB/s speeds, let alone write them to disk. You would have to be able to write more than 1GByte/s to disk at that speed, and I doubt you have a disk array that can do that.
answered 29 Oct '13, 03:43
Yes, you'll have a huge disk IO load if you try to capture that amount of network traffic. Thanks for sharing nice or informative post.. Our comment source:
answered 12 Feb '14, 01:00