This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

virtual hosts and smb2 transfers

0

I'm trying to understand the captures I've done. I'm getting an enormous number of "previous packet" and "ack'd lost packet". I've done my captures on two windows 2012 virtual hosts simultaneously with Wireshark installed on the VMs and the expert infos results are radically different. These hosts have 10G interfaces. Wireshark doesn't show any dropped packets in the gui while capturing and the file comes over without a problem. There are some duplicate acks and some retransmissions. Where are my packets going? Is the Wireshark capture too slow to keep up? I don't have a virtual shark. I need to find out why I'm only getting 600Mbps average with iperf. The servers are on the same vlan.

asked 28 Oct '13, 19:09

psdufour's gravatar image

psdufour
6112
accept rate: 0%


3 Answers:

0

I've done my captures on two windows 2012 virtual hosts
These hosts have 10G interfaces.

Do the hosts or the virtual machines have 10G interfaces?

I need to find out why I'm only getting 600Mbps average with iperf.

sounds like the interfaces in the virtual machines are only (simulated) 1Gig interfaces (or the ports of the virtual switch are only 1G - if that is even configurable within your virtualization tool). Did you check that?

Regards
Kurt

answered 29 Oct '13, 04:08

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 29 Oct '13, 05:13

When I do the iperf test using Redhat linux VM's, I get better than 2 Gbps.

(29 Oct '13, 07:23) psdufour

When I do the iperf test using Redhat linux VM's, I get better than 2 Gbps.

O.K. but what if the driver in Windows detects only 1G (virtual) interfaces? Please check that!

BTW: What is your Virtualization product (KVM, Xen, VMware)?

(29 Oct '13, 08:08) Kurt Knochner ♦

I'm using VMware. The Windows guests are set at 10G. So that would be a shared 10G. They are using TCP offloading. I set up and did another test. I used a laptop with a 1G interface and used the default parameters for iperf and got 900+. When I went from VM server load to VM server load, I got 600+. When I tried to use Wireshark on one of the VM's at the same time I was doing the test between VM's, I got 400+ and the server end of iperf dropped packets in Wireshark. I see variations in TCP window sizes (I got the SYN packets), driving down to the 200's. I tried running Wireshark on the laptop while doing the test, but Wireshark dropped 30% of the packets according to the GUI bar.

(31 Oct '13, 07:48) psdufour
1

sounds like your VMware guests are fast enough to deliver more throughput.

As you said:

using Redhat linux VM's, I get better than 2 Gbps.

if we can assume, that you used the same hardware specs for the Linux and Windows VM guests, there might be an issue with the 'network driver' in the Windwos guests (which virtual network hardware did you assign to them?). Did you enable Jumbo Frames in Linux? Did you enable them in Windows?

BTW: Running Wireshark in parallel to iperf on a possibly overloaded system, will kill your performance, especially as you'll have a huge disk IO load if you try to capture that amount of network traffic.

I think it's a good idea to ask your local VMware guru how to get the best networking performance for Windows guests, as other people describe that they can easily saturate a 10G link with two virtual guests.

http://virtualtricks.blogspot.de/2009/04/10-gbps-networking-performance-on.html

Maybe it's also a good idea to read some of the following papers (vSphere might be older than your environment).

http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/c07-601040-00_vm_10gbn_dn_v2a.pdf
http://www.vmware.com/pdf/Perf_Best_Practices_vSphere4.1.pdf
http://www.vmware.com/files/pdf/techpaper/network-io-latency-perf-vsphere5.pdf
http://www.vmware.com/files/pdf/techpaper/Performance-Networking-vSphere4-1-WP.pdf

(31 Oct '13, 08:22) Kurt Knochner ♦

0

Looks like tons of dropped frames to me. You should keep in mind that drops may happen way before Dumpcap/Wireshark even sees the frame, so if you're slamming your NICs with frames it is very likely that a lot of them are already dropped on driver or OS level, and Wireshark will never even know (and thus not show them as dropped).

Also, I'm pretty sure that a standard PC cannot hope to record 10GB/s speeds, let alone write them to disk. You would have to be able to write more than 1GByte/s to disk at that speed, and I doubt you have a disk array that can do that.

answered 29 Oct '13, 03:43

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

@Jasper: I wonder if two virtual machines, given they really use the 10G interfaces of the host, are able to saturate the 10G link (with iperf or other tests)? Do you have any experience with such a setup, let's say in VMware?

(29 Oct '13, 04:10) Kurt Knochner ♦

Unfortunately I do not have access to virtualization hosts with that kind of hardware (10G NICs plus 10G switches), sorry :-)

(29 Oct '13, 07:07) Jasper ♦♦

No problem. I thought you might have had a chance in the last couple of years, during vmware trainings or so... ;-)

(29 Oct '13, 08:08) Kurt Knochner ♦

0

Yes, you'll have a huge disk IO load if you try to capture that amount of network traffic. Thanks for sharing nice or informative post.. Our comment source:

10G bit tcp offload

answered 12 Feb '14, 01:00

intilop's gravatar image

intilop
111
accept rate: 0%

Is this advertisement spam, promoting the products of your company? If it's not spam, can you please add some information how your products help to reduce the IO load while capturing at 10G ?

(12 Feb '14, 01:18) Kurt Knochner ♦