This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Packet Loss, retransmissions but no switch port errors.

0

This is a general question. We have an WAN based enterprise application where most sites traverse 8-12 hops before getting to a data center load balancer (CISCO 6509E) which sprays to a web server cluster. Using WireShark we are getting lost of re-transamissions (4%) coming from the load balancer at the TCP level, but when we look at the devices along the path, we are not seeing any switch port errors along the way. I know that Ethernet is not responsible for reporting dropped packets, its the job of TCP. However, would I not see some error counter on the NIC cards (servers) or switch ports along the way? Is it possible to see that packet loss that we have seen yet not see anything on any of the switch ports?

Switch Name/ interface Time Max Utilization Queue Drops In/Out Tester Connection
ITDCHLPBR1-Gb1/7 1000-1130 3.4 kbps 0/0

MITC Data center
ITDCHLPBR1-TenGb8/1 1000-1130 348.3 Mbps 0/0 ITDCHLPBR2-TenGb8/1 1000-1130 357 Mbps 0/0 ITD-CHL-CORE-1-TenGb7/1 1000-1130 449.9 Mbps 0/0 ITD-CHL-CORE-2-TenGb7/1 1000-1130 388.6 Mbps 0/0

INTERNET DMZ
ITD-CHL-CORE-1-TenGb8/1 1000-1130 67.1 Mbps 0/0 ITD-CHL-CORE-2-TenGb8/1 1000-1130 5.0 kbps 0/0 ITD-INTERNET-DMZ-1-TenGb5/4 1000-1130 58.2 Mbps 0/0 ITD-INTERNET-DMZ-2-TenGb5/4 1000-1130 24.2 kbps 0/0

HRCMS server farms
ITDCHLPBR1-TenGb8/4 1000-1130 92.4 Mbps 0/0 ITDCHLPBR2-TenGb8/4 1000-1130 5 kbps 0/0 AIX-COMPLEX-1-TenGb1/4 1000-1130 86.1 Mbps 0/0 AIX-COMPLEX-2-TenGb1/4 1000-1130 61.6 kbps 0/0

asked 04 Dec '13, 14:48

Zoberist's gravatar image

Zoberist
0778
accept rate: 0%

One Answer:

1

Are you sure that these are really retransmissions? Wireshark has a habit of marking packets as "Retransmission" when they're just "Out-of-Order", and those are a lot less problematic (well, in most cases they are no problem at all) than real packet loss. Even with retransmissions you need to ask yourself if they really have an impact on your application, because if the recovery is so fast that the user doesn't even notice the lost packets you might not want to waste time on tracking them down.

You should determine if the packet loss really occurred by looking at the TCP sequence and acknowledgement numbers. If there is packet loss then you should see that the client is using duplicate ACKs to signal the missing segment and a retransmission arriving for that segment. Please keep in mind that the TCP expert of Wireshark does not care about the RTT of the connection and flags packets as retransmissions if they arrive more than 3ms after the segment should have arrived in the first place. The 3ms is hard coded. If your connection has a RTT that is higher than that (which I guess from your description is probably has) you can easily run into the problem that the expert marks packets as retransmissions while they are Out-of-Orders in fact. This happens a lot if WAN acceleration devices are in use, because they often seem to reorder packets to optimize throughput and/or latency.

answered 04 Dec '13, 15:43

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%