This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to find the input error (overrun) from the logs

0

Hi, I have a large file of logs captured from a Gig interface. On the other side we have a CISCO 7206VXR router where we see the overrun counter increasing.

How do I identify which packets are causing the overrun problem?

Could you please help me?

Regards Siva

asked 06 Apr '11, 00:42

Siva
accept rate: 0%


2 Answers:

0

Just a couple of ideas:

You might want to identify when and where packets are lost, which you could do by using the I/O Graph (to be found in the statistics menu) and adding a graph showing all retransmissions by entering the tcp.analysis.retransmission filter to one of the empty graph lines below the trace (I usually use Graph2 because it is red, and set it to "FBar" style). Keep in mind to scale the Y-axis to logarithmic since you might not see any retransmission at first because the number of packets/bytes is far greater than the lost packets/bytes. You might see times when lots of packets are lost and go from there to find out what is happening in that time frame.

You could use the conversation statistics to see which communications put the most packets/bytes on the line by sorting the list by packets or bytes. Then you should check if those communications have suspicious amounts of lost packets and retransmissions caused by the overload - for example by filtering for the conversations through the popup menu in the statistics and later adding "and tcp.analysis.retransmission" to the conversation filter.

You could also go the other way around: filter for tcp.analysis.retransmission and then use the conversation statistics with the "Limit to display filter" option at the bottom to get statistics of the conversations with retransmission. Sort them by number of packets and you know which one lost the most packets. Those connections often caused the problem themselves by putting lots of traffic on the line.

That will help finding the cause if it is just a couple of connections creating the overrun by massive transfers of data. If the overload is caused just by the sheer number of connections with just a little traffic you might have more work ahead of you.

answered 06 Apr '11, 01:00

Jasper ♦♦
accept rate: 18%
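
The conversation ranking and per-interval retransmission count described in the answer above can also be done offline on a tshark field export. This is an added example, not part of the original answer; the column order, the sample rows and the function names are assumptions made for illustration.

```python
import csv
from collections import Counter, defaultdict

# Assumed export command (column order must match the parser below):
#   tshark -r capture.pcap -Y tcp -T fields -E separator=, \
#     -e frame.time_relative -e ip.src -e tcp.srcport -e ip.dst \
#     -e tcp.dstport -e frame.len -e tcp.analysis.retransmission
# Constructed sample rows; a non-empty last column marks a retransmission.
SAMPLE = """\
0.10,10.0.0.5,51000,10.0.1.9,445,1514,
0.11,10.0.1.9,445,10.0.0.5,51000,66,
0.35,10.0.0.5,51000,10.0.1.9,445,1514,1
0.36,10.0.0.5,51000,10.0.1.9,445,1514,1
1.20,10.0.0.7,40222,10.0.1.9,80,400,
1.25,10.0.0.7,40222,10.0.1.9,80,400,1
2.40,10.0.0.5,51000,10.0.1.9,445,1514,1
"""

def rank_conversations(lines):
    """Per-conversation totals, conversations with most retransmissions first."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "retrans": 0})
    for row in csv.reader(lines):
        if len(row) < 7 or not row[1]:      # skip malformed or non-IPv4 rows
            continue
        _, src, sport, dst, dport, length, retrans = row[:7]
        # Direction-independent key, like Wireshark's conversation list.
        key = tuple(sorted([(src, int(sport)), (dst, int(dport))]))
        entry = stats[key]
        entry["packets"] += 1
        entry["bytes"] += int(length)
        if retrans.strip():
            entry["retrans"] += 1
    return sorted(stats.items(),
                  key=lambda kv: (kv[1]["retrans"], kv[1]["bytes"]),
                  reverse=True)

def retrans_per_interval(lines, interval=1.0):
    """Retransmissions per time bucket, the data behind the I/O Graph line."""
    buckets = Counter()
    for row in csv.reader(lines):
        if len(row) >= 7 and row[6].strip():
            buckets[int(float(row[0]) // interval)] += 1
    return dict(sorted(buckets.items()))

if __name__ == "__main__":
    for conv, totals in rank_conversations(SAMPLE.splitlines()):
        print(conv, totals)
    print(retrans_per_interval(SAMPLE.splitlines()))
```
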

0

Hi Jasper

I did the above and found a smaller number of packets. The difference between the output error before and after the data capture was about 420+. Wireshark shows only 144 flows.

Wondering because this does not match with the counter on the interface.

Any other thoughts?

answered 06 Apr '11, 05:01

Siva
accept rate: 0%

Where did you capture, and how? I was under the impression that you capture on the link that is going with high speed into the router that is then dropping packets.

If your gigabit link is really busy you might not be able to capture packets without sacrifice unless you have really powerful capture hardware; most notebooks, for example, drop up to 80% of all packets on a crowded gigabit link.

(06 Apr '11, 05:19) Jasper ♦♦

This was captured on the Gig interface of the switch. Most likely the customer might have enabled port span and captured it.

Regards

(06 Apr '11, 06:13) Siva

Depending on the amount of traffic on the gig link and the way the customer captured it you might not be able to troubleshoot unless you know exactly what was done and how. Most inexperienced users that capture without really knowing what to look for do not even notice they are dropping packets right, left and center...

(06 Apr '11, 07:07) Jasper ♦♦