This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Pilot burst bandwidth report when capturing on a server

0

I installed Wireshark on a streaming media server to perform a capture. This server is on its own switch port, but in an IP subnet that has other servers. So the streaming media server can see traffic intended for other servers, yet it is on its own 1 Gigabit link to the switch.

So here’s my question: when the burst bandwidth report (1 ms) says the bandwidth in this capture is bursting to 1.4 Gigabit, is that truly just for this link the server is on, or is that traffic not intended for this server that shows up in the reports muddling this result?

Thanks.

asked 09 Apr '11, 14:13

eelarry

Riverbed: We can see the bandwidth reported on the 1 ms views seems to exceed the link speed, which should not be possible.

In Windows, using a normal NIC, the OS handles time-stamping the arriving packets. Depending on what else the OS is handling, there can be some delay in the time-stamping process and several packets collected in the buffer may be recorded with the same time-stamp.

TurboCap capture card, when installed in a Linux box, time stamping can be made more accurate by assigning one of the CPU's processor. This will result in much greater accuracy for the sub-second burst views.

(19 Apr '11, 16:29) eelarry

One Answer:

1

You're kind of in the wrong place to ask questions about "Pilot", this is the Wireshark Q&A site. The "Burst bandwidth report" is pure Pilot functionality. You might want to contact Pilot support.

However, I'll give it a shot: Are you looking at the combined bandwidth (in and out)? If so, the maximum output that you can expect is 2Gbit/s on a full-duplex Gbit/s link. And since you're on a switch, this should only be traffic to/from the streaming media server on which you are capturing.

answered 09 Apr '11, 15:43

SYN-bit ♦♦

I agree--I thought I would only see traffic for this server, but I'm seeing many other conversations and I don't know why, unless this switch, which happens to be an HP 1800 with old firmware, is not doing its job.

(09 Apr '11, 18:05) eelarry

Okay, the traffic I'm seeing that should not be on this port is from a Microsoft load balancer, but I still don't know why it is seen there.

(09 Apr '11, 20:30) eelarry

(I converted your "answers" to "comments" as that's the way this site works best, see the FAQ)

Microsoft loadbalancing works by flooding all incoming traffic to all ports in the vlan. This is done by having a virtual mac-address that is used for only incoming traffic (the arp response gives out the address). Outgoing traffic never uses this mac-address and therefore the switch must flood the traffic.

(10 Apr '11, 00:05) SYN-bit ♦♦

Thank you for your reply and the forum tips! So MS load balancing is flooding to all ports in the vlan and making them process traffic they should not be seeing! Sounds like the reason this network is experiencing problems under even moderate loads.

(10 Apr '11, 08:17) eelarry

I'm not sure if Microsoft also suggests this, but I would always put a Microsoft Network Loadbalancing cluster in a separate vlan to make sure no other systems will get all the incoming traffic.

(10 Apr '11, 09:46) SYN-bit ♦♦
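
The three effects discussed in this thread (combined in/out bandwidth, packets sharing one timestamp, and flooded traffic for other hosts) can be separated by binning a capture yourself. The following is an added example, not part of the original thread and not Pilot or Wireshark code; the MAC addresses and sample packets are constructed, and it assumes the capture has already been exported as (timestamp, length, source MAC, destination MAC) records.

```python
from collections import defaultdict

LINK_BPS = 1_000_000_000         # 1 Gbit/s link from the question
BIN_US = 1_000                   # 1 ms bins, as in the burst report
HOST_MAC = "00:11:22:33:44:55"   # constructed: NIC MAC of the capturing server
OTHER_MAC = "02:bf:0a:00:00:01"  # constructed: unicast MAC owned by another system
PEER_MAC = "00:aa:bb:cc:dd:ee"   # constructed: some sender on the network

def is_group(mac):
    """True for broadcast/multicast (I/G bit of the first octet is set)."""
    return bool(int(mac.split(":")[0], 16) & 1)

def burst_report(packets, host_mac=HOST_MAC, link_bps=LINK_BPS, bin_us=BIN_US):
    """packets: (timestamp_us, frame_bytes, src_mac, dst_mac) tuples.
    Returns per-bin bit counts split by direction, the received unicast
    that was not addressed to this host, and an 'impossible' flag."""
    bins = defaultdict(lambda: {"rx": 0, "tx": 0, "flooded": 0})
    for ts_us, length, src, dst in packets:
        b = bins[ts_us // bin_us]
        bits = length * 8
        if src.lower() == host_mac:
            b["tx"] += bits
            continue
        b["rx"] += bits
        if dst.lower() != host_mac and not is_group(dst):
            b["flooded"] += bits     # unicast for someone else, seen on this port
    cap_bits = link_bps * bin_us // 1_000_000  # bits one direction can carry per bin
    for b in bins.values():
        # One direction above line rate cannot happen on the wire: it means
        # several packets were stamped with (nearly) the same time.
        b["impossible"] = b["rx"] > cap_bits or b["tx"] > cap_bits
    return dict(bins)

SAMPLE = (  # constructed capture records
    [(500, 1500, PEER_MAC, HOST_MAC)] * 100                            # bin 0: one shared timestamp
    + [(1000 + 20 * i, 1500, PEER_MAC, HOST_MAC) for i in range(50)]   # bin 1: inbound
    + [(1000 + 20 * i, 1500, HOST_MAC, PEER_MAC) for i in range(50)]   # bin 1: outbound
    + [(2000 + 50 * i, 1500, PEER_MAC, HOST_MAC) for i in range(10)]   # bin 2: for this host
    + [(2000 + 50 * i, 1500, PEER_MAC, OTHER_MAC) for i in range(10)]  # bin 2: flooded
)

if __name__ == "__main__":
    for idx, b in sorted(burst_report(SAMPLE).items()):
        total_gbps = (b["rx"] + b["tx"]) / BIN_US / 1000
        print(idx, f"{total_gbps:.2f} Gbit/s combined", b)
```

Bins 0 and 1 both show 1.2 Gbit/s combined, but only bin 0 is flagged: there a single direction exceeds what the link can carry in 1 ms, while bin 1 is ordinary full-duplex traffic.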