This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

The smoking gun?

0

Two weeks ago, users started reporting issues with one of our Sun Oracle 7410 file servers. Opening a file on the server or downloading to a workstation tops out at speeds around 700 KB/s - 2.5 MB/s on a 1G link. There are no drops or discards on any switch interfaces in the path, Wireshark doesn't show any TCP Retransmissions, and there are multiple instances of an ACK from the server followed by a delay before sending the next packet, like so:

alt text

This makes me fairly positive that the server is the source of the problem, not the network. The server admins claim innocence. Is a delay like this proof-positive of a server issue, or does it warrant more troubleshooting from the network side?

asked 18 Aug '14, 06:32

reklov77's gravatar image

reklov77
11113
accept rate: 0%


One Answer:

1

It's a little hard to say from just a screenshot, but it looks like the client is sending a new read request in No. 21578, which gets ACKed in about 2 milliseconds (meaning "I've received your request"). After that it takes 10 seconds to start sending actual data, which is an eternity in networks.

If this trace was taken next to the server you have text book application delay (because the Stack ACKed nice and fast), but it takes ages for actual data to flow. If the trace was taken at the client you need to take another capture at the server to verify this behavior (and exclude freak network device behavior).

answered 18 Aug '14, 06:42

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

This trace was taken from the client. A SPAN capture on the server interface shows similar delays. Cloudshark is blocked at work (file sharing) so I can't upload a full capture.

(18 Aug '14, 06:52) reklov77

If you want you can send me a sample (only if there is no confidential stuff in the trace) to [email protected] But if the capture at the server shows similar delays you've got the smoking gun. SMB service delay on the server.

(18 Aug '14, 07:02) Jasper ♦♦