This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

[TCP retransmission]hyperV host to system center Virtual Machine Manager VMM

Question: We are getting a lot of Expert (error notifications) about TCP Retransmissions, Reassembly error; New Fragment overlaps old data (retransmission?).

The offending packets are happening between a Hyper-V node and the VMM. Should we be concerned, or is this a false positive?

Both servers are plugged in to the same switch; the Hyper-V node has a dedicated port and virtual network created for our server LAN. The VMM is just a server that sits on the same VLAN natively.

Summary...

3035    0.983810000 172.31.1.89 172.31.1.78 TCP 318 Note    [TCP Retransmission] 52503→5985 [PSH, ACK] Seq=2407 Ack=2911 Win=4100 Len=264
3036    0.983863000 172.31.1.89 172.31.1.78 TCP 1514        [TCP segment of a reassembled PDU]
3037    0.983864000 172.31.1.89 172.31.1.78 TCP 1514    Note    [TCP Retransmission] [TCP segment of a reassembled PDU]
3038    0.983865000 172.31.1.89 172.31.1.78 HTTP    736 Error   POST /wsman HTTP/1.1 [Malformed Packet]
3039    0.983866000 172.31.1.89 172.31.1.78 TCP 736 Error   [TCP Retransmission] 52503→5985 [PSH, ACK] Seq=4131 Ack=2911 Win=4100 Len=682[Reassembly error, protocol TCP: New fragment overlaps old data (retransmission?)]

asked 05 May '15, 13:21

Quorrum

edited 05 May '15, 14:03

Jasper ♦♦

Also checked the switch ports and there are no errors.

(05 May '15, 13:22) Quorrum

Sounds more like false positives... but maybe you can upload a capture file at http://www.cloudshark.org and post the link here? It's easier to check a trace than some ASCII dump.

(05 May '15, 14:05) Jasper ♦♦

Here is a chopped cap. Any help with this is appreciated. https://www.cloudshark.org/captures/64c49f52f75e

(06 May '15, 08:17) Quorrum

My issues are the dup ACKs and retransmissions. These seem like a waste of band... Should I be worried about these?

(06 May '15, 08:19) Quorrum

2 Answers:

We are chalking these up to false positives and Microsoft doing something, as usual, that they are not supposed to be doing.

answered 07 May '15, 13:08

Quorrum

Well, since every frame is seen twice, did you by any chance capture on a span-port with the source being a vlan? Then it is a capturing artefact, as every frame will first enter the vlan and then exit the vlan. When capturing on a vlan, better use "rx only" instead of "both".

answered 08 May '15, 04:06

SYN-bit ♦♦

monitor session 1 source vlan 100
monitor session 1 destination interface Gi9/18
monitor session 1 filter packet-type good rx

Only isn't an option.

ad.m.1(config)#monitor session 1 filter packet-type good rx ?
  <cr>

(08 May '15, 10:20) Quorrum

Good idea, I was under the assumption that it was only. I will look into that.

(08 May '15, 10:21) Quorrum

I don't have a Cisco switch at hand, but it should be something like:

monitor session 1 source vlan 100 rx
monitor session 1 destination interface Gi9/18
(08 May '15, 10:39) SYN-bit ♦♦
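
Added example, not part of the original thread: one way to tell the capture duplicates described in the second answer from real TCP retransmissions is to compare whole IP packets, since a mirrored copy is byte-identical and arrives almost immediately, while a genuine retransmission is normally a new IP packet sent later. The function names, the 1 ms window, the tolerance for differing 802.1Q tags and the sample frames are assumptions made for this illustration.

```python
import hashlib
import struct

def ip_packet(frame):
    """Strip the Ethernet header and any 802.1Q tags; return the IPv4 packet."""
    off = 12
    while frame[off:off + 2] == b"\x81\x00":      # skip a 4-byte VLAN tag
        off += 4
    pkt = frame[off + 2:]
    return pkt[:struct.unpack("!H", pkt[2:4])[0]]  # trim Ethernet padding

def classify(frames, window=0.001):
    """frames: (timestamp_s, raw_frame) pairs in capture order.
    Returns 'unique', 'capture-duplicate' or 'retransmission' per frame."""
    last_seen, segments, labels = {}, set(), []
    for ts, frame in frames:
        pkt = ip_packet(frame)
        ihl = (pkt[0] & 0x0F) * 4
        sport, dport, seq = struct.unpack("!HHI", pkt[ihl:ihl + 8])
        data_len = len(pkt) - ihl - (pkt[ihl + 12] >> 4) * 4
        seg = (pkt[12:20], sport, dport, seq, data_len)
        digest = hashlib.sha256(pkt).digest()
        if digest in last_seen and ts - last_seen[digest] <= window:
            labels.append("capture-duplicate")     # same bytes, same instant
        elif data_len > 0 and seg in segments:
            labels.append("retransmission")        # same data, sent again later
        else:
            labels.append("unique")
        last_seen[digest] = ts
        segments.add(seg)
    return labels

def make_frame(ip_id, seq, payload, vlan=None):
    """Constructed Ethernet/IPv4/TCP frame (checksums left at zero)."""
    eth = b"\x02" * 6 + b"\x04" * 6
    if vlan is not None:
        eth += b"\x81\x00" + struct.pack("!H", vlan)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), ip_id,
                     0x4000, 128, 6, 0, bytes([172, 31, 1, 89]), bytes([172, 31, 1, 78]))
    tcp = struct.pack("!HHIIBBHHH", 52503, 5985, seq, 2911, 0x50, 0x18, 4100, 0, 0)
    return eth + b"\x08\x00" + ip + tcp + payload

# Constructed sample, modelled on the addresses and ports in the question.
SAMPLE = [
    (0.983809, make_frame(100, 2407, b"A" * 264, vlan=100)),
    (0.983810, make_frame(100, 2407, b"A" * 264)),   # same packet, 1 us later
    (1.200000, make_frame(101, 2407, b"A" * 264)),   # resent data, new IP ID
    (1.300000, make_frame(102, 2671, b"B" * 100)),
]
```

Calling `classify(SAMPLE)` labels the second frame a capture duplicate and the third a retransmission. If most flagged frames fall in the first class, the mirror session is the cause, not the network.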