This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

4 Errors in Expert Infos

Hi, recently we have been suffering from an ever-increasing number of timeouts to our database server during peak times. This issue had previously been put down to the SQL server being under high load and queries timing out due to server resource issues. Since the timeouts have become more frequent, even during weekends when traffic is low, I've turned my attention to the network as the source of the problem.

This morning I ran a Wireshark trace for 30 mins on a monitor port which was mirroring traffic from our primary database, and the following was displayed in the Expert Infos screen.

[Screenshot: Expert Infos screen]

The Ethernet Bad checksum issue is being caused by the STP protocol messages coming from the switch, not sure if this one is actually a major issue.

The Malformed packets and retransmissions are what I'm more concerned with. I've been through and checked the following:

  • All network cards are running at full duplex
  • All servers are connected at 1Gbit
  • No QoS services enabled on the switch

Is there anything else obvious to check?

We have around 15 Windows 2003 servers, mix of physical and virtual (VMware ESX), plugged into a single 1Gbit HP switch. The storage network is plugged into a separate isolated switch.

asked 23 Jun '15, 06:03

siu07


One Answer:

With a lot of guessing (without seeing the real capture) I would say that the reported errors have nothing to do with your real problem. The Bad checksum on Ethernet can mostly be ignored - depending on where the trace was taken (on an endpoint vs. in the network) it might not be correct (anymore). So disable the checksum validation under Protocol Preferences to get rid of those ... The TDS (and DCERPC) errors: Wireshark is trying to dissect packets as TDS (Tabular Data Stream) when the payload is not carrying this protocol. You can disable the TDS protocol via Analyze -> Enabled Protocols.

That leaves the New Fragment overlaps ... an indication of packet loss and retransmissions occurring. These are not a red herring and might be related to a problem...

Just saw the "monitor port which was mirroring traffic from our primary database" - so if this was really a trace taken on a mirroring port the checksum better be correct or the packet will validly be dropped ...

Regards, Matthias

answered 24 Jun '15, 09:20

mrEEde

edited 24 Jun '15, 09:22
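
As an added illustration (not part of the original question or answer, and not Wireshark's own analysis code), the sketch below shows why a segment that overlaps data already seen points to retransmission, and how to turn that into a per-flow figure worth comparing against the timeout periods. The flow names, the sample segments and both function names are constructed for this example. It assumes only the highest byte seen per flow is tracked, so a late segment filling an earlier gap is counted as seen twice, and sequence-number wraparound is ignored.

```python
from collections import Counter, defaultdict

# Constructed sample data (not from the asker's capture):
# (flow, TCP sequence number, payload length), in capture order.
SEGMENTS = [
    ("app->db", 1000, 500),
    ("app->db", 1500, 500),
    ("app->db", 1500, 500),  # same bytes sent again
    ("app->db", 2000, 500),
    ("app->db", 2300, 400),  # 200 bytes already seen + 200 new
    ("app->db", 2700, 0),    # pure ACK, carries no data
    ("app->db", 3200, 300),  # bytes 2700-3199 missing from the capture
    ("db->app", 9000, 100),
]

def classify(segments):
    """Return (flow, label, resent_bytes, length) for each data segment."""
    next_seq = {}  # flow -> sequence number just past the highest byte seen
    out = []
    for flow, seq, length in segments:
        if length == 0:
            continue  # ACK-only segments cannot overlap anything
        end = seq + length
        expected = next_seq.get(flow, seq)
        if end <= expected:
            label, resent = "retransmission", length
        elif seq < expected:
            label, resent = "overlap", expected - seq
        elif seq > expected:
            label, resent = "gap", 0
        else:
            label, resent = "in-order", 0
        next_seq[flow] = max(expected, end)
        out.append((flow, label, resent, length))
    return out

def summarize(segments):
    """Per flow: label counts and the share of payload bytes seen twice."""
    counts, resent, total = defaultdict(Counter), Counter(), Counter()
    for flow, label, again, length in classify(segments):
        counts[flow][label] += 1
        resent[flow] += again
        total[flow] += length
    return {f: (dict(counts[f]), resent[f] / total[f]) for f in total}

if __name__ == "__main__":
    for flow, (labels, share) in summarize(SEGMENTS).items():
        print(f"{flow}: {labels}, bytes seen twice: {share:.1%}")
```

A "gap" label on a mirror-port capture can also mean the monitor port itself dropped the frame, so it is worth checking the flow on a second capture point before blaming the network path.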