Hi All, we have web server x that talks to domain controller y to authenticate a user constantly over a 2 hour period. What we are finding is that, like clockwork, every 5 minutes we are getting high response times for a short period. What I have also noticed is that the trace is adding entries multiple times a second, but when I notice the lag there are time gaps within Wireshark until it passes. I ran Wireshark on both servers and around that time we get a lot of TCP errors on the DC side. What is the best way to upload the trace? It's a TXT file. Thanks in advance.

asked 06 Dec '16, 07:00 foowish, edited 06 Dec '16, 07:02
One Answer:
Hi, worked out what it was in the end. It was our monitoring service hammering LDAP queries at our DC.

answered 13 Dec '16, 07:24 foowish
Much prefer a Wireshark capture file, either pcap or pcapng, at a file sharing service, e.g. CloudShark, Google Drive, Dropbox etc.
Hi, thanks for the response. I can upload, but I need to omit all IP address information for security reasons.
Then see TraceWrangler, which can anonymise captures.
Thanks Graham, I've uploaded it using the following link:
https://drive.google.com/open?id=0B1EcZKOSIZVUelhka2RFejFRRTQ
It is not worth much from my point of view. Segmentation offload is enabled. We can't see what really happens at the network.
What do you suggest I do to get a better capture? I can run my script to reproduce the lag at 5 minute intervals.
Really stuck on this issue. Help is definitely appreciated.
Either capture elsewhere than the client, e.g. a switch SPAN or mirror port or a tap, or turn off segmentation offload on the capture system.
This is a very poor quality capture. The sniffer dropped 680KB of packets, or around 85%. Further, it is only 20 secs long. If I were capturing, I'd try to collect equal times of "good" and "bad" behaviours.
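Before re-capturing on the host, it is worth confirming that the offloads mentioned above are actually off, since a capture taken with TSO/GSO/GRO/LRO enabled shows oversized segments that never existed on the wire. The Python below is an added example, not code from this thread or from Wireshark: it parses the output of `ethtool -k` (the sample output, the `eth0` interface name and the feature list are constructed for illustration) and builds the `ethtool -K` command that switches off whatever is still enabled.

```python
"""Pre-capture offload check (added example, not from the thread).

With TCP segmentation offload (TSO/GSO) or receive offload (GRO/LRO)
enabled, a capture taken on the host shows oversized segments that never
existed on the wire, so gaps, retransmissions and per-segment timing
cannot be trusted. This parses `ethtool -k <iface>` output and reports
which of those offloads still need to be switched off.
"""
import re

# Capture-distorting offloads and the short names `ethtool -K` accepts.
OFFLOADS_TO_DISABLE = {
    "tcp-segmentation-offload": "tso",
    "generic-segmentation-offload": "gso",
    "generic-receive-offload": "gro",
    "large-receive-offload": "lro",
}

# Constructed sample of `ethtool -k eth0` output; not from a real host.
SAMPLE_ETHTOOL_K = """\
Features for eth0:
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp-segmentation-offload: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on
"""

# One feature line: "<name>: on|off [fixed]"; indented sub-features match too.
_LINE_RE = re.compile(r"^\s*([a-z0-9-]+):\s*(on|off)(\s*\[fixed\])?\s*$")


def parse_ethtool_k(text):
    """Return {feature: (state, is_fixed)} from `ethtool -k` output."""
    features = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m:
            features[m.group(1)] = (m.group(2), m.group(3) is not None)
    return features


def offloads_still_on(text):
    """Sorted names of capture-distorting offloads that are enabled."""
    feats = parse_ethtool_k(text)
    return sorted(name for name in OFFLOADS_TO_DISABLE
                  if feats.get(name, ("off", False))[0] == "on")


def ethtool_fix_command(text, iface="eth0"):
    """Build the `ethtool -K` line that disables the enabled offloads,
    or None when nothing needs changing. Features marked [fixed] cannot
    be toggled by ethtool; if one of those is on, capture from a SPAN
    port or TAP instead of on the host."""
    feats = parse_ethtool_k(text)
    toggles = [OFFLOADS_TO_DISABLE[name] for name in offloads_still_on(text)
               if not feats[name][1]]
    if not toggles:
        return None
    return "ethtool -K %s %s" % (iface, " ".join("%s off" % t for t in toggles))


if __name__ == "__main__":
    print("still on:", offloads_still_on(SAMPLE_ETHTOOL_K))
    print("run:", ethtool_fix_command(SAMPLE_ETHTOOL_K))
```

Feed it the real `ethtool -k <iface>` output on the capture host, run the command it prints, and re-check before starting the capture; if the interface reports a capture-distorting offload as `[fixed]` and on, the only clean option is the SPAN port or tap suggested above.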
Hi, thanks for the reply. I think I'm closer. I ran a trace on one of the affected destination addresses and around the time of the lag we have a couple of SQL servers hammering our DC. Then we notice TCP gets messed up, with unacked packets, retransmits etc., so it's like it's doing a DoS attack. Now I need to work out what is going on on these source addresses. There does seem to be a pattern.
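The remaining step, working out which source addresses sit behind the periodic burst and whether it really recurs on a fixed interval, can be scripted once the capture is exported as per-packet fields. The Python below is an added example, not code from this thread or from Wireshark: it works on constructed records shaped like a `tshark -T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport -e tcp.analysis.retransmission` export (the IP addresses, the 20-minute sample and the 10-second window are assumptions for illustration), bins LDAP traffic to the DC, flags windows far above the median rate, lists the top sources in each, and measures the spacing between bursts.

```python
"""Windowed top-talker check for LDAP traffic to a DC (added example).

Input is per-packet records of the kind `tshark -T fields -e
frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport -e
tcp.analysis.retransmission` would export. Packets to the DC's LDAP
ports are binned into short windows, windows far above the baseline
rate are flagged, and the sources behind each burst are listed. The
records below are constructed to mimic the symptom in the thread; they
are not from the original capture.
"""
from collections import Counter, defaultdict
from statistics import median

DC_IP = "10.0.0.5"                   # constructed: the domain controller
LDAP_PORTS = {389, 636, 3268, 3269}  # LDAP, LDAPS, global catalog
WINDOW = 10.0                        # seconds per bin


def build_sample_records():
    """Constructed traffic: one web server authenticating steadily, plus
    two SQL servers that each fire 200 LDAP queries every 300 s."""
    records = []  # (epoch_seconds, src, dst, dport, is_retransmission)
    t = 0.0
    while t < 1200.0:                # 20 minutes at 2 requests/s
        records.append((t, "10.0.0.20", DC_IP, 389, False))
        t += 0.5
    for burst_start in (300.0, 600.0, 900.0):
        for i in range(400):         # 400 queries in 4 seconds
            src = "10.0.0.31" if i % 2 else "10.0.0.32"
            # once the DC's backlog fills, later packets show as retransmits
            records.append((burst_start + i * 0.01, src, DC_IP, 389, i > 300))
    return records


def bin_requests(records, dst=DC_IP, window=WINDOW):
    """Count LDAP packets to dst per window.
    Returns ({bin: Counter(src)}, {bin: retransmission count})."""
    per_bin = defaultdict(Counter)
    retrans = Counter()
    for ts, src, d, dport, is_rtx in records:
        if d != dst or dport not in LDAP_PORTS:
            continue
        b = int(ts // window)
        per_bin[b][src] += 1
        if is_rtx:
            retrans[b] += 1
    return per_bin, retrans


def find_bursts(records, factor=5.0):
    """Windows whose packet count exceeds factor x the median window.
    Returns [(window_start_s, total, top_sources, retransmissions)]."""
    per_bin, retrans = bin_requests(records)
    if not per_bin:
        return []
    baseline = median(sum(c.values()) for c in per_bin.values())
    bursts = []
    for b in sorted(per_bin):
        total = sum(per_bin[b].values())
        if total > factor * baseline:
            bursts.append((b * WINDOW, total, per_bin[b].most_common(3), retrans[b]))
    return bursts


def burst_intervals(bursts):
    """Seconds between consecutive bursts, to confirm a fixed period."""
    starts = [b[0] for b in bursts]
    return [round(later - earlier, 1) for earlier, later in zip(starts, starts[1:])]


if __name__ == "__main__":
    found = find_bursts(build_sample_records())
    for start, total, top, rtx in found:
        print("t=%6.0fs  %4d pkts  %3d retransmits  top: %s" % (start, total, rtx, top))
    print("intervals between bursts:", burst_intervals(found))
```

Using the median window as the baseline keeps a handful of huge bursts from inflating the threshold, and the retransmission count per window gives a direct reading of how far the DC fell behind during each one; on a real export, an interval list that comes back as a constant value is the confirmation that a scheduled job, not user load, is the source.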