Wireshark · Ethereal-users: RE: [Ethereal-users] TCP Retransmissions and resets: What is an"accept able" rate of occur rence?

Ethereal-users: RE: [Ethereal-users] TCP Retransmissions and resets: What is an"accept able" rat

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "infogunn@xxxxxxxx" <infogunn@xxxxxxxx>

Date: Mon, 12 Sep 2005 19:27:36 GMT

Thanks for the reply.

I agree I have to be careful about the TCP analysis. When I see dup acks, I often find the cause is out-of-sequence frames, rather than a missing frame, and the related retransmissions are from unnecessary fast retransmits.

I also always check the retransmissions following a "TCP Previous Segment Lost" flag, as I typically find the reported retransmission is just out-of-sequence and "a little" late (not enough for a time-out".

-- "Hildebrand, Brian" <BrianHildebrand@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:

Doug,

Be careful trusting the Ethereal analysis of what packets are retransmissions. I believe there is a bug and it actually ends up calculating a lot of out-of-orders as retransmissions (one key looking for this is the "dup ack"). Really, on a local LAN you should be seeing very few retransmission or out of order packets. However, all bets are off when you go out on the Internet. If you are seeing true retransmission of greater than 1% on your local LAN, you should probably look into the issue further. If I didn't have a lot to do, I would probably look into it if I were consistently seeing any at all (percentage or no). If you are seeing out-of-order packets on a local LAN that is something you should look into as well. Usually you just see out-of-order packets on the WAN/Internet where the multiple paths will mess things up. We have a problem with a multilink frame relay interface here. Small packets can outrun the larger ones and cause our systems to send out duplicate ACK's which waste bandwidth. For your WAN interface, retransmission rates of 1% are not abnormal but if it is a new issue you might want to look around and see if anything looks wrong. Possibly have the provider perform some testing as well. If I were seeing rates over 5% I would probably start bugging the provider (assuming all my equipment was working).

All well and good, but how do you tell if it is a true retransmission or not? You can manually examine the trap, which is a pain. I found some software called "TCPTrace". I ran that and it picked up the real retransmissions and classified the rest as out-of-orders. Not that I am precisely certain it is accurate, but it is more accurate then Ethereal.

Brian

Prev by Date: [Ethereal-users] Can't get list of interfaces: PacketGetAdapterNames: The operation completed succesfully
Next by Date: Re: [Ethereal-users] TCP Retransmissions and resets: What is an"accept able" rate of occur rence?
Previous by thread: Re: [Ethereal-users] Can't get list of interfaces: PacketGetAdapterNames: The operation completed succesfully
Next by thread: Re: [Ethereal-users] TCP Retransmissions and resets: What is an"accept able" rate of occur rence?
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$