
Wireshark-users: Re: [Wireshark-users] Need help analyzing...

From: "Boaz Galil" <boaz20@xxxxxxxxx>
Date: Mon, 29 Dec 2008 02:17:32 +0200

Hi Sake,

I read your comment – it's always great to read expert diagnosis.

I have downloaded the packet capture as well and I have a few questions:

1. Why did you mention that he can ignore the duplicate packets? Why does he have duplicate packets in the first place (or should I say, what could be the reason for that, and can we ignore duplicate packets in most scenarios…)? (Thanks for the tip on how to filter the duplicates.)

2. How did you calculate the speed of the file transfer?

Thanks in advance,



On Sun, Dec 28, 2008 at 8:17 PM, Sake Blok <sake@xxxxxxxxxx> wrote:
On Sun, Dec 28, 2008 at 08:47:10AM -0500, Scott Chapman wrote:

>    Please take a look at the log file attached and let me know what you
>    think. I see a lot of TCP out of order. Is that an issue I should be
>    worried about?

Nope, the out-of-order messages are all duplicate packets. Did you span
a vlan on the switch? Did you capture both directions? Every packet will
enter AND leave the vlan, hence duplicate packets. If you span a vlan,
you'd better use only one direction instead of both.

You can remove the duplicate packets from the tracefile with:

editcap -d <infile> <outfile>

I have looked at the resulting file and see that the two systems
communicate at 200Mbit/s, which is better than the 10MB/s you were
mentioning, but still not the speed you might expect. Part of this is
due to the nature of Windows file sharing (it transmits blocks of data
instead of streaming the data). But I think the main factor is that the
fileserver (192.168.1.95) is not keeping up with the data. In frame 52
(from the deduplicated file), the window size drops to 0, which means
the server says it is not capable of receiving more data, since the
buffers are filled up and the tcp stack waits for the application layer
to process the data.

Hope this helps,
Cheers,
  Sake



--
Boaz.
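
An added example, not part of either message in this thread: a sketch of the three checks discussed above, run over a constructed trace in which every frame is recorded twice (as on a both-direction VLAN span). The dedup step approximates the documented behaviour of `editcap -d` (length and MD5 compared against the previous four frames); the client address, ports, timestamps and all function names are assumptions made for the illustration, and the throughput function is one way to compute a rate, not necessarily how the figure in the thread was obtained.

```python
import hashlib
import socket
import struct
from collections import deque

def build_frame(src, dst, seq, window, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame; MACs, ports and checksums are dummies."""
    tcp = struct.pack("!HHIIBBHHH", 1025, 445, seq, 0, 5 << 4, 0x10, window, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def sample_capture():
    """Constructed trace: each frame is recorded twice, as on a both-direction span."""
    client, server = "192.168.1.10", "192.168.1.95"  # client address is made up
    frames = [build_frame(client, server, 1 + 1000 * i, 65535, b"A" * 1000) for i in range(4)]
    frames.append(build_frame(server, client, 1, 0))  # receiver advertises window 0
    capture = []
    for i, raw in enumerate(frames):
        capture += [(i * 0.001, raw), (i * 0.001 + 0.00001, raw)]
    return capture

def dedup(packets, window=5):
    """Drop a frame whose length and MD5 match one of the previous window-1 frames."""
    recent, kept = deque(maxlen=window - 1), []
    for ts, raw in packets:
        key = (len(raw), hashlib.md5(raw).digest())
        if key not in recent:
            kept.append((ts, raw))
        recent.append(key)  # duplicates stay in the comparison window too
    return kept

def zero_windows(packets):
    """(frame number, source IP) of each TCP segment advertising a zero window."""
    hits = []
    for num, (_, raw) in enumerate(packets, 1):
        tcp = raw[14 + (raw[14] & 0x0F) * 4:]          # skip Ethernet + IP header
        flags, win = tcp[13], struct.unpack("!H", tcp[14:16])[0]
        if win == 0 and not flags & 0x07:              # ignore SYN/FIN/RST
            hits.append((num, socket.inet_ntoa(raw[26:30])))
    return hits

def mbit_per_s(packets):
    """Bytes on the wire over the capture duration, in Mbit/s."""
    return sum(len(raw) for _, raw in packets) * 8 / (packets[-1][0] - packets[0][0]) / 1e6

if __name__ == "__main__":
    spanned, clean = sample_capture(), dedup(sample_capture())
    print(len(spanned), len(clean), zero_windows(clean))
    print(round(mbit_per_s(spanned), 2), round(mbit_per_s(clean), 2))
```

On the constructed trace the raw capture reports roughly twice the rate of the deduplicated one, which is why a rate measured before removing span duplicates overstates the real transfer speed.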