Wireshark-users: Re: [Wireshark-users] TCP retransmissions from Windows file server
From: "Andrew Cuthbertson" <andrew.cuthbertson@xxxxxxxxxxx>
Date: Sun, 22 Feb 2009 20:31:08 +0100
Hello Hans

1st I would confirm that the retransmissions are real problems (you say you have slowness so likely they are, but best to check). Run netstat /s on the servers of interest twice with a time interval between to calculate the difference in the stats reported. You'll also be able to see if the server is discarding packets.
2nd check how you have your span port on your Cisco switch set up. If you have a server with retransmissions, span only the physical port and see if you still have retransmissions.
3rd capture the packets and see what is marked as retransmitted packets by Wireshark to identify the cause of these packets. Wireshark will only mark retransmissions on packets with data in them. Also you need to look at tcp-analysis filters 'retransmission', 'fast transmission' and 'out of order' as these are all definitions of potential retransmissions. Some causes for retransmissions that are not infrastructure related can be protocol related, e.g. DCERPC messages between servers to sort out communication encryption options when you don't use it; messages are repeated and marked as retransmissions. If you have devices that take longer than 200ms to reply, the sender assumes a lost packet and resends the original.
4th Different topic: slow servers. Identify the application/task that is slow, capture the packets and use netstat /s (see if the server is discarding packets). Also look at the Cisco port stats (see if the switch has an interface problem or handshaking options with the server causing issues). Remember you need to check both ends of a conversation with retransmissions. If the conversation is one packet one way and then one back most of the time you won't get good performance (not a good network app); if the data transferred is in small packets all the time you also won't get good performance (unless the app has little data to transfer of course). Not the whole story as that would need a book, but I hope this may help you on your way.

Kind regards
Andrew

On Thu, 19 Feb 2009 15:50:29 +0100 "Hans van Staveren" <sater@xxxxxxxxx> wrote:
While figuring out the (slightly disappointing) performance from some Windows file servers in a corporate environment I found some TCP retransmissions using Wireshark. Looking at the 'netstat -s -p tcp' output from the servers themselves I found a TCP segment retransmission rate of about 1%. My feeling is that this is a lot, given the fact that the whole network consists of three Cisco switches and two pieces of fiber.
1) Is my gut feeling right about 1% retransmissions being a lot in this environment?
2) The server guys told me they were using the HP teams driver on the servers, and that they heard that this would be a problem with Cisco switches. This does not ring any bell with me.
Any help appreciated.
Hans
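
The before/after `netstat` comparison from the first step of the reply, as an added Python example that is not part of the original thread. The two snapshots are constructed samples in the layout of English-language Windows `netstat -s -p tcp` output, and the rate is assumed to mean retransmitted segments divided by sent segments within the interval.

```python
import re

# Constructed samples of Windows `netstat -s -p tcp` output, taken some time apart.
SNAPSHOT_T0 = """
TCP Statistics for IPv4

  Active Opens                        = 15210
  Passive Opens                       = 98411
  Failed Connection Attempts          = 312
  Reset Connections                   = 4120
  Current Connections                 = 187
  Segments Received                   = 48200000
  Segments Sent                       = 51300000
  Segments Retransmitted              = 498000
"""
SNAPSHOT_T1 = SNAPSHOT_T0.replace("48200000", "48390000") \
    .replace("51300000", "51500000").replace("498000", "500100")

COUNTER_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*=\s*(\d+)\s*$")
INTERVAL_COUNTERS = ("Segments Received", "Segments Sent", "Segments Retransmitted")

def parse_tcp_stats(text):
    """Return {counter name: value} for every 'Name = 123' line."""
    stats = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            stats[m.group(1)] = int(m.group(2))
    return stats

def interval_delta(before, after):
    """Difference of the cumulative counters between two parsed snapshots."""
    delta = {}
    for name in INTERVAL_COUNTERS:
        diff = after[name] - before[name]  # KeyError if the counter is missing
        if diff < 0:
            # Counters are cumulative since boot: a negative difference means
            # a reboot or counter wrap, so the interval is unusable.
            raise ValueError(f"{name} went backwards; retake both snapshots")
        delta[name] = diff
    return delta

def retransmission_rate(before_text, after_text):
    """Retransmitted / sent segments within the interval (assumed definition)."""
    d = interval_delta(parse_tcp_stats(before_text), parse_tcp_stats(after_text))
    sent = d["Segments Sent"]
    return d["Segments Retransmitted"] / sent if sent else 0.0

if __name__ == "__main__":
    print(f"{retransmission_rate(SNAPSHOT_T0, SNAPSHOT_T1):.2%}")
```

Measuring over an interval during the slow period avoids averaging the rate over everything the server has sent since boot.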