Guy Hengel [angelIII / a3]

TCP retransmission & TCP DUP ACK

I notice slow internet page load, and intermittent timeouts.

running Wireshark, I see plenty of the TCP retransmission and TCP Dup ACK events.

what are my next steps to identify why those events occur, ie to solve these problems
decoleur

look at the utilization of every interface between your machine and your internet connection. Also look at the times for traceroutes to the destination from the source address to the destination to see if there are any hops that are acting as choke points.

hope this helps,

-t
Guy Hengel [angelIII / a3]

ASKER

>look at the utilization of every interface between your machine and your internet connection.
can you clarify this, please (tools etc) I am rather a newbie at troubleshooting this advanced kind of stuff...

>Also look at the times for traceroutes to the destination from the source address to the destination to see if there are any hops that are acting as choke points.
I am quite sure that this does not matter, as it's the same behavior for all sites I visit (both local sites and sites far away.)
>look at the utilization of every interface between your machine and your internet connection.
>can you clarify this, please (tools etc) I am rather a newbie at troubleshooting this advanced kind of stuff...

It depends on the hardware that you have and what kinds of diagnostics tools you have access to. Most switches give you the ability to look at the interfaces and see traffic throughput. Some tools that are based on MRTG like PRTG or Cacti give you the ability to record that info over time so you can see graphs of trends. I would look to see if you can see patterns on any of the interfaces of your switch. Some common issues to look for are looped switches or beaconing NICs. These two scenarios will present one switch port with high input traffic as a result of broadcasting traffic and all other switchports showing the same rate of outbound traffic. This can easily overwhelm some switches. If you are unable to see the interface utilization try shutting down ports or disconnecting switches to see if you can isolate where the problem is.

>Also look at the times for traceroutes to the destination from the source address to the destination to see if there are any hops that are acting as choke points.
>I am quite sure that this does not matter, as it's the same behavior for all sites I visit (both local sites and sites far away.)

What doesn't matter to some matters to others, by adding the information that sites inside and outside are both showing the same symptoms locates the problem inside your network as opposed to outside. What happens if you ping many hosts in your network using a tool like Angry IP Scanner? As a test ping your host subnet, are all the response times the same or are there some that respond significantly slower than others? This might help isolate which switch is having issues.

what does your topology look like, can you temporarily disconnect trunks between switches to further troubleshoot the issue? for example if you had two switches connected together with a trunk and host A tried to ping switch host B on the same switch and had issues before disconnecting the inter switch trunk would point the finger at something on the other switch, then reconnecting the switches and shutting half the second switch off would further help locate the problem machine.

any info that you can provide of the symptoms or the results of your tests would help.

hope this helps,

-t
if you're the admin then you know better what the hardwares and what kinda hungry or not services are running on those hardwares. you sure they are free from Malwares?
let me clarify my config:

* 1 laptop (windows xp, of which I am the admin)
* 1 Huawei gsm modem (via umts/gprs/hsdpa) via usb

that's it. no switches, hubs etc ...
just 1 network, where I do see traffic going over the line, but not which application it is.

so, the actual question might be: how to identify the application that uses the whole "bandwidth", ie to cause the tcp retransmissions.

I know that it sounds like faulty hardware, but it's not the whole time. just like for +- 1 hour, internet performance is "crap", after that, out of the sudden, all is nice & dandy.

I do have Kaspersky AV running with FW etc, all updated, so I suspect no infection.
that said, I looked also at the task-manager if I could see something suspicious, but all tasks are well identified.

which makes me believe the problem is "outside" of my reach (Ie with the gsm/backbone), in which case I would like to get that confirmed somehow, so to "get my money back" :)

SOLUTION
b0lsc0tt
This solution is only available to members.
there are others I know that "hate" the usb stuff, as you cannot monitor those easily :)

I know the provider offers some version of the modem with ethernet and wireless options, so I will try to see ...
thank you for describing your topology, i had misinterpreted your network as a result of previous posts. i had assumed that when you said that you were having "the same behavior for all sites I visit (both local sites and sites far away.)" I thought that meant that you were experiencing issues with servers on your network as well as remote.
there are two possible chokepoints for your problem, a condition on your endpoint or a device on your upstream path. To validate that it is not your machine i would suggest that you try to do the traceroute to a variety of sites both local and remote to confirm that the problem is not at your end. Also if you reset your interface you will reset your counters and they should increment together as traffic goes through assuming you are not running any additional services. Do the traceroute when you are not having problems first to get a baseline for the different average times. if you see one hop that has inconsistent times it could be that that leg is oversubscribed and your traffic is getting best effort service.
to dive deeper into your machine i would look at running tools from sysinternals to see what services are using up resources, it could be that IE is running amok and chewing up cpu causing the retransmits to be originated from the outside because it is not sending ACKs in a timely enough fashion.

hope this provides you with more to test with.

-t
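
The baseline comparison suggested in the post above, as an added example that is not part of any post in this thread: it parses two Windows `tracert` outputs (one captured while the link is healthy, one during the slowdown) and reports the hops that lost probes or slowed down. The sample outputs, host name, addresses and the 3x threshold are constructed assumptions.

```python
import re
from statistics import mean

# Constructed Windows tracert output; addresses are documentation ranges.
BASELINE = """\
Tracing route to example.test [203.0.113.20]
  1    45 ms    48 ms    44 ms  192.0.2.1
  2    52 ms    50 ms    55 ms  198.51.100.7
  3    60 ms    58 ms    61 ms  203.0.113.20
Trace complete.
"""
PROBLEM = """\
Tracing route to example.test [203.0.113.20]
  1    47 ms    46 ms    49 ms  192.0.2.1
  2   310 ms     *      920 ms  198.51.100.7
  3   330 ms   880 ms     *     203.0.113.20
Trace complete.
"""

def parse_tracert(text):
    """Return {hop: (address, [rtt_ms, or None for a lost probe])}."""
    hops = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(.*)$", line)
        if not m:
            continue  # header, footer or blank line
        rest = m.group(2)
        # Each probe is "<1 ms", "45 ms" or "*"; the address never contains " ms".
        probes = [int(t) if t else None for t in re.findall(r"<?(\d+) ms|\*", rest)]
        if len(probes) == 3:
            addr = rest.split()[-1] if any(probes) else None  # all lost: no address
            hops[int(m.group(1))] = (addr, probes)
    return hops

def summarize(probes):
    """Average RTT of answered probes (None if all lost) and the loss count."""
    ok = [p for p in probes if p is not None]
    return (mean(ok) if ok else None, len(probes) - len(ok))

def degraded_hops(baseline, problem, factor=3.0):
    """Hops that lost more probes than in the baseline or slowed by `factor`."""
    base, prob = parse_tracert(baseline), parse_tracert(problem)
    flagged = []
    for hop in sorted(base.keys() & prob.keys()):
        (b_avg, b_lost), (p_avg, p_lost) = summarize(base[hop][1]), summarize(prob[hop][1])
        slow = bool(b_avg and p_avg and p_avg > factor * b_avg)
        if slow or p_lost > b_lost:
            flagged.append((hop, prob[hop][0], b_avg, p_avg, p_lost))
    return flagged

if __name__ == "__main__":
    for hop, addr, b_avg, p_avg, lost in degraded_hops(BASELINE, PROBLEM):
        print(f"hop {hop} {addr}: baseline {b_avg} ms, now {p_avg} ms, lost {lost}/3")
```

The first flagged hop is the one to look at, and only if the hops after it are flagged too: routers often answer traceroute probes at low priority, so a single slow hop followed by normal ones does not indicate a congested leg.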
it will take a moment before I can get another modem to test with that...
and anyhow, it will be difficult to know for sure, as the problems are intermittent only.

in regards to the tools from sysinternals, which one are you referring to?
i would use a combination of Process Monitor and Process Explorer to see if there are any services that are utilizing a disproportionate amount of resources. if the issue isn't reproducible on demand it is going to be very hard to solve.

it very well could be that there was a problem past your local leg to where your isp routes and you were sharing a very over subscribed line because diverse paths were not available.

good luck finding out the root cause.

-t
thanks for the "good luck" ...
until now, it was stable...
ok.
got another modem, same issues.
still leaves 2 options:
* the operator backbone/antenna
* the computer installation

any ideas about the installation?

I check with some tcpview tool which applications do network traffic, nothing "suspicious" or "unknown".

traffic just drops off at some point in time...
what media is the WAN link?
it's a Huawei wireless modem (via GSM/GPRS/HSDPA)
ASKER CERTIFIED SOLUTION
This solution is only available to members.
I got confirmation from the provider, that they have hit the max limit on the cell I am on :(
so, I have to either wait several months for the upgrade, or change back to fixed line adsl :((

thanks for the help
glad to help,

-t
Thanks for the assist.  I'm glad I was able to help a bit.  It was an interesting question.  Sad to hear the news about the service; it doesn't seem to leave any great options.  I will keep my fingers crossed this doesn't mean you go "completely dark" and lose all service for months. :)  EE wouldn't be the same.
bol
no worries... I plan to get fixed line adsl, and anyhow, I do have access to EE @ work :)