Solved

Packet Decoding

Posted on 2008-10-08
6
227 Views
Last Modified: 2012-06-21
After users complaining of network slowness I ran a tcp dump on a server and noticed many

TCP      [TCP Out-Of-Order] 9042 > 52734 [PSH, ACK] Seq=352279 Ack=334509 Win=64076 Len=1460

TCP      [TCP Dup ACK 17864#2] 52734 > 9042 [ACK] Seq=334509 Ack=340599 Win=32768 Len=0

Any tips? Advice

Thanks
0
Comment
Question by:willbaclimon
  • 2
  • 2
6 Comments
 
LVL 57

Accepted Solution

by:
giltjr earned 300 total points
ID: 22677229
The out of order packet indicates that someplace you have two paths between the hosts and that packets are being received out of order.

The duplicate ACK means that somewhere a packet was dropped and the remote side did not see what it expects so it resent the ACK.

Both of these error are normally an indication that there is something in the network path that is saturated, that is running above and beyond it capacity.

I would start looking at link utilization on any WAN links that this traffic may go over.  I would also check to see if you have any old routers that may be being pushed beyond their design capacity.
0
 
LVL 32

Assisted Solution

by:harbor235
harbor235 earned 200 total points
ID: 22677916


I agree with gilltjr, Out of order segements and duplicate acks are a sign of congestion, either on the network or on the end systems.

harbor235 ;}
0
 
LVL 7

Author Comment

by:willbaclimon
ID: 22681663
Thank you  both....This is a lan based server application with gig connectivity. I have checked network utilization, switch ports errors, crc's etc.. No luck so far. Although this is a sign of network congestion or issue, I believe it might be application due to this app being in development...Is there any way to prove that?


0
 
LVL 57

Expert Comment

by:giltjr
ID: 22681809
Where did you run the packet capture from?  The server, a mirrored port of something, your desktop?

There is absolutely no way that somebody could connect to this box over a WAN, like say the Internet?

In the dump you should have the 2 IP addresses that this connection deals with and you need to look at the full network path between those two devices.
0
 
LVL 7

Author Comment

by:willbaclimon
ID: 22723496
The issue winded up being the linux server nic drivers.

0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Stuck in INIT/DROTHER 2 23
using BGP Attributes 2 87
New firewall implementation guidance 12 61
Current date-time from Available WiFi connections 10 31
If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
Most of the applications these days are on Cloud. Cloud is ubiquitous with many service providers in the market. Since it has many benefits such as cost reduction, software updates, remote access, disaster recovery and much more.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question