Solved

TCP Retransmission

Posted on 2013-11-26
Last Modified: 2016-11-23
I am investigating a problem that has arisen after changing a PC (updating to a new Dell PC). The operating system is Windows XP SP3.
The application software was running on the old system without any problems. The application communicates with several Agilent Digital voltmeters using the SCPI protocol over Ethernet (TCP port 5025).  After the hardware was changed, the same application started to encounter frequent timeouts (as timed in the application).
I installed Wireshark on the PC and captured the Ethernet port traffic with a capture filter of
host 10.41.3.123 (and the other IP addresses of the voltmeters). The PC IP address is 10.41.8.98 and the digital voltmeter IP address is 10.41.3.123.
I notice that there are several TCP Retransmissions from the PC according to Wireshark and would like to gain second opinions as to the probable cause.
Since Wireshark indicates no intervening packets between the retries, I am concluding that the retries are being generated by the PC network card driver (or even the network card itself?). Wireshark indicates a header checksum error on all the packets sent by the PC but I am assuming that this is because the checksum is being generated by the network card firmware or the Windows driver and is not available to Wireshark. The network card driver doesn't have the ability to be configured so as to disable checksum error discards.
My conclusion is that the issue is due to the PC network card since the problem was not evident when the original PC hardware was being used.
I attach a Wireshark capture log and ask for comments to either confirm or correct my conclusions.
Range3.docx
Question by:alcindor
6 Comments
 
LVL 57

Accepted Solution

by:
giltjr earned 250 total points
ID: 39677404
You can ignore the checksum errors. Wireshark sees what leaves the driver. Since the NIC generates these, they are not valid when Wireshark gets the data.

The re-transmits are because the PC has not received the ACK yet. These are being generated by TCP, not the NIC.

Somewhere the data is getting dropped or the remote device is so busy it can't respond.

If possible I would try doing packet captures at various points within the network between the new PC and the remote device.
0
 
LVL 19

Assisted Solution

by:Miguel Angel Perez Muñoz
Miguel Angel Perez Muñoz earned 250 total points
ID: 39677616
Sometimes auto full duplex fails and causes data loss. This causes some retransmissions because one of the machines does not receive the ACK. I suggest you change your Ethernet cable and check the Ethernet switch port and the computer's Ethernet configuration, then set it to 10 half and test, next go to 10 full, 100 half and 100 full and see if the timeouts go away.
0
 
LVL 2

Author Comment

by:alcindor
ID: 39677976
What determines the period that elapses before a retransmission occurs when no ACK is received? I notice that the time between retries increases with successive retries.
I will be performing the checks suggested by Drashiel over the next 2 days starting tomorrow afternoon. I'm not sure if I can capture at any other point on the network as there may be no mirror port on the Ethernet switch and it is doubtful if I could get a port configured as such as this is being operated in a factory production environment and configuring the switch would pose a potential risk.
Thanks for your suggestions, I will get back to you soon.
0

 
LVL 57

Expert Comment

by:giltjr
ID: 39678124
This is part of the TCP stack.  By design TCP will increase the amount of time between retransmissions.  

The assumption is that there is congestion along the path, and it wants to wait a little longer each time.

Is the switch a managed switch?  

Can you see what the switch thinks the speed and duplex is for that port?

If the switch is set to fixed something, then the PC should be set for the same fixed settings.
0
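The following is an added example, not part of any post in this thread: a check that separates TCP timer retransmissions (gaps that grow between retries) from duplicates emitted at a fixed or near-zero interval. It assumes the RTO doubles on each timeout as described in RFC 6298, ignores sequence-number wraparound, and uses constructed packet summaries rather than the attached capture; all function names are illustrative.

```python
from collections import defaultdict

# Constructed packet summaries (not from the attached capture):
# (time_s, src, dst, seq, payload_len, ack_number)
SAMPLE = [
    (0.000, "10.41.8.98", "10.41.3.123", 1000, 12, 500),
    (0.300, "10.41.8.98", "10.41.3.123", 1000, 12, 500),
    (0.900, "10.41.8.98", "10.41.3.123", 1000, 12, 500),
    (2.100, "10.41.8.98", "10.41.3.123", 1000, 12, 500),
    (2.105, "10.41.3.123", "10.41.8.98", 500, 0, 1012),
    (2.200, "10.41.8.98", "10.41.3.123", 1012, 8, 500),
    (2.203, "10.41.3.123", "10.41.8.98", 500, 0, 1020),
]

def find_retransmissions(packets):
    """Return {(src, dst, seq): [send times]} for data segments sent more than once."""
    sends = defaultdict(list)
    for t, src, dst, seq, length, _ack in packets:
        if length > 0:  # pure ACKs carry no data and are never "retransmitted"
            sends[(src, dst, seq)].append(t)
    return {k: v for k, v in sends.items() if len(v) > 1}

def time_to_ack(packets, key):
    """Seconds from the first send of a segment until the peer's ACK covers it."""
    src, dst, _seq = key
    first = end = None
    for t, s, d, q, length, ack in packets:
        if first is None and (s, d, q) == key and length > 0:
            first, end = t, q + length
        elif first is not None and s == dst and d == src and ack >= end:
            return round(t - first, 6)
    return None  # never acknowledged within the capture

def backoff_ratios(times):
    """Ratio of each retry gap to the previous one (2.0 means the gap doubled)."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    return [round(b / a, 2) for a, b in zip(gaps, gaps[1:])]

def looks_like_rto_backoff(times, slack=0.5):
    """True when every gap is roughly double the previous one (assumed RFC 6298 backoff)."""
    ratios = backoff_ratios(times)
    return bool(ratios) and all(abs(r - 2.0) <= slack for r in ratios)
```

Growing gaps point at the TCP stack's retransmission timer; evenly spaced or back-to-back copies of the same segment would point elsewhere, for example at duplication in the capture path.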
 
LVL 44

Expert Comment

by:Darr247
ID: 39678461
You can also check the Advanced tab on your network card's Configuration and see if there's a checksum offload option there... if it's enabled, try disabling it and see if that stops the checksum errors on the outbound packets in Wireshark.
[Screenshot: NIC Properties - Advanced - Checksum Offload]
I'm pretty sure the option to use/ignore checksum in Wireshark's TCP protocol Preferences is only for incoming packets (re-assembly will not be attempted if you tell it to use the checksums and there is a bad one).
[Screenshot: Wireshark - Preferences - Protocol - TCP]
0
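An added example, not part of any post in this thread, for the checksum point discussed above: it recomputes the IPv4 header checksum (RFC 1071) and sorts mismatches by direction. Treating a bad checksum on a frame sent by the capture host as an offload artifact and one on a received frame as real corruption is a triage heuristic assumed here; the headers are constructed and the function names are illustrative.

```python
import socket
import struct

LOCAL_IP = "10.41.8.98"  # capture host: the PC address given in the question

def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum with the checksum field treated as zero."""
    data = header[:10] + b"\x00\x00" + header[12:]
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_header(src: str, dst: str, checksum=None) -> bytes:
    """Constructed 20-byte IPv4 header (protocol 6 = TCP).
    checksum=None stores the correct value; any integer is stored as given."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0x4000, 128, 6, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    value = ipv4_checksum(hdr) if checksum is None else checksum
    return hdr[:10] + struct.pack("!H", value) + hdr[12:]

def triage(header: bytes, local_ip: str = LOCAL_IP) -> str:
    """Classify a captured header: valid, offload-artifact or corrupt-on-wire."""
    stored = struct.unpack("!H", header[10:12])[0]
    if stored == ipv4_checksum(header):
        return "valid"
    # Outbound frames are captured before the NIC fills in the checksum,
    # so a mismatch there says nothing about what went onto the wire.
    src = socket.inet_ntoa(header[12:16])
    return "offload-artifact" if src == local_ip else "corrupt-on-wire"
```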
 
LVL 2

Author Closing Comment

by:alcindor
ID: 39684158
In my absence, someone disabled the on-board NIC and fitted a USB Ethernet adapter which seems to have fixed the issue as there are now no re-transmissions or timeouts in the past 36 hours. I didn't get the opportunity to do any of the checks that you suggested so we still don't know what the root cause was. The on-board NIC was an Intel 82579LM which seems to have been commented on in various web sites where it seems that there have been issues with Windows drivers having to be installed in the correct order.
Since the machine is in a production environment, it is unlikely that we will be able to revert to the on-board NIC and try to establish the cause. There are no free PCI slots on the PC motherboard.
Thanks for your help,

Roger
0
