Ethereal-users: RE: [Ethereal-users] Multiple retransmissions

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Matt Pickering" <mpickering@xxxxxxxxxxxxxx>
Date: Tue, 22 Nov 2005 08:43:08 -0500
Thanks for the suggestion - 

This is very possible - I'm very new to packet capturing, so my setup
might be incorrect.  I've looked at the IDs of some frames, as you've
suggested, and the ID is indeed duplicated.  For instance, if I look at
Frame 1 and Frame 2 - they have the same source & dest IP, the same
packet size, almost everything is the same, except the time, which is
0.0000030 seconds different between the two packets, and the second
packet has a SEQ/ACK analysis section in the middle screen which says
under TCP Analysis Flags: 
[This frame is a suspected retransmission] 
[The RTO for this segment was: 0.00003000 seconds] 
[RTO based on delta from frame: 1]

The method I used to capture packets is as follows - I have a Cisco 2970
switch, and all but two ports are in Vlan1, and I have set up port 23 to
be the SPAN destination, and Vlan1 to be the SPAN source.  The app nodes
and the db node are all in Vlan1.  I then put my laptop with Ethereal
into port 23, and started a packet capture.  I suppose this could get
packets twice, but I don't understand how there could be a time
difference if it's the exact same packet. 

I will try to get a smaller packet capture when I get a chance, but I
think maybe we're on to something.  Any other suggestions are helpful
and appreciated. 

Thanks,
Matt 
 

-----Original Message-----
From: ethereal-users-bounces@xxxxxxxxxxxx
[mailto:ethereal-users-bounces@xxxxxxxxxxxx] On Behalf Of Hansang Bae
Sent: Monday, November 21, 2005 11:22 PM
To: ethereal-users@xxxxxxxxxxxx
Subject: Re: [Ethereal-users] Multiple retransmissions

At 04:12 PM 11/21/2005, Matt Pickering wrote:
>[snip]
>milliseconds later, a retransmission.  For instance, I have a packet 
>capture that has approximately 80,000 packets, and 40,000 of those 
>packets are marked as "retransmissions".  When I look at the TCP 
>Analysis Flags, it indicates that "This frame is a (suspected) 
>retransmission".[snip]


Given the above, I would first suspect that the way you captured the
packets was incorrect.  Chances are, you are capturing the packets
twice, i.e. you are spanning two ports on the switch (port for the web
server and the port for the DB server perhaps?)

If you truly had 40K retransmissions out of 80K packets, I doubt your
program would even work.  Take a look at your IP ID field, you'll
probably see that they are the same.  

So take one frame and look at the ID.  Say it's 14256.  Then type in
"ip.id==14256"  You'll probably find two packets with the same ID.

hsb 
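The check Hansang describes above (take the IP ID of a suspicious frame and see whether a second frame carries the same one) can be run over a whole capture instead of one frame at a time. The script below is an added example and is not code from this thread or from Ethereal. It reads a classic libpcap file with only the Python standard library and separates capture-side duplicates (the same datagram mirrored twice by the SPAN session, so same source, destination, ports and IP ID a few microseconds apart) from true TCP retransmissions (the same sequence number sent again under a fresh IP ID). The capture it reads is constructed in-line; the addresses, ports, IP IDs and the 1 ms "same frame" window are assumptions for the demo.

```python
# Added example (not code from the thread or from Ethereal): tell SPAN-mirrored
# duplicates apart from real TCP retransmissions by the IP ID field.
# Standard library only; the libpcap file is constructed at the bottom.
# Addresses, ports, IP IDs and DUP_WINDOW_S are assumptions for the demo.
import struct
from typing import Dict, Iterator, List, NamedTuple, Tuple

DUP_WINDOW_S = 0.001  # assumption: identical IP ID within 1 ms = one datagram seen twice


class Segment(NamedTuple):
    ts: float
    ip_id: int
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    payload_len: int


def parse_pcap(data: bytes) -> Iterator[Segment]:
    """Walk a classic libpcap file and yield every Ethernet/IPv4/TCP frame."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(data):
        sec, usec, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frame, off = data[off:off + incl_len], off + incl_len
        if len(frame) < 54 or frame[12:14] != b"\x08\x00":   # need Ethernet+IPv4+TCP headers
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len, ip_id = struct.unpack_from("!HH", ip, 2)
        if ip[9] != 6:                         # protocol is not TCP
            continue
        tcp = ip[ihl:]
        sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
        doff = (tcp[12] >> 4) * 4
        yield Segment(sec + usec / 1e6, ip_id,
                      ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20])),
                      sport, dport, seq, total_len - ihl - doff)


def classify(segments) -> Tuple[List[Tuple[int, int]], List[Tuple[int, int]]]:
    """Return (capture_duplicates, retransmissions), each a list of
    (frame_no, earlier_frame_no).  A host does not emit two datagrams with the
    same IP ID back to back, so the same flow + IP ID inside DUP_WINDOW_S is the
    capture seeing one frame twice.  The same TCP seq carrying data again under
    a different IP ID is a genuine retransmission."""
    last_by_id: Dict[tuple, Tuple[int, float]] = {}
    last_by_seq: Dict[tuple, int] = {}
    dups, retrans = [], []
    for n, s in enumerate(segments, 1):
        flow = (s.src, s.dst, s.sport, s.dport)
        prev = last_by_id.get(flow + (s.ip_id,))
        if prev is not None and s.ts - prev[1] <= DUP_WINDOW_S:
            dups.append((n, prev[0]))
            continue                           # a mirrored copy must not count as a resend
        if s.payload_len > 0:                  # pure ACKs repeat seq legitimately; skip them
            prev_seq = last_by_seq.get(flow + (s.seq,))
            if prev_seq is not None:
                retrans.append((n, prev_seq))
            last_by_seq[flow + (s.seq,)] = n
        last_by_id[flow + (s.ip_id,)] = (n, s.ts)
    return dups, retrans


def _frame(ip_id: int, seq: int, payload: bytes) -> bytes:
    """Ethernet/IPv4/TCP frame 10.0.0.10:40000 -> 10.0.0.20:1521 (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 1521, seq, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0, 64, 6, 0,
                     bytes([10, 0, 0, 10]), bytes([10, 0, 0, 20]))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def _record(usec: int, frame: bytes) -> bytes:
    return struct.pack("<IIII", 0, usec, len(frame), len(frame)) + frame


# Constructed capture: every datagram appears twice, 3 us apart (a SPAN session
# mirroring both the sending and the receiving port), plus one real resend of
# the "COMMIT" segment 300 ms later under a fresh IP ID.
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join([
    _record(0,      _frame(14256, 1000, b"SELECT 1")),
    _record(3,      _frame(14256, 1000, b"SELECT 1")),   # mirrored copy
    _record(10000,  _frame(14257, 1008, b"COMMIT")),
    _record(10003,  _frame(14257, 1008, b"COMMIT")),     # mirrored copy
    _record(310000, _frame(14300, 1008, b"COMMIT")),     # true retransmission
    _record(310003, _frame(14300, 1008, b"COMMIT")),     # mirrored copy of the resend
])


def analyze(pcap: bytes):
    return classify(parse_pcap(pcap))


if __name__ == "__main__":
    dups, retrans = analyze(SAMPLE_PCAP)
    print("capture duplicates:", dups)          # [(2, 1), (4, 3), (6, 5)]
    print("true retransmissions:", retrans)     # [(5, 3)]
```

On the constructed capture half of the frames are capture duplicates and only one is a real retransmission, which is the pattern Hansang expects from a SPAN session that mirrors both the web server's and the DB server's port. Point `analyze()` at a real file with `open(path, "rb").read()` and, if the duplicates dominate, fix the SPAN source (mirror one port, or one direction of the VLAN) rather than the application; in Ethereal the same pair shows up with the display filter `ip.id==14256`.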

_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users