Network Diagnosis
18 years 3 months ago #16157
by Smurf
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Network Diagnosis was created by Smurf
Hi everyone,
Hopefully someone has experience in this already. I have been doing a packet capture of one of my VLANs on my Cisco 3750g switch. I have noticed a lot of [TCP Out-Of-Order], [TCP Retransmission], [TCP Dup ACK] & [TCP Fast Retransmission] packets floating around this network.
Anyone know what these are all about and how I can help to diagnose this issue?
Thanks very much in advance
If you require any further details then please let me know.
Wayne
18 years 3 months ago #16158
by Arani
Picking pebbles on the shore of the networking ocean
hi,
TCP-Out-Of-Order = is a TCP segment which has reached a destination practically out of order. each segment is tagged in a specific sequence in which they are spliced so that when they arrive at the destination they can be put back together to form the main application data unit or the ADU. seems like some of your segments are getting delayed or getting lost, and they are resurfacing after the ones after them have reached the destination
TCP-Retransmission = is a segment which has been retransmitted either because the previous transmission was corrupted or the sender did not receive an acknowledgement for it. the TCP stack works on the principle of transmission and acknowledgement. there is a window called the transmission window of time within which an acknowledgement has to reach a sender against a particular transmission of a TCP segment. if it does not receive it, it will re-send the TCP segment bundled into an IP packet. your network seems to be losing a lot of packets.
TCP-DUP Ack = is a duplicate acknowledgement packet. when a packet is received the TCP stack transmits an acknowledgement back to the sender. but if this acknowledgement packet is received late enough for the sender to retransmit the original packet either way, then you are looking at two of the same packets being received by the receiver. one is the original packet, the next one is a duplicate of the first packet because the sender did not receive the acknowledgement in time and decided to retransmit the packet. so the receiver transmits the first acknowledgement, and when it receives the retransmitted packet, it sends a second acknowledgement to the sender. but this time it tags this second acknowledgement as a duplicate acknowledgement of the original packet.
if you read carefully, you will see a pattern here. you are basically losing packets at random in your network, and many times they are not lost but slowed down within the network structure and the transmission media. this leads to retransmissions, duplicates etc. this indicates a major bottleneck somewhere. try tracing it. traceroute throughout your network to find out where the bottleneck is. if there is none, then try reconfiguring the TCP Acknowledgement Window so that you can avoid retransmissions.
18 years 3 months ago #16160
by Smurf
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Replied by Smurf on topic Re: Network Diagnosis
Hi,
Thanks for the reply. I did some research today to try and work out why these things were happening. I am ok with what they are, just really confused with how it's happening.
Basically, this is all going on within a specific VLAN (two servers on the same subnet), within a single switch (Cisco 3750g). Finding it hard to believe that the switch is struggling with the amount of traffic saying that it's supposed to have a 22Gb backplane.
Hmm, may start to look at the two servers that are having the issue, maybe then open a Cisco TAC on this issue.
Thanks again for the reply
18 years 3 months ago #16161
by Arani
Picking pebbles on the shore of the networking ocean
Replied by Arani on topic bottleneck
hi,
yes do let us know what you found out. i am interested in such cases. it helps me in my own diagnosis routes i utilize for other commercial networks that i manage
18 years 3 months ago #16162
by jwj
-Jeremy-
Replied by jwj on topic Re: Network Diagnosis
I've fixed a TCP out of order problem by changing the switchport the servers were plugged into. Give it a try, might be a bad port.
18 years 3 months ago #16174
by Smurf
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Replied by Smurf on topic Re: Network Diagnosis
Argh.........who thought this computing lark was easy :lol:
So, I wondered if anyone can explain something for me? I started with the TCP RFC (how dry is that) and then found a great document to explain the lower workings of the protocol. Anyhow, I have gone through a packet capture on the network and almost understand it all now, apart from one slight thing, so I would be grateful if someone can shed some light onto this?
Two servers, one ISA Server (external card) and the other IIS. Intermittently we get [TCP DUP ACK] packets being sent to the IIS server from the ISA Server. What is really confusing me at the moment is, why would any network device send duplicate ACKs? You send an ACK and that's that, you don't need to wait for another ACK to acknowledge the fact that you have just sent the ACK in the first place, so why send it?
Thanks in advance for any assistance on this because I will soon have no hair.
Cheers
Wayne
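The four capture tags discussed in this thread (Arani's definitions above, and the duplicate-ACK question in the last post) are all produced by a receiver or a sniffer comparing sequence and acknowledgement numbers against what it expected next. A receiver that gets a segment beyond a hole re-sends the ACK it already sent, so the number it repeats tells the sender which byte is still missing; after the third identical ACK (the original plus two duplicates) RFC 5681 lets the sender resend that byte without waiting for its timer, which is what the analyser labels a fast retransmission. The script below is an added example, not code from the thread or from Firewall.cx: it re-implements a simplified version of these expert-info heuristics over a constructed capture. Host labels "ISA" and "IIS" are placeholders, not addresses from Wayne's capture; unlike Wireshark it ignores window size, flags and timing, so it is an illustration of the logic, not a replacement for the tool.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Segment:
    """One captured TCP segment, reduced to the fields the analysis needs."""
    no: int        # frame number in the capture
    src: str       # sending host (constructed label)
    dst: str       # receiving host (constructed label)
    seq: int       # sequence number of the first payload byte
    ack: int       # acknowledgement number carried by the segment
    length: int    # payload bytes (0 for a pure ACK)


@dataclass
class SenderState:
    """Bookkeeping for one direction of a flow, keyed by (src, dst)."""
    next_seq: Optional[int] = None       # next byte we expect this sender to send
    last_ack: Optional[int] = None       # ack number of the last pure ACK it sent
    seen: Set[Tuple[int, int]] = field(default_factory=set)   # (seq, length) captured
    dup_acks: Dict[int, int] = field(default_factory=dict)    # ack number -> duplicates


def analyse(segments: List[Segment]) -> Dict[int, str]:
    """Tag segments the way a Wireshark-style TCP expert analysis would.

    Returns {frame_no: tag}; segments that look normal get no entry.
    """
    state: Dict[Tuple[str, str], SenderState] = {}
    tags: Dict[int, str] = {}
    for s in segments:
        st = state.setdefault((s.src, s.dst), SenderState())
        if s.length == 0:
            # A pure ACK repeating the previous ack number is a duplicate ACK:
            # the receiver saw something past a hole and repeats "I still need
            # byte <ack>" so the sender learns exactly what to resend.
            if s.ack == st.last_ack:
                st.dup_acks[s.ack] = st.dup_acks.get(s.ack, 0) + 1
                tags[s.no] = f"TCP Dup ACK {s.ack}#{st.dup_acks[s.ack]}"
            st.last_ack = s.ack
            continue

        peer = state.setdefault((s.dst, s.src), SenderState())
        if peer.dup_acks.get(s.seq, 0) >= 2:
            # Peer asked for this byte three times (original ACK + 2 dups):
            # RFC 5681 fast retransmit, no timer expiry needed.
            tags[s.no] = "TCP Fast Retransmission"
            peer.dup_acks.pop(s.seq)
        elif (s.seq, s.length) in st.seen:
            # Same bytes captured before: timeout-driven retransmission.
            tags[s.no] = "TCP Retransmission"
        elif st.next_seq is not None and s.seq < st.next_seq:
            # Earlier bytes arriving after later ones and never seen before:
            # the delayed segment described in the thread.
            tags[s.no] = "TCP Out-Of-Order"
        elif st.next_seq is not None and s.seq > st.next_seq:
            # A hole opened; the capture point never saw the bytes in between.
            tags[s.no] = "TCP Previous segment not captured"
        st.seen.add((s.seq, s.length))
        end = s.seq + s.length
        if st.next_seq is None or end > st.next_seq:
            st.next_seq = end
    return tags


def summarise(tags: Dict[int, str]) -> Dict[str, int]:
    """Count tags by kind, folding 'Dup ACK 201#1', '#2', ... into one bucket."""
    counts: Dict[str, int] = {}
    for tag in tags.values():
        kind = tag.rsplit(" ", 1)[0] if "#" in tag else tag
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed capture of one direction of data ("ISA" -> "IIS") plus the
# receiver's ACKs. Byte ranges are 1-based; each data segment is 100 bytes.
SAMPLE_CAPTURE = [
    Segment(1,  "ISA", "IIS", seq=1,   ack=1,   length=100),
    Segment(2,  "IIS", "ISA", seq=1,   ack=101, length=0),
    Segment(3,  "ISA", "IIS", seq=101, ack=1,   length=100),
    Segment(4,  "IIS", "ISA", seq=1,   ack=201, length=0),
    Segment(5,  "ISA", "IIS", seq=301, ack=1,   length=100),  # 201-300 never arrived
    Segment(6,  "IIS", "ISA", seq=1,   ack=201, length=0),    # "still need 201"
    Segment(7,  "ISA", "IIS", seq=401, ack=1,   length=100),
    Segment(8,  "IIS", "ISA", seq=1,   ack=201, length=0),
    Segment(9,  "ISA", "IIS", seq=501, ack=1,   length=100),
    Segment(10, "IIS", "ISA", seq=1,   ack=201, length=0),    # third identical ACK
    Segment(11, "ISA", "IIS", seq=201, ack=1,   length=100),  # missing piece resent
    Segment(12, "IIS", "ISA", seq=1,   ack=601, length=0),
    Segment(13, "ISA", "IIS", seq=701, ack=1,   length=100),  # 601-700 delayed in transit
    Segment(14, "ISA", "IIS", seq=601, ack=1,   length=100),  # ...and arrives late
    Segment(15, "ISA", "IIS", seq=701, ack=1,   length=100),  # plain retransmission
    Segment(16, "IIS", "ISA", seq=1,   ack=801, length=0),
]


if __name__ == "__main__":
    result = analyse(SAMPLE_CAPTURE)
    for frame in sorted(result):
        print(f"frame {frame:>2}: {result[frame]}")
    print(summarise(result))
```

Reading the output top to bottom shows the chain Arani describes: one uncaptured segment (frame 5) produces three duplicate ACKs from the receiver (6, 8, 10), which in turn explain the fast retransmission (11); a merely delayed segment (14) shows up as Out-Of-Order with no duplicate ACKs around it, and a timer-driven resend (15) is a plain Retransmission. In a real capture, a steady stream of Dup ACK / Fast Retransmission pairs on one port with none on its neighbours points at the link or port, which is why Jeremy's suggestion of moving the cable is a cheap first test.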