[SWLUG] Sniffing for dud packets

bryn hagbard at nildram.co.uk
Tue Jun 3 19:18:07 UTC 2003


Foeh,
I'm not sure if I've got an answer for you but..

> In the school where I work there is a 100 meg fibre link from the server room 
> off to a computer lab at the other end. I suspect it's had it in some way or 
> another since the network that spurs off it is very slow <snip>

Seems reasonable.

> 
> Anyway, I started doing some pings etc and noticed it was losing about 2 to 4% 
> when the network wasn't loaded very much, when I bumped up the packet size to 
> about 13k and did it with some traffic on the network it started dropping 
> more like 40% - I'm not sure if I'm being paranoid but that seems pretty dire 
> because 13k is one segment, and in any case you shouldn't just lose that much 
> stuff on a switched network, right?

Not unless the equipment is in some way faulty. I've seen exactly this
kind of behaviour (seems ok at low rates / small packet sizes, bombs
horribly as you increase load) on copper ether. This has been as a
result of faults at almost every point in different cases. NICs (faults,
bad drivers, dying h/ware), cables, switches etc. It seems ok under
light load but keels when stressed.

Have you got access to the netperf tools?

http://www.netperf.org/netperf/NetperfPage.html

Mainly a *nix thing, but I believe you can build them on windows;
they're very good at hammering network hardware. netperf consists of a
server which you run at one end and a client which generates the traffic
stream. Does tcp/udp and some of the more exotic protocols iirc and it's
also got features for less common transports like atm. You can run one
or two way tests to check for duplex problems. It's simple but effective.

> I thought I might try sniffing some traffic but it didn't turn up an awful lot 
> (except a load of spanning tree spam from a cisco switch owned by county) but 
> I thought maybe it wouldn't since either the switch or the stack would be 
> dropping corrupt stuff before it got to my sniffer.

Think you're right here. Afaik, switched networks normally drop packets
from the outgoing queues in the switches (the queue's full trying to
send over a bad/congested link) so they'd never get to the host you're
sniffing from.

Just a thought, but what's the normal utilization of the link?

>I stole a junk machine and sneakily installed BSD on it, so 

Fantastic! netperf loves BSD...

> run *nix on either end, just not sure what!
gentoo's nice ;)

> The networks guy said you can have a maximum of 2 devices (switches) between 
> any 2 PCs on 100 meg, any more and it won't work. I thought that was just 
> hubs, but I could be wrong.

I've not read that. We definately have more than 2 switches between
machines at work and don't suffer these problems. The route from my desk
to the test cluster I work on goes:

My Box-> switch-> switch-> (long-stretch)-> switch-> Test bed router.

There is an issue with switched networks where packets get in a feedback
loop, called a 'storm' (happens because switches have no concept of
ttl). I've no idea if this could be what's effecting you though as for
me it's a theoretical concept - never seen a wild one. I just wondered
if the bit with the switch at the end you're unsure of could contain a
routing loop.

http://sakima.ivy.net/~carton/academia/switch-bad.html

For a good (if a bit evangelically anti-switch :) description.

This apparently is behind sun's decision to switch to TCP as the default
transport for NFS. The lack of ack'ing in UDP made it too unreliable in
switched networks. As I write that I remember that I'm having strange
and occasional problems with UDP NFS on the link I described above. Hmm.

I might have to think about this some more! (incase anyone else has seen
this, the NFS problem is that the fss go out of sync - updates on the
server are not propagated to the client - even rm'ing files - but the
client doesn't freeze as though it's lost the connection. fuser reports
no processes using the fs btw). I had thought it was due to something on
the server but it's not a big problem and I've not had time to look 
into it.

I'll shurrup now ;)

By the way - I'm new to the list so Hi All! Sorry to make my first
posting such a waffly one! I'll hopefully make it along to one of the
Cardiff meets soon.

Bryn






More information about the Swlug mailing list