[Oisf-users] packet loss troubleshooting
Cooper F. Nelson
cnelson at ucsd.edu
Wed Dec 9 21:24:45 UTC 2015
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I use this script to troubleshoot "live" performance issues on our sensor.
> #!/bin/bash
>
> sudo tcpdump -tnn -c 100000 -i eth2 | awk -F "." '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -nr | awk ' $1 > 100 '
Adjust the interface and packet count (-c) as necessary for your system.
In our case, it turned out about 1/3 of our network traffic originates
from a single /24 on our ISP that uses for host CDN servers (like
Netflix).
- -Coop
On 12/9/2015 1:13 PM, Brandon Lattin wrote:
> Keep in mind that large flows can induce bursty packetloss.
>
> For instance, a perfSonar network monitoring device will test bandwidth
> by shoving many gigabytes of max MTU null padded packets through the
> pipe to a remote perfSonar box. This will result in the whole stream
> being buffered and fed to a single core due to tuple hashing. Chances
> are good that your buffer won't flush fast enough and you'll start
> dropping packets.
>
> Long story short. Know your traffic. See what netflow has to say.
- --
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
iQEcBAEBAgAGBQJWaJwdAAoJEKIFRYQsa8FWkN4H/24Az++Su5kP5kkcdv56A1qy
ljlfHBs3dJenU1PalBF2kBMlSBcN6SZSBpGXdlzIiLtNfCUlXO/uEX3KnNwgknRP
y2y08mAvL9V1l9COtV8k+aLvSO4tps16JTAPG47YkC2NAesIoSlS9wJOmzKvYoTD
cokPPLZbncgI58S4BHk53W+kwIrueUQ2PF6QfCyTei9+StVKyHbwDJnSs65GxYWx
fPmiGblBh6yfZ0fQSSYpBnjFLMGYcATtzPJVNQ1xDY/L5cYnLuEg4Q9oYDTIB0C1
wlrCZp9HvSGh93Nr/SM6GdH2vpzUuLSnwdtHsFbZVWbuooC+ymSc8cttYtSsHfw=
=oNwY
-----END PGP SIGNATURE-----
More information about the Oisf-users
mailing list