This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

traffic drop after migration

Hi Experts, we have done a migration from one platform to another platform. After the migration, the traffic volume dropped more than 50%. We captured traffic with tcpdump and we see in Wireshark that there are many IP fragmentations and re-transmissions in the trace. How can I share this trace to see how healthy the traffic being generated is? Could the drop be due to fragmentation or re-transmission or something in the trace we could not understand? Please, your kind support is needed to check the trace.

asked 03 Jul '14, 02:02

hanikhatib


One Answer:

Hello, hanikhatib

You migrated what from which platform to which platform?

Here are some answers to your questions:

"How can I share this trace?"

"How much healthy traffic is being generated?"

  • Look at the relative sequence numbers if you are interested in healthy TCP traffic.

"Could the drop be due to fragmentation or re-transmission or something in the trace we could not understand?"

  • The drop (= packet loss) probably is due to fragmentation, as most firewalls won't allow fragmented IP traffic.
  • The re-transmission is a result of packet loss, not a cause.
  • It could be something that we don't understand yet, so back to answer number 1 if you want help from us ;-)

Regards Matthias


If I read your comment correctly you changed your network provider...

"we need to analyse the traffic ongoing"

As this is a best-effort Q&A site I think it's not the appropriate place to have an urgent problem analyzed. I'd suggest you engage a professional network troubleshooting service.

As for Wireshark handling: You can use editcap -i 60 to split large traces into smaller pieces, and using editcap -s 150 you can even shrink it some more so it would fit on CloudShark and would enable us to take a brief look at it from any device like a smart phone from anywhere. I don't usually carry a PC with Wireshark to look at traces in my leisure time ;-)

Anyhow as this is urgent, here's my 10.000 feet suggestion to what might be your problem.

Usually IP fragmentation should not occur as most modern IP stacks use PMTUD these days. This requires packet loss due to fragmentation required but would signal to the sender what the next hop's MTU size would be. This always comes with a delay and poor performance. I've seen this scenario happening when the traffic goes through a VPN infrastructure. To avoid this it is good practice for the VPN routers to reduce the MSS option in the SYN packets. This obviously does not happen in your (new core) environment.

So my suggestion would be to point your network provider to this URL:

http://lmgtfy.com/?q=adjust-mss

answered 05 Jul '14, 00:16

mrEEde

edited 05 Jul '14, 08:48

Hi Matthias

We migrated GPRS traffic from one telecom core GGN to a new core GGN. The performance on the new core is low compared to the previous core, even though the new core is much more powerful. We investigated all elements in the network without any major issue. Now we need to analyse the traffic ongoing. Please note that I captured a few mins of traffic and it is generating big traffic and I could not upload it to the cloudshark.org site, it is 15MB.

So I uploaded it to another web site. https://www.wetransfer.com/downloads/6a4b6206d2dab6439f6eec0aa1f6b17e20140705090105/1ff278f46f75daac7eecfc5e6877da9c20140705090105/dfd5c3

I hope you can have a look at the trace and give us any hint regarding the traffic in this capture. None of the team is able to analyse or understand what to do with this traffic capture or if it can tell us what is wrong.

It is very urgent to have any hand or support in this matter. I hope you can help us here. Many thanks in advance. BR hani

(05 Jul '14, 02:36) hanikhatib
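
One way to check a capture for the symptoms discussed in this thread, as an added example that is not part of the original posts: it counts IP fragments, ICMP "fragmentation needed" messages (the PMTUD signal) and the MSS values advertised in SYN packets. It assumes raw IPv4 packets without link-layer headers; the function names and the sample packets are constructed for illustration.

```python
import struct

def classify(pkt):
    """Inspect one raw IPv4 packet (no link-layer header)."""
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    offset = flags_frag & 0x1FFF                 # fragment offset, 8-byte units
    # A fragment has the MF bit (0x2000) set or a non-zero offset
    out = {"fragment": bool(flags_frag & 0x3FFF), "frag_needed_mtu": None, "syn_mss": None}
    l4 = pkt[(pkt[0] & 0x0F) * 4:]
    if offset:                                   # later fragments carry no L4 header
        return out
    if pkt[9] == 1 and len(l4) >= 8 and l4[:2] == b"\x03\x04":
        # ICMP type 3 code 4 "fragmentation needed": next-hop MTU (RFC 1191)
        out["frag_needed_mtu"] = struct.unpack("!H", l4[6:8])[0]
    elif pkt[9] == 6 and len(l4) >= 20 and l4[13] & 0x02:
        opts, i = l4[20:(l4[12] >> 4) * 4], 0    # options of a SYN or SYN/ACK
        while i + 1 < len(opts) and opts[i] != 0:
            size = 1 if opts[i] == 1 else opts[i + 1]    # NOP is a single byte
            if opts[i] != 1 and size < 2:                # malformed length, stop
                break
            if opts[i] == 2 and size == 4 and i + 4 <= len(opts):
                out["syn_mss"] = struct.unpack("!H", opts[i + 2:i + 4])[0]
            i += size
    return out

def summarize(packets):
    seen = [classify(p) for p in packets]
    pick = lambda k: [c[k] for c in seen if c[k] is not None]
    return {"packets": len(seen), "fragments": sum(c["fragment"] for c in seen),
            "frag_needed_mtu": pick("frag_needed_mtu"), "syn_mss": pick("syn_mss")}

# Constructed sample packets (checksums left at zero; nothing here validates them)
def ipv4(proto, payload, flags_frag=0x4000):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, flags_frag,
                       64, proto, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02") + payload

def tcp_syn(mss):
    opts = struct.pack("!BBH", 2, 4, mss) + b"\x01\x01\x01\x00"   # MSS, 3x NOP, EOL
    return struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 7 << 4, 2, 65535, 0, 0) + opts

SAMPLE = [ipv4(6, tcp_syn(1460)),                                  # SYN, MSS 1460
          ipv4(1, struct.pack("!BBHHH", 3, 4, 0, 0, 1400) + bytes(28)),  # ICMP 3/4
          ipv4(17, bytes(16), flags_frag=0x2000),                  # first fragment (MF)
          ipv4(17, bytes(16), flags_frag=0x0002),                  # last fragment
          ipv4(6, tcp_syn(1360))]                                  # SYN, reduced MSS

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Many fragments together with SYN packets that still advertise a full-size MSS is the pattern the answer attributes to missing MSS adjustment on the path.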