Ask Your Question
0

Slow network.

asked 2024-08-01 18:10:02 +0000

Charadeur gravatar image

Okay I'm not really the infrastructure guy but I have a ton of issues on my clients network and am desperate enough to ask here. I suspect a loop or something similar as the client did all their own wiring. The first thing we noted was that voip phones would lose connectivity. But generally slow performance overall. And it has been intermittent but now seems to be all the time. So here is the capture if anyone has any ideas I would appreciate it. https://mega.nz/file/1fF2BbCQ#7wCDnBp...

edit retag flag offensive close merge delete
add a comment

2 Answers

Sort by ยป oldest newest most voted
0

answered 2024-08-02 20:43:06 +0000

SYN-bit gravatar image

Something is definitely looping in your network. 99,5% of the traffic comes from one IP address (10.1.1.104) and these packets have weird Ethernet source and destination addresses. It's only a couple of packets, but each is send ~50000 times:

$ tshark -r capture.pcapng -Y "eth.addr==81:00:00:0a:81:00" -T fields -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e ip.id | sort | uniq -c
50499 10.1.1.104    100.20.60.178   35582   443 0xaaf3
48607 10.1.1.104    100.20.60.178   35582   443 0xaaf4
48607 10.1.1.104    100.20.60.178   35582   443 0xaaf5
55784 10.1.1.104    52.34.143.227   40084   443 0xdd70
49893 10.1.1.104    52.34.143.227   40084   443 0xdd71
49890 10.1.1.104    52.34.143.227   40084   443 0xdd72
49887 10.1.1.104    52.34.143.227   40084   443 0xdd73
47561 10.1.1.104    52.34.143.227   40084   443 0xdd74
$

I would start looking at your switches to see on which port the source mac address (00:0a:81:00:00:0a) lives. And maybe shut down that port to see if the problems are gone. Then investigate what is causing this system to misbehave.

edit flag offensive delete link more

Comments

Thank you. That is what I was thinking but I'm the virtualization and server guy not the infrastructure guy. Well I guess I am now but that is another issue. LOL Anyway thanks again now if I can just find the loop. Not every switch in the environment is a managed switch. I might have to just start unplugging unmanaged switches and see which ones solves it.

Charadeur gravatar imageCharadeur ( 2024-08-05 12:49:32 +0000 )edit

Mixing managed and unmanaged switches, maybe each doing different versions of spanning-tree might not be the best way to connect your virtualization infrastructure ;-)

Good luck with the unplugging and plugging!

(TIP: take a bit of extra time to draw the L1 network diagram while you are in the cabinets, assuming you don't have one at the moment)

SYN-bit gravatar imageSYN-bit ( 2024-08-05 13:39:52 +0000 )edit
add a comment
0

answered 2024-08-02 14:00:26 +0000

hugo.vanderkooij gravatar image

Open Wireshark with the file. Go to Statistics => Conversations : See what stands out.

filter on tcp.analysis.flags notice that is all internet traffic. My guess you send more data then you internet line can handle and your packet get thrown out by the ISP.

Seems intentional. Be it that it is not efficient as a way to limit traffic.

edit flag offensive delete link more

Comments

Thank you that was a great suggestion. I'm still not sure what is going on but at least I have a device to look for that might be chatty.

Charadeur gravatar imageCharadeur ( 2024-08-02 17:36:07 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

subscribe to rss feed

Stats

Asked: 2024-08-01 18:10:02 +0000

Seen: 154 times

Last updated: Aug 02