Identify reason for TCP retransmission

asked 2024-12-26 03:48:47 +0000

Dinged

updated 2024-12-26 04:12:12 +0000

I am experiencing slow SCP transfers between servers. MTU has been set to 9216 for all interfaces in the traffic path.

Below is the packet capture from an intermediate switch in the traffic path.

Any guidance will be appreciated!

TCP retransmission is occurring at packets 26, 36, 38.

1   0.000000 10.10.10.16 → 10.10.20.17 TCP 82 0xf762 (63330) 51661 → 22 [SYN, ECE, CWR] Seq=0 Win=65535 Len=0 MSS=8960 WS=512 SACK_PERM TSval=433249404 TSecr=0
2   0.000000 10.10.10.16 → 10.10.20.17 TCP 74 0xf763 (63331) 51661 → 22 [ACK] Seq=1 Ack=1 Win=71168 Len=0 TSval=433249404 TSecr=3052563362
3   0.000000 10.10.10.16 → 10.10.20.17 SSH 95 0xf764 (63332) Client: Protocol (SSH-2.0-OpenSSH_9.8)
4   0.029006 10.10.10.16 → 10.10.20.17 SSHv2 1290 0xf766 (63334) Client: Key Exchange Init
5   0.031004 10.10.10.16 → 10.10.20.17 SSHv2 154 0xf767 (63335) Client: Diffie-Hellman Key Exchange Init
6   0.039000 10.10.10.16 → 10.10.20.17 SSHv2 186 0xf768 (63336) Client: New Keys, Encrypted packet (len=96)
7   0.146996 10.10.10.16 → 10.10.20.17 SSHv2 138 0xf76b (63339) Client: Encrypted packet (len=64)
8   0.148003 10.10.10.16 → 10.10.20.17 SSHv2 154 0xf76c (63340) Client: Encrypted packet (len=80)
9   0.163001 10.10.10.16 → 10.10.20.17 SSHv2 186 0xf76f (63343) Client: Encrypted packet (len=112)
10   0.274995 10.10.10.16 → 10.10.20.17 TCP 74 0xf78e (63374) 51661 → 22 [ACK] Seq=1686 Ack=1870 Win=71168 Len=0 TSval=433249432 TSecr=3052563378
11   4.509028 10.10.10.16 → 10.10.20.17 SSHv2 170 0xfe60 (65120) Client: Encrypted packet (len=96)
12   4.526026 10.10.10.16 → 10.10.20.17 SSHv2 170 0xfe62 (65122) Client: Encrypted packet (len=96)
13   4.529032 10.10.10.16 → 10.10.20.17 SSHv2 234 0xfe63 (65123) Client: Encrypted packet (len=160)
14   4.557030 10.10.10.16 → 10.10.20.17 SSHv2 570 0xfe6f (65135) Client: Encrypted packet (len=496)
15   4.557030 10.10.10.16 → 10.10.20.17 SSHv2 154 0xfe70 (65136) Client: Encrypted packet (len=80)
16   4.563026 10.10.10.16 → 10.10.20.17 TCP 74 0xfe72 (65138) 51661 → 22 [ACK] Seq=2614 Ack=3214 Win=71168 Len=0 TSval=433249860 TSecr=3052563818
17   4.564033 10.10.10.16 → 10.10.20.17 SSHv2 138 0xfe73 (65139) Client: Encrypted packet (len=64)
18   4.572029 10.10.10.16 → 10.10.20.17 SSHv2 170 0xfe7c (65148) Client: Encrypted packet (len=96)
19   4.572029 10.10.10.16 → 10.10.20.17 SSHv2 170 0xfe7d (65149) Client: Encrypted packet (len=96)
20   4.612020 10.10.10.16 → 10.10.20.17 SSHv2 202 0xfe82 (65154) Client: Encrypted packet (len=128)
21   4.622029 10.10.10 ...

Comments

Retransmissions are triggered by a lack of ACK packets or by repeated DUP-ACK packets, so you need both flows of the TCP stream (cl->srv AND srv->cl) to be able to analyze this. You only provided the cl->srv flow in your output.

And sharing a pcap makes it so much easier for people on here to help you than using text output; there is a reason we like using Wireshark ;-)

SYN-bit ( 2024-12-26 09:07:50 +0000 )
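A simplified sketch of the point made in the comment above, added here as an example and not part of the original thread or Wireshark's own analysis logic: with both directions of the stream, a retransmission can be attributed to duplicate ACKs or to missing ACKs, while the client-to-server flow alone leaves the cause undetermined. The names `Pkt`, `classify_retransmissions` and `sample_capture` are hypothetical, and the packet records are constructed sample data.

```python
from collections import namedtuple

# One record per TCP segment seen at the capture point (relative seq/ack numbers).
Pkt = namedtuple("Pkt", "no dir seq length ack")
DUPACK_THRESHOLD = 3  # fast-retransmit threshold from RFC 5681

def classify_retransmissions(pkts, data_dir="c2s"):
    """Return {packet_no: likely cause} for retransmitted segments in data_dir."""
    ack_dir = "s2c" if data_dir == "c2s" else "c2s"
    have_reverse = any(p.dir == ack_dir for p in pkts)
    next_seq = 0     # highest sequence number already sent in data_dir
    last_ack = None  # latest cumulative ACK from the receiver
    dup_acks = 0     # pure ACKs that repeated last_ack
    causes = {}
    for p in pkts:
        if p.dir == ack_dir:
            if p.length == 0 and p.ack == last_ack:
                dup_acks += 1
            elif p.ack != last_ack:
                last_ack, dup_acks = p.ack, 0
        elif p.length > 0:
            if p.seq + p.length <= next_seq:  # these bytes were sent before
                if not have_reverse:
                    causes[p.no] = "unknown (reverse flow not captured)"
                elif p.seq == last_ack and dup_acks >= DUPACK_THRESHOLD:
                    causes[p.no] = "fast retransmit after %d dup ACKs" % dup_acks
                else:
                    causes[p.no] = "timeout (segment never ACKed)"
            next_seq = max(next_seq, p.seq + p.length)
    return causes

def sample_capture():
    """Constructed capture: segment 1001 is lost once, segment 5001 times out."""
    c2s = lambda no, seq: Pkt(no, "c2s", seq, 1000, 1)
    ack = lambda no, a: Pkt(no, "s2c", 1, 0, a)
    return [c2s(1, 1), c2s(2, 1001), c2s(3, 2001), c2s(4, 3001), c2s(5, 4001),
            ack(6, 1001), ack(7, 1001), ack(8, 1001), ack(9, 1001),
            c2s(10, 1001),             # resent after three duplicate ACKs
            ack(11, 5001), c2s(12, 5001),
            c2s(13, 5001)]             # resent with no ACK feedback at all

if __name__ == "__main__":
    full = sample_capture()
    print(classify_retransmissions(full))
    print(classify_retransmissions([p for p in full if p.dir == "c2s"]))
```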