This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How do I find cause of packet overruns?

I've just been stuck with solving an issue on a client's backup server. "Backup performance is awful" was my only description before being dumped into this situation on this beautiful (albeit cold) Saturday.

Anyways, we were seeing output packet drops at the switch (cisco 4509). Disabled QoS on all server ports and that immediately stopped.

However, the "interface details" tab in Wireshark shows an ever-increasing value under statistics "Packets not received due to overrun". Dozens of these a second.

I set up PRTG to monitor bandwidth; I'm seeing a steady 50,000 kbits/sec. The port isn't being throttled, near as I can tell.

Any tips how I can track down the cause of this "overrun"?

Any help is appreciated. Thank you.

asked 01 Dec '12, 12:12

JonnyTheG


One Answer:

"Packets not received due to overrun" is the number reported by an OID_802_3_RCV_OVERRUN request to the driver; the page for it says it's "The number of frames not received due to overrun errors on the NIC."

When the "Interfaces" dialog is open, the interfaces are all open and capturing packets (that's where the statistics in that dialog come from); the overruns may just mean that the machine running Wireshark isn't processing packets fast enough - and that's probably processing in Windows before the packets reach Wireshark/dumpcap, as "overrun errors on the NIC" means, I think, "packets are coming in faster than the host driver can remove them from the driver's ring buffer" or possibly even "faster than the NIC can handle them". If Wireshark is running on one of the machines involved with the backup, the problem may just be that there's too much traffic for the machine to handle.

If there were a program that reported adapter statistics such as the overrun count without doing any capturing, I'd suggest running that and seeing whether it reports overruns - if so, that means that the overruns can't be blamed on running Wireshark, in which case you're probably just overloading the machine. I don't know of one, though, and some Googling didn't turn anything up.

answered 02 Dec '12, 16:31

Guy Harris ♦♦

I think the server is overloaded, too. The value increments regardless of Wireshark being open, open and capturing, or closed.

(02 Dec '12, 19:47) JonnyTheG

A few things to check/consider.

  • if there is adapter teaming in place, disable it (if you can) and test again.
  • overruns can occur due to an overload (how many packets/s do you see in Wireshark) or due to problems with the NIC hardware or the interrupt handling in the OS (in conjunction with the driver). If the packet rate you see in Wireshark is not 'that high' (a few hundred packets per second or less), you might have a problem with the hardware (replace the NIC, update NIC firmware) or with the driver (update it).
(02 Dec '12, 23:18) Kurt Knochner ♦