This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

99% is used for TCP but only 3% is in sum of sub-protocols!

Actually, our server is using 30Mb/s right now. We captured the current flow with Wireshark; however, what we saw is surprising: in Protocol Hierarchy Statistics, it shows that 99% of this huge traffic is from the TCP section, but when I click on the + sign to see sub-protocols, it just shows 3% of it is in HTTP and other protocols, and the source of the remaining 96% of the traffic is not shown at all.

I suspect ACK packets, as they are most of the packets in the capture. So what can cause this, and how can we fix it?

asked 07 Sep '14, 05:12

CIT Developer


One Answer:

The protocol hierarchy shows all protocols that Wireshark could determine, so e.g. for 99% TCP it determined 3% to be HTTP. You're right in saying that ACK packets are not classified as HTTP (even if they are part of an HTTP communication), since they do not carry an HTTP payload. If you download a huge file over HTTP, Wireshark may label the packets transporting the segments as TCP instead of HTTP, since there are no HTTP headers/keywords in that payload.

What you could do if you wonder about the protocols being used in that 99% is to use the Conversations Statistic to see what ports are used, and filter on conversations to see what content the TCP packets have. The protocol column of the packet list will tell you what protocol Wireshark determined, so if it says "TCP" it didn't find anything more specific.

Maybe you have standard protocols like HTTP running on non-standard ports, which may prevent Wireshark from determining what the conversations contain. For HTTP you can add more ports in the protocol preference setting to help Wireshark detect it.

answered 07 Sep '14, 08:51

Jasper ♦♦

Thanks for your help. Actually, it was related to the NetLimiter application; there was something related to it. After I uninstalled NetLimiter, the ACK packets were just gone.

(07 Sep '14, 10:17) CIT Developer
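
The per-port breakdown suggested in the answer, as an added example (not part of the original thread and not Wireshark code): a Python sketch that tallies TCP segments in a classic pcap by port and separates zero-payload segments such as bare ACKs from payload-carrying ones. The capture is constructed inline; port 8080, the addresses and the "lower port is the service port" rule are assumptions.

```python
import struct
from collections import defaultdict

def tcp_breakdown(pcap: bytes) -> dict:
    """Per-port tally for a little-endian Ethernet pcap: total TCP packets,
    zero-payload segments (bare ACKs and similar) and payload bytes."""
    magic, linktype = struct.unpack_from("<I16xI", pcap, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian pcap with Ethernet link type")
    stats = defaultdict(lambda: {"packets": 0, "no_payload": 0, "payload_bytes": 0})
    off = 24                                    # skip the pcap global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, off + 8)[0]
        pkt = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(pkt) < 54 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue                            # not IPv4/TCP
        ihl = (pkt[14] & 0x0F) * 4              # IPv4 header length in bytes
        ip_total = struct.unpack_from("!H", pkt, 16)[0]
        tcp = 14 + ihl
        sport, dport = struct.unpack_from("!HH", pkt, tcp)
        data_off = (pkt[tcp + 12] >> 4) * 4     # TCP header length in bytes
        payload = ip_total - ihl - data_off
        s = stats[min(sport, dport)]            # assumption: lower port = service
        s["packets"] += 1
        s["no_payload"] += int(payload == 0)
        s["payload_bytes"] += payload
    return dict(stats)

def frame(sport, dport, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame, ACK flag set, checksums left zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x10, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def sample_pcap():
    """Constructed capture: HTTP on non-standard port 8080 plus three bare ACKs."""
    frames = [frame(8080, 50000, b"HTTP/1.1 200 OK\r\n\r\n"),
              frame(8080, 50000, b"\x00" * 1000),   # file body, no HTTP keywords
              frame(50000, 8080), frame(50000, 8080), frame(50000, 8080)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for port, s in tcp_breakdown(sample_pcap()).items():
        print(port, s)
```

A port with a high `no_payload` share and few payload bytes matches the ACK-heavy pattern from the question; a port with large payloads that Wireshark still labels "TCP" is a candidate for the HTTP port preference the answer mentions.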