(Bae) Stump the Expert! Packet Trace Whispering

Packet Trace Whispering
June 15, 2010
Hansang Bae
Senior Vice President | Citi (f.k.a. Citigroup)
Email: hansang@gmail.com
PLEASE REFER TO THE “ANSWERSHEET.DOCX” FILE FOR ADDITIONAL INFORMATION ABOUT THIS PRESENTATION.
THESE SESSIONS WILL BE AVAILABLE ON YOUTUBE: HTTP://WWW.YOUTUBE.COM/USER/HANSANGB
SHARKFEST ‘10
Stanford University
June 14-17, 2010
SHARKFEST ‘10 | Stanford University | June 14 –17, 2010
It’s Not the Network!
Problem: Application developers escalate an issue with slow database transfer.
Troubleshooting Steps:
1. What should you rule out immediately?
2. What affects throughput and why?
3. Once the “usual suspects” have been ruled out at Layers 2, 3, and 4, move up the stack.
4. Look for patterns and ask the right questions. Not everyone is fluent with TCP/IP!
5. Set up your Wireshark environment in a standard way. Use Configuration Manager to help you.
Don’t Jump to Conclusions!
Another application development team escalates a “slowness” problem.
Troubleshooting Steps:
1. Trust But Verify (tcp.analysis.flags)
2. Look for telltale signs of problems. (Blink: by Gladwell)
3. Who’s sending and who’s receiving? Is that important?
4. Apply Occam’s Razor when solving problems.
Sometimes, it really is a Zebra!
FTP Transfers to customers are failing and it’s up to you to figure out what’s going on.
Troubleshooting Steps:
1. What common FTP problems are there? (http://slacksite.com/other/ftp.html)
2. Rule out Firewall policies, rule out “non-intelligent” firewalls that cannot deal with embedded IP information.
3. If you’ve ruled out all the “possibles” …..
Odd Numbers are Evil!
Software Update System is slow in delivering packages to staging servers. It impacts 300,000+ users!
Troubleshooting Steps:
1. Usual Suspects (Duplex, Window size, Pkt loss, and LFN)
2. Use the information in the trace to eliminate some of the “usual suspects.” Some inefficiencies don’t come into play.
3. MTU problems are common, but MSS problems?
4. MSS is like “cache setting.” Anyone along the path can modify it!
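Added example (not from the original slides): a Python sketch of the check behind item 4. It reads the MSS option from the same SYN as captured on the sender's side and on the receiver's side, and reports whether a device on the path rewrote it. The header bytes and the values 1460 and 1380 are constructed sample data; tcp_options, syn_mss, compare_mss and build_syn are names chosen for this example.

```python
import struct

def tcp_options(tcp_header: bytes) -> dict:
    """Return {option kind: value bytes} for one raw TCP header."""
    hdr_len = (tcp_header[12] >> 4) * 4 if len(tcp_header) >= 20 else 0
    if not 20 <= hdr_len <= len(tcp_header):
        raise ValueError("truncated or malformed TCP header")
    opts, i = {}, 20
    while i < hdr_len:
        kind = tcp_header[i]
        if kind == 0:                      # End of Option List
            break
        if kind == 1:                      # NOP padding: one byte, no length field
            i += 1
            continue
        if i + 1 >= hdr_len:
            raise ValueError("option runs past end of header")
        length = tcp_header[i + 1]         # length covers kind + length + value
        if length < 2 or i + length > hdr_len:
            raise ValueError("bad option length")
        opts[kind] = tcp_header[i + 2:i + length]
        i += length
    return opts

def syn_mss(tcp_header: bytes):
    """MSS (option kind 2) advertised in a SYN, or None if the option is absent."""
    if not tcp_header[13] & 0x02:          # MSS is only negotiated in SYN segments
        raise ValueError("not a SYN segment")
    value = tcp_options(tcp_header).get(2)
    return struct.unpack("!H", value)[0] if value and len(value) == 2 else None

def compare_mss(sender_side: bytes, receiver_side: bytes) -> dict:
    """Compare the same SYN as seen at both capture points."""
    sent, seen = syn_mss(sender_side), syn_mss(receiver_side)
    return {"sent": sent, "received": seen, "rewritten": sent != seen}

def build_syn(mss: int) -> bytes:
    # Constructed sample SYN: MSS, NOP, NOP, SACK-permitted; checksum left at 0.
    opts = struct.pack("!BBH", 2, 4, mss) + bytes([1, 1, 4, 2])
    return struct.pack("!HHIIBBHHH", 49152, 21, 1000, 0, (28 // 4) << 4, 0x02, 65535, 0, 0) + opts

SENDER_SYN = build_syn(1460)     # constructed: SYN as it left the sender
RECEIVER_SYN = build_syn(1380)   # constructed: same SYN as it arrived

if __name__ == "__main__":
    print(compare_mss(SENDER_SYN, RECEIVER_SYN))
```

The check needs captures from both ends of the path: a trace taken at one end only shows the value that end sent or received, not whether it changed in between.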
New TCP Features to the Rescue!
If you have packet loss, Selective Acknowledgement (SACK) may help to improve throughput.
Main Concept:
1. How do you interpret the SACK field? (use real seq/ack#s)
2. How does SACK help vis-à-vis normal ACK?
3. What is Fast Retransmit and how is it different from “regular” Retransmission?
4. Is there a downside to using SACK?