Detect packet drops
carter at qosient.com
Tue Oct 25 22:33:49 EDT 2011
You can print % loss for a number of flow types, TCP, RTP, ESP, but if you aggregate all the flow records to try to get a singular loss ratio for the whole "wire", the way aggregation is done, we may not retain loss, if the protocols merged don't all have loss metrics.
This is a hard detection problem, but you should be able to detect large %loss situations with existing tools. If you print loss as a percent:
racluster -r file -m proto -s stime dur sploss dploss - tcp
Do you get anything that looks useful?
Carter Bullard, QoSient, LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax
On Oct 25, 2011, at 10:17 AM, elof2 at sentor.se wrote:
> Hi Carter and list!
> Is there any way to easily detect loss in SPAN-traffic?
> If I mirror two 1 Gbps full-duplex ports to a 1 Gbps SPAN port, in theory the switch could try to copy 4 Gbps onto it, resulting in dropped packets.
> The sniffer machine receiving the mirrored traffic could be heavily loaded and drop packets.
> In protocols such as TCP, these drops are detectable, due to gaps in the sequence counters.
> Generating a pcap-file, scp:ing it to a machine running wireshark and then looking at the expert info is such a hassle. I'm looking for a command-line tool that shows me when packets are missing (by printing a * for every missed packet) or gives me an estimated ratio of drops per minute.
> Is there such a tool?
> I'm guessing that argus can't help me, since it doesn't distinguish between loss and retransmissions in the 'flgs' field:
> * - Both Src and Dst loss/retransmission
> s - Src loss/retransmissions
> d - Dst loss/retransmissions
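Added example, not part of the original message and not argus code: the sequence-gap idea from the quoted question, separating bytes the monitor never saw (a gap the receiver ACKs anyway) from real network loss (a gap later filled by a retransmission), reported per minute. The event tuple format and the sample events are constructed for illustration, and sequence wraparound is ignored.

```python
from collections import defaultdict

# Constructed sample, one TCP direction as seen on the mirror port:
# (time_s, kind, number, length); "data" carries a sequence number,
# "ack" carries the receiver's cumulative ACK. No sequence wraparound.
SAMPLE = [
    (0.0, "data", 1000, 500),
    (0.1, "data", 1500, 500),
    (0.2, "data", 2500, 500),   # bytes 2000-2499 not seen by the monitor
    (0.3, "ack", 3000, 0),      # receiver has them anyway: capture loss
    (61.0, "data", 3000, 500),
    (61.1, "data", 4000, 500),  # bytes 3500-3999 not seen
    (61.2, "ack", 3500, 0),     # receiver is missing them too
    (61.4, "data", 3500, 500),  # retransmission seen: real network loss
    (61.5, "ack", 4500, 0),
]

def capture_loss_per_minute(events):
    """Return {minute: (bytes_seen, bytes_missed, percent_missed)}."""
    holes = []        # [start, end) ranges sent but not yet seen
    next_seq = None   # one past the highest sequence byte seen
    stats = defaultdict(lambda: [0, 0])
    for ts, kind, num, length in events:
        minute = int(ts // 60)
        if kind == "data":
            start, end = num, num + length
            if next_seq is not None and start > next_seq:
                holes.append((next_seq, start))          # gap opens
            kept = []
            for h0, h1 in holes:                         # late data fills holes
                if end <= h0 or start >= h1:
                    kept.append((h0, h1))
                    continue
                if h0 < start:
                    kept.append((h0, start))
                if end < h1:
                    kept.append((end, h1))
            holes = kept
            stats[minute][0] += length
            next_seq = end if next_seq is None else max(next_seq, end)
        else:
            kept = []
            for h0, h1 in holes:                         # ACK above a hole
                missed = max(0, min(h1, num) - h0)
                stats[minute][1] += missed
                if h0 + missed < h1:
                    kept.append((h0 + missed, h1))
            holes = kept
    return {m: (s, x, round(100.0 * x / max(s + x, 1), 1)) for m, (s, x) in stats.items()}
```

In the sample, minute 0 reports 500 missed bytes because the ACK covers a gap the monitor never filled, while the gap in minute 1 is filled by a retransmission and counts as zero capture loss.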