Detect packet drops

Carter Bullard carter at qosient.com
Tue Oct 25 22:33:49 EDT 2011


Hey Elof,
You can print % loss for a number of flow types, TCP, RTP, ESP, but if you aggregate all the flow records to try to get a singular loss ratio for the whole "wire", the way aggregation is done, we may not retain loss, if the protocols merged don't all have loss metrics. 

This is a hard detection problem, but you should be able to detect large %loss situations with existing tools.  If you print loss as a percent:
   racluster -r file -m proto -s stime dur sploss dploss - tcp

Do you get anything that looks useful?
Carter

Carter Bullard, QoSient, LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax

On Oct 25, 2011, at 10:17 AM, elof2 at sentor.se wrote:

> Hi Carter and list!
> 
> Is there any way to easily detect loss in SPAN-traffic?
> 
> If I mirror two 1 Gbps full-duplex ports to a 1 Gbps SPAN port, in theory the switch could try to copy 4 Gbps onto it, resulting in dropped packets.
> 
> The sniffer machine receiving the mirrored traffic could be heavily loaded and drop packets.
> 
> In protocols such as TCP, these drops are detectable, due to gaps in the sequence counters.
> 
> Generating a pcap-file, scp:ing it to a machine running wireshark and then looking at the expert info is such a hassle. I'm looking for a commandline tool that shows me when packets are missing (by printing a * for every missed packet) or gives me an estimated ratio of drops per minute.
> 
> Is there such a tool?
> 
> I'm guessing that argus can't help me, since it doesn't distinguish between loss and retransmissions in the 'flgs' field:
>               *     -  Both Src and Dst loss/retransmission
>               s     -  Src loss/retransmissions
>               d     -  Dst loss/retransmissions
> 
> /Elof
> 
> 
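
The sequence-gap idea raised in this thread, as an added example that is not part of the original messages and is not argus code: bytes the receiver ACKs but the sniffer never captured point to loss on the SPAN port or the capture host, while repeated bytes are retransmissions. The event tuples, function names and sample data are constructed for illustration; it assumes one direction of one flow, relative sequence numbers that do not wrap, and data seen by the sniffer before its ACK.

```python
def add_range(seen, start, end):
    """Merge [start, end) into disjoint ranges; return (ranges, newly seen bytes)."""
    overlap = sum(max(0, min(end, e) - max(start, s)) for s, e in seen)
    merged = []
    for s, e in sorted(seen + [(start, end)]):
        if merged and s <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], e))
        else:
            merged.append((s, e))
    return merged, (end - start) - overlap

def classify(events):
    """events: ("data", seq, length) from the sender, ("ack", ackno) from the receiver."""
    seen, acked = [], 0   # captured byte ranges, highest cumulative ACK
    stats = {"captured": 0, "retransmitted": 0, "acked_unseen": 0}
    for ev in events:
        if ev[0] == "data":
            _, seq, length = ev
            seen, new = add_range(seen, seq, seq + length)
            stats["captured"] += new
            stats["retransmitted"] += length - new   # bytes already captured once
        elif ev[1] > acked:
            ackno = ev[1]
            covered = sum(max(0, min(ackno, e) - max(acked, s)) for s, e in seen)
            # Receiver got these bytes, the sniffer did not: monitor-side loss.
            stats["acked_unseen"] += (ackno - acked) - covered
            acked = ackno
    return stats

def capture_loss_pct(stats):
    """Percent of delivered bytes that never reached the capture."""
    total = stats["captured"] + stats["acked_unseen"]
    return 100.0 * stats["acked_unseen"] / total if total else 0.0

# Constructed sample: bytes 2000-2999 never captured but ACKed; 4000-4999 sent twice.
SAMPLE = [
    ("data", 0, 1000), ("data", 1000, 1000), ("ack", 2000),
    ("data", 3000, 1000), ("ack", 4000),
    ("data", 4000, 1000), ("data", 4000, 1000), ("ack", 5000),
]

if __name__ == "__main__":
    result = classify(SAMPLE)
    print(result, "capture loss %.1f%%" % capture_loss_pct(result))
```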