  1. #1
    enjay

    Trace a Network Fault - Packet Capturing Help...

    So, we've got something generating a shed-load of traffic and killing our Internet connection. I've run a packet sniffer, but don't totally understand what I'm looking at, so was hoping for some help.

    The only broadcasts detected (scanned from my PC and from the DC server, but can try elsewhere as people advise...) are ARP requests to/from the servers and Internet gateway, which are presumably okay. There are LOTS of bad SMB2 and TCP packets between my PC and the server with an "incorrect header checksum" which apparently might be caused by "IP checksum offload" - is that something to be concerned about?

    I'll try port mirroring our Internet uplink too, since that seems to be where the issue is (that, or our Gig network is too fast for the bad packets/device to have a noticeable impact). That said, our DC server acts as DNS, so doesn't that mean that any Internet traffic would be visible from the server too?

  2. #2

    FN-GM
    Do you have some kind of router or firewall you can see where the traffic is coming from?

  3. #3
    enjay
    The router doesn't log traffic, so I'd need to set the sniffer up alongside it to get anything helpful.

  4. #4

    If you are RBC connected, or your ISP is friendly you could ask them to take a look at the traffic leaving your site.

    A more physical method would be to isolate your LAN from the firewall and bring it back switch by switch, starting with your servers.

    I don't suppose anyone has brought in a personal computer recently, running say iTunes Match?

  5. #5
    bio
    The "incorrect header checksum" problem can be solved by disabling ALL IP offload capabilities on your NIC (the machine you use for sniffing).

    regards
    bio..

  6. #6
    enjay
    Originally posted by bio:
    "The "incorrect header checksum" problem can be solved by disabling ALL ip offload capabilities on your NIC (the machine you use for sniffing)."
    Are incorrect header checksums an issue? I can go round every PC disabling the offloading, but obviously want to be reasonably sure it will solve the problem before going and doing it.

  7. #7

    I think bio meant "to eliminate the checksum error disable all offloading functionality on the NIC you are using to sniff the packets" rather than on all NICs on your LAN.
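
The checksum question raised in the posts above can be settled from the capture itself: with transmit checksum offload, the capture host's own outbound frames are recorded before the NIC fills in the checksum, so failures limited to that one source are a capture artifact. The following is an added example, not part of the thread; the addresses and packets are constructed, and the function names are hypothetical.

```python
import socket
import struct
from collections import Counter

def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement sum; returns 0 for a header whose checksum is valid."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_header(src: str, dst: str, payload_len: int, fill_checksum: bool) -> bytes:
    """Constructed sample data: a 20-byte IPv4 header carrying TCP."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                      64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    if fill_checksum:  # what the NIC does on the wire; skipped in an offloaded capture
        hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr

def classify(packets, sniffer_ip: str) -> Counter:
    """Split checksum failures by whether the capture host itself sent the frame."""
    counts = Counter()
    for pkt in packets:
        ihl = (pkt[0] & 0x0F) * 4              # header length in bytes
        if ipv4_checksum(pkt[:ihl]) == 0:
            counts["ok"] += 1
            continue
        src = socket.inet_ntoa(pkt[12:16])
        counts["bad_sent_by_sniffer" if src == sniffer_ip else "bad_from_others"] += 1
    return counts

def verdict(counts: Counter) -> str:
    if counts["bad_from_others"]:
        return "investigate: frames from other hosts arrived with bad checksums"
    if counts["bad_sent_by_sniffer"]:
        return "offload artifact: only the capture host's own outbound frames fail"
    return "clean"

SNIFFER, SERVER = "10.0.0.50", "10.0.0.10"     # constructed addresses
SAMPLE = [
    build_header(SNIFFER, SERVER, 512, fill_checksum=False),   # outbound, offloaded
    build_header(SNIFFER, SERVER, 1460, fill_checksum=False),  # outbound, offloaded
    build_header(SERVER, SNIFFER, 1460, fill_checksum=True),   # inbound, from the wire
    build_header(SERVER, SNIFFER, 64, fill_checksum=True),     # inbound, from the wire
]

if __name__ == "__main__":
    result = classify(SAMPLE, SNIFFER)
    print(dict(result), "->", verdict(result))
```

If the failures also appear on frames sent by other hosts, the offload explanation no longer covers them and they deserve a closer look.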

  8. #8
    enjay
    Yes, I got that. My question was whether having these checksum errors is a problem, or if I should continue looking for something else which is causing our issues...

  9. #9
    cpjitservices
    Are you SURE someone hasn't plugged a router or something in somewhere, or a switch, and it's causing your network to reconverge? I saw this at the college: stacks of switches and servers offline / not accessible via the network because someone plugged in a little Belkin router in one of the IT rooms, and it was a port that their PC was plugged into. The Belkin had DHCP enabled, and eventually computers etc. were requesting IP addresses from this router rather than from the correct DHCP server. The PCs that responded would lose all Internet connectivity because they were still logged on but had gotten a new IP but couldn't talk to the right gateway. It's worth double checking!

  10. #10
    enjay
    Thanks cpjitservices, but it isn't that - our issue is that something is pulling our Internet connection speed down. Run the router on its own, and we get 40Mb; plug our LAN into it and it immediately drops to 25Mb and then keeps going down until it levels out at 8Mb (at which point BT tether our service to that speed, so even when I remove the offending device, the connection doesn't resume, but that's another story). Sometimes, everyone loses Internet connectivity for a few seconds, during which time the router doesn't respond to pings. There's no evidence of this affecting the rest of our network, so I think it is Internet-bound traffic doing this, although that could be that we don't slave our 1Gb network enough to notice a drop in performance across that.

  11. #11

    Domino
    Originally posted by enjay:
    "Thanks cpjitservices, but it isn't that - our issue is that something is pulling our Internet connection speed down. Run the router on its own, and we get 40Mb; plug our LAN into it and it immediately drops to 25Mb and then keeps going down until it levels out at 8Mb (at which point BT tether our service to that speed, so even when I remove the offending device, the connection doesn't resume, but that's another story). Sometimes, everyone loses Internet connectivity for a few seconds, during which time the router doesn't respond to pings. There's no evidence of this affecting the rest of our network, so I think it is Internet-bound traffic doing this, although that could be that we don't slave our 1Gb network enough to notice a drop in performance across that."
    I had something similar not long ago, and turned out to be faulty ISP equipment - was a job proving it though.

    Is the network equipment set up for SNMP? Or can you? MRTG and NTOP may help you track down if it's a machine using all the bandwidth, or the bandwidth itself shrinking (may also point you to the offending article).
    MRTG - Tobi Oetiker's MRTG - The Multi Router Traffic Grapher
    http://www.ntop.org/

  12. #12
    enjay
    Not faulty ISP equipment, as we've swapped other equipment in and the problem remains.

    I'll give MRTG a try though - that looks more friendly than port-mirroring the router and running Wireshark on it. It may well allow me to identify the source without having to unplug everything too. Thanks.

  13. #13
    cpjitservices
    Dodgy cable(s) perhaps? Have you replaced all the cabling to rule it out?

  14. #14
    enjay
    Originally posted by cpjitservices:
    "Dodgy cable(s) perhaps? Have you replaced all the cabling to rule it out?"
    Not yet - I need to find where the issue is coming from before I start doing things like that...

  15. #15

    Is this really a problem for your users? (As an example, I used to have a 100Mb feed, but due to the way the RBC controlled the pipe no individual host got more than a few Mb/s at busy times, but they would all get a consistent capped amount - it annoyed those who felt they ought to get 100Mb/s but in reality it didn't affect their ability to teach or learn.)

    Is the problem still there out of hours?

    Have you tried isolating the fault by half-splitting your LAN? <-- this is really what I meant when I suggested isolating your router and then bringing things back switch by switch.
