Network Traffic Problems
Is anyone any good at analysing Wireshark captures? I'm not, basically! I've got a school whose network is producing a huge amount of network traffic that is causing problems. It's not a loopback.
A 5 second capture from Wireshark is attached - if anyone can give me any ideas or useful tips, I would be very grateful!
I'd have a quick word with Mrs Gerard, who appears to be doing a lot of file copy/move operations from workstation 172.19.41.135.
Other than that... looks all pretty legit to me.
All of your traffic from 188.8.131.52 is creating IP checksum errors, which is unlikely to be helping. I would presume this is a server - I would suggest you 1) upgrade the drivers on that machine's NIC, and 2) take a look at the settings on that machine's NIC and disable any Checksum Offload features (via Device Manager or the NIC's separate utility if one is available). See if that makes a difference.
I agree - 172.19.41.250 and 172.19.41.135 are both having illegal checksums; one might be the server. Try a different NIC or driver. One of these might be the server receiving all the checksums from the client.
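The "IP checksum errors" the two replies above are reading off the capture are simply frames whose IPv4 header checksum does not verify. The script below, added here as an example and not part of the original thread, recomputes that checksum (RFC 1071 one's-complement sum) over hand-built frames and tallies failures per source address, which is the same tally Wireshark's expert info gives you; the frames and addresses are constructed, not taken from the attached capture.

```python
"""Verify IPv4 header checksums in raw Ethernet frames and count bad ones per source IP."""
import struct
from collections import Counter
from ipaddress import IPv4Address


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit words with the checksum field zeroed."""
    hdr = header[:10] + b"\x00\x00" + header[12:]
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src: str, dst: str, checksum=None) -> bytes:
    """Constructed Ethernet II frame with a minimal 20-byte IPv4 header and no payload.
    checksum=None stores the correct value; pass an int to plant a wrong one."""
    eth = b"\x00" * 12 + b"\x08\x00"        # zero MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    if checksum is None:
        checksum = ipv4_checksum(ip)
    return eth + ip[:10] + struct.pack("!H", checksum) + ip[12:]


def bad_checksums_by_source(frames) -> Counter:
    """Count frames whose IPv4 header checksum fails verification, keyed by source IP."""
    bad = Counter()
    for frame in frames:
        if frame[12:14] != b"\x08\x00":     # not IPv4 (ARP, IPv6, ...): skip
            continue
        ihl = (frame[14] & 0x0F) * 4        # header length in bytes, options included
        ip = frame[14:14 + ihl]
        stored = struct.unpack("!H", ip[10:12])[0]
        if ipv4_checksum(ip) != stored:
            bad[str(IPv4Address(ip[12:16]))] += 1
    return bad


# Constructed sample standing in for the attached capture; the middle frame carries
# a zero checksum, which is what checksum offload typically leaves in a local capture.
CAPTURE = [
    build_frame("172.19.41.135", "172.19.41.250"),
    build_frame("172.19.41.250", "172.19.41.135", checksum=0x0000),
    build_frame("172.19.41.250", "172.19.41.135"),
]

if __name__ == "__main__":
    print(bad_checksums_by_source(CAPTURE))  # Counter({'172.19.41.250': 1})
```

If the capture was taken on the server itself, bad checksums on its own outbound frames are usually this offload artifact (the NIC fills the field after the capture driver sees the packet) rather than corruption on the wire; a capture from a mirror port on the switch settles which it is.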
I know this will be a silly question, but are you using a Windows 2008 server?
It is indeed Server 2008 R2.
You could try to disable those special NIC capabilities by running (in a DOS box):
netsh interface tcp set global rss=disabled
netsh interface tcp set global chimney=disabled
netsh interface tcp set global netdma=disabled
Have a look here for details: Information about the TCP Chimney Offload, Receive Side Scaling, and Network Direct Memory Access features in Windows Server 2008. And are you using IPv6? If you are not, it might also be worth disabling IPv6 on the servers.
How to disable certain Internet Protocol version 6 (IPv6) components in Windows Vista, Windows 7, and Windows Server 2008
Sorry, I forgot - are you getting event ID 2012 on the server?
Thanks for all the replies on this - I have done some of the things mentioned above and things seem to have calmed down a fair bit. Hopefully that will be the issue resolved now, but I'll post back if not!
Just came across your post - thought I'd ask - did you check the switch logs for broken packets, runts etc.? Quite often things like this can be caused by a port mismatch: auto on one end, 100 full on the other. Then what happens is that broken packets are dumped by the receiving node, which then proceeds to send out a resend request. So traffic builds up quickly; worst case scenario, a broadcast storm.