mtillbrook Posted June 29, 2011

Is anyone any good at analysing Wireshark captures? I'm not basically! I've got a school whose network is producing a huge amount of network traffic that is causing problems. It's not a loopback. A 5 second capture from Wireshark is attached - if anyone can give me any ideas or useful tips, I would be very grateful!! Thanks!!

5second capture.zip

pantscat Posted June 29, 2011

I'd have a quick word with Mrs Gerard who appears to be doing a lot of file copy/move operations from workstation 172.19.41.135. Other than that... looks all pretty legit to me.

Diello Posted June 29, 2011

All of your traffic from 172.190.41.250 is creating IP checksum errors which is unlikely to be helping. I would presume this is a server - I would suggest you 1) upgrade the drivers on that machine's NIC, and 2) take a look at the settings on that machine's NIC and disable any Checksum Offload features (via Device Manager or the NIC's separate utility if one is available). See if that makes a difference.

ricki Posted June 30, 2011

Hi, I agree: 172.19.41.250 and 172.19.41.135 are both having illegal checksums; one might be the server. Try a different NIC card or driver. One of these might be the server receiving all the checksums from the client.

Richard
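
An added example, not part of any post in this thread: one way to tally IPv4 header checksum failures per source address from raw packet bytes, which is the check behind the errors reported for the two hosts above. The headers in SAMPLE are constructed, and the function names are hypothetical.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum (RFC 1071) over an even-length header."""
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def header_checksum_ok(packet: bytes) -> bool:
    """A valid IPv4 header, checksum field included, sums to 0xFFFF."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("malformed IPv4 header length")
    return ones_complement_sum(packet[:ihl]) == 0xFFFF

def build_header(src: str, dst: str, fill_checksum: bool) -> bytes:
    """Constructed 20-byte IPv4 header (protocol 6, TCP). With
    fill_checksum=False the field stays 0, as seen when a capture is
    taken before an offloading NIC has written the checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    if fill_checksum:
        csum = ~ones_complement_sum(hdr) & 0xFFFF
        hdr = hdr[:10] + struct.pack("!H", csum) + hdr[12:]
    return hdr

def bad_checksum_sources(packets) -> Counter:
    """Count packets with a failing header checksum per source address."""
    bad = Counter()
    for pkt in packets:
        if not header_checksum_ok(pkt):
            bad[str(IPv4Address(pkt[12:16]))] += 1
    return bad

# Constructed sample: addresses taken from the thread, contents invented.
SAMPLE = (
    [build_header("172.19.41.250", "172.19.41.135", False)] * 3
    + [build_header("172.19.41.135", "172.19.41.250", False)]
    + [build_header("172.19.41.135", "172.19.41.250", True)]
)

if __name__ == "__main__":
    for src, count in bad_checksum_sources(SAMPLE).most_common():
        print(f"{src}: {count} bad header checksum(s)")
```

If the failures all come from the machine the capture was taken on, repeating the capture from a different host or a mirror port shows whether the bad checksums are actually on the wire.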

ricki Posted June 30, 2011

Hi, I know this will be a silly question, but are you using a Windows 2008 server?

Richard

bio Posted July 1, 2011

You could try to disable those special NIC capabilities by running (in a dos box):

    netsh interface tcp set global rss=disabled
    netsh interface tcp set global chimney=disabled
    netsh interface tcp set global netdma=disabled

bio..

ricki Posted July 1, 2011

Have a look here for details: "Information about the TCP Chimney Offload, Receive Side Scaling, and Network Direct Memory Access features in Windows Server 2008". And are you using IPv6? If you are not, it might also be worth disabling IPv6 on the servers: "How to disable certain Internet Protocol version 6 (IPv6) components in Windows Vista, Windows 7, and Windows Server 2008".

Sorry, I forgot: are you getting event ID 2012 on the server?

Richard

mtillbrook Posted July 1, 2011

Hi guys,

Thanks for all the replies on this - I have done some of the things mentioned above and things seem to have calmed down a fair bit. Hopefully that will be the issues resolved now, but I'll post back if not!! Thanks again!

downloadkid Posted August 31, 2011

Just came across your post - thought I'd ask - did you check the switch logs for broken packets, runts etc.? Quite often things like this can be caused by a port mismatch: auto on one end, 100 full the other. Then what happens is that broken packets are dumped by the receiving node, which then proceeds to send out a resend request. So traffic builds up quick; worst case scenario, a broadcast storm.