[colug-432] possible LAN issues - tcp retransmits
Rick Hornsby
richardjhornsby at gmail.com
Fri May 22 18:13:17 EDT 2015
Background (skip this for the short version below) -

Had a widespread residential ISP outage a few weeks ago. It was only
down for a couple of hours, but when it came back the IPTV service was
bad - lots of pixelation and lost audio, etc - but it was also
intermittent. The problem is not related to the TV, the HDMI cables or
anything like that - the same DVR'd program shows the same problems at
the same time on two different TVs (common DVR storage). The problem
also happened on live tv (so not a DVR storage-specific issue).

After a few calls, they sent a tech out. By the time he came out, the
problem seemed to mostly be cleared up on its own - I couldn't
demonstrate the problem on live tv. He said that I wasn't the only one
complaining, that they'd found some part common to several houses that
was misbehaving (OLT maybe?). He also did a couple of things in the
house - changed an RG-6 filter, re-did an ethernet cable.

Everything looked fine when he left, but a day or so later a TV show
that was recorded had the really bad pixelation and audio again. I
called and they escalated the ticket. Since then, it seems to be fine -
a minor glitch or two is all I've noticed. The ISP called yesterday to
follow up with me, told them it seemed to be fine. They queried me
about what kind of gear was on the network in the house, and relayed
that they noticed a large amount of "chatter". When I pressed the guy
on the phone, he said that the notes said it looked like a lot of tcp
retransmit packets and that it might be a source of a problem. He also
said that it usually happens because some piece of equipment is failing.

Query -

I found some info on the interwebs about using tshark like so:

    tshark -Y "tcp.analysis.retransmission" -Tfields -e ip.src -e ip.dst

I'm not sure what to do with this information, or what constitutes an
unacceptable volume of retransmits. (This isn't showing me anything
about the rest of the un-retransmitted traffic for comparison.) tshark
on the basement server (archer) is spitting out a pair of IP addresses
(one itself, one remote) - maybe 250 of them in the last 20 minutes?

I'm running the same tshark command on my OSX box upstairs (aztec), but
it doesn't have a counter. Maybe 50 in the last 15 minutes?

I ran an ISP speed test from aztec (Flash based, so can't run it on
archer) and there was a burst of transmit packets (50? 100?) says
tshark. No idea if this is normal?

I don't know if this is related, but on archer, the arp table is full of
LAN IP addresses for devices that don't exist. There are 64 devices in
the table (The DHCP server shows only 12 devices with leases, which
seems more accurate), 45 of which are showing "incomplete". aztec only
has 1 incomplete entry, the rest look like they belong there.

Any thoughts on what to look at or how to better use tshark? Is
archer's arp table weirdness a red herring?

thanks!
-rj
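
Added example (not part of the original post): one way to put the retransmit count from the tshark command above in context is to capture all TCP packets and compute, per source/destination pair, the share that Wireshark flags as retransmissions. The interface name eth0, the 15-minute duration, the function names and the sample rows are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post.
# Expected input: tab-separated rows as produced by tshark's -T fields mode, e.g.
#   tshark -i eth0 -a duration:900 -Y tcp -T fields \
#          -e ip.src -e ip.dst -e tcp.analysis.retransmission
# (eth0 and the duration are assumptions.) The third column is taken to be
# non-empty only for packets flagged as retransmissions.

# Print "src -> dst <TAB> total <TAB> retransmits <TAB> percent" per pair,
# worst percentage first.
retrans_ratio() {
    LC_ALL=C awk -F '\t' '
        $1 == "" || $2 == "" { next }      # skip rows without IPv4 addresses
        {
            key = $1 " -> " $2
            total[key]++
            if ($3 != "") retx[key]++
        }
        END {
            for (k in total)
                printf "%s\t%d\t%d\t%.2f\n", k, total[k], retx[k] + 0,
                       100 * retx[k] / total[k]
        }' | LC_ALL=C sort -t "$(printf '\t')" -k4,4nr
}

# Helper: emit COUNT identical rows (count, src, dst, retransmission flag).
emit() {
    i=0
    while [ "$i" -lt "$1" ]; do
        printf '%s\t%s\t%s\n' "$2" "$3" "$4"
        i=$((i + 1))
    done
}

# Constructed sample (not real capture data): two LAN hosts, two remote hosts.
sample_capture() {
    emit 6  192.168.1.10 203.0.113.5  ""
    emit 2  192.168.1.10 203.0.113.5  1
    emit 4  203.0.113.5  192.168.1.10 ""
    emit 9  192.168.1.20 198.51.100.7 ""
    emit 1  192.168.1.20 198.51.100.7 1
    emit 3  ""           ""           ""   # e.g. IPv6 rows: no ip.src/ip.dst
}

sample_capture | retrans_ratio
```

Running the same capture on both hosts gives percentages that can be compared directly, which raw counts over different time windows cannot.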