Wireshark (Ethereal)

We just started noticing a flood of something that is taking our network down every so often during the day. We're guessing it's either a broadcast storm or faulty hardware on the network. We set up Wireshark and captured about 15 megs of data during one of these "episodes". I have just started looking into using this program; can anyone suggest what I should be looking for?

Email me the logs and I would be glad to look at them.


What I look for is a ton of ICMP requests. If you have this then you need to find the IGMP traffic that causes the ICMP flood. This can easily be avoided in the advanced network configuration by filtering the correct stuff.

The IGMP request will be a second before the flood; sometimes it can be hard to track.


Good luck.

It's a 15Mb log; do you mind a large email?

And my email is vince at vcweb.org.

No, send it to me.

Sent.

Was this sample taken during the outage?

As far as I know it was.

As far as I can tell that traffic looks completely normal. Make sure that it was captured during the flood. If it was, I would get a second opinion, then start looking at hardware/spectrum problems.

OK, thanks, I'll try to get one during a definite outage. Can you let me know what specifically I'm looking for in these logs?

If a BH link, switch, router, or Internet feed is getting saturated you will see this behavior, because you start dropping frames or packets and you get retries. This is exponential: once you hit the saturation point you get retries, which add more traffic, which causes more retries…

Our BH20 hit the wall at around 5M. The whole network would grind down and we'd get increased page timeouts, dropped VPN sessions, etc. VoIP would stop working. Upgraded the BH and have not seen that problem since.

Jerry Richardson wrote:

Our BH20 hit the wall at around 5M. The whole network would grind down and we'd get increased page timeouts, dropped VPN sessions, etc. VoIP would stop working. Upgraded the BH and have not seen that problem since.


Was this "normal" traffic or P2P 5M worth of traffic? That seems unacceptable to only "get" 5M (parallel) with a 20M backhaul.

5M seems a little low; what do your link test results show for throughput? I have only had latency go through the roof at saturation, not complete loss of connectivity.

20M BH = 14M aggregate.

We were configured for 50% DL = 7M up and down (business Internet service).

5M sustained will have 20 to 30% peaks hitting 7M. As soon as that 7M is hit, the retries start.

Link efficiency was fine, no interference.

We have virtually no P2P, and zero multicast traffic.

Some customers saw very slow page loads, others would see timeouts.

Aww, I got ya. I have all my 20M configured at 75%, so I would see like ~9/3M.

I have saturated SMs before; that's a comparable result.

Hey!

(excuse me)

We run our BH at 50% and our AP at 75%

I've often thought this may be less than ideal, but there are plenty of variables on any given network…

ahem… (cough)…

Has anyone had better/worse experience matching the AP% to the BH%?

How about the bandwidth settings in an AP? Anyone fooled around with setting the hard numbers to 75% or 50% of the sustained throughput in the uplink/downlink field, to match the AP downlink percentage? In conjunction with the BH percentage? Any burst in the AP?

How about BH links one removed from the source? What role does Master/Slave play in a BH link once removed, as pertains to uplink/downlink percentage?

Bueller?

What are we looking for with Wireshark, is it the TCP Retransmission?
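As an added example (not from any poster in this thread), here is a small Python check over a constructed list of decoded frames that implements the two things suggested above: an ICMP burst with an IGMP frame in the second before it, and repeated TCP sequence numbers as a proxy for retransmissions. The frame records and addresses are made up; in Wireshark itself the equivalent display filters are `icmp`, `igmp` and `tcp.analysis.retransmission`.

```python
from collections import Counter, defaultdict

# Constructed sample of decoded frames (seconds, protocol, addresses, TCP seq).
# These are made-up records, not a real capture; they just exercise the checks.
FRAMES = [
    {"t": 0.10, "proto": "TCP", "src": "10.0.0.5", "dst": "10.0.0.9", "seq": 1000},
    {"t": 0.20, "proto": "TCP", "src": "10.0.0.5", "dst": "10.0.0.9", "seq": 2000},
    {"t": 0.90, "proto": "IGMP", "src": "10.0.0.7", "dst": "224.0.0.1", "seq": None},
] + [
    # 120 ICMP frames in a little over a tenth of a second: the "flood"
    {"t": 1.50 + i * 0.001, "proto": "ICMP", "src": "10.0.0.7", "dst": "10.0.0.255", "seq": None}
    for i in range(120)
] + [
    {"t": 1.80, "proto": "TCP", "src": "10.0.0.5", "dst": "10.0.0.9", "seq": 2000},  # retry
    {"t": 2.40, "proto": "TCP", "src": "10.0.0.5", "dst": "10.0.0.9", "seq": 2000},  # retry again
]

def icmp_bursts(frames, threshold=100):
    """One-second buckets holding >= threshold ICMP frames, as (first_time, count)."""
    buckets = defaultdict(list)
    for f in frames:
        if f["proto"] == "ICMP":
            buckets[int(f["t"])].append(f["t"])
    return [(min(ts), len(ts)) for _, ts in sorted(buckets.items()) if len(ts) >= threshold]

def igmp_before(frames, burst_start, window=1.0):
    """IGMP frames seen in the `window` seconds just before a burst started."""
    return [f for f in frames
            if f["proto"] == "IGMP" and burst_start - window <= f["t"] < burst_start]

def tcp_retransmissions(frames):
    """Count TCP frames that repeat an already-seen (src, dst, seq) per direction.
    Wireshark marks retransmissions with the display filter tcp.analysis.retransmission."""
    seen, retries = set(), Counter()
    for f in frames:
        if f["proto"] != "TCP":
            continue
        key = (f["src"], f["dst"], f["seq"])
        if key in seen:
            retries[(f["src"], f["dst"])] += 1
        seen.add(key)
    return dict(retries)

def summarize(frames):
    """Tie the checks together: bursts, which IGMP sources preceded each, and retry counts."""
    bursts = icmp_bursts(frames)
    return {"icmp_bursts": bursts,
            "igmp_before_bursts": [[f["src"] for f in igmp_before(frames, s)] for s, _ in bursts],
            "tcp_retransmissions": tcp_retransmissions(frames)}
```

Calling `summarize(FRAMES)` on the constructed data reports one ICMP burst starting at 1.5 s, the IGMP source 10.0.0.7 seen just before it, and two retransmissions on the 10.0.0.5 to 10.0.0.9 flow.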