Bart Schaefer wrote:
On 9/10/07, John R Pierce pierce@hogranch.com wrote:
Wireshark can process and display packet capture files from tcpdump -w. Capture a few megabytes of packets on the appropriate interface of the firewall, then transfer them to a workstation with Wireshark for analysis.
OK, I've got some output from "tcpdump -w any" but I don't know precisely what I'm looking for. (I'd be happy to take this off-list.) I notice that just over 1/3 of the packets are TCP out-of-order segments and about 4% are duplicate ACKs.
We also dumped eth0 and eth1 separately. Statistics on the "any" output show 26Mb/s, but eth0 and eth1 independently are only 10Mb/s each.
By the way, those interrupts/sec numbers in my earlier message were off; I chose a bad moment to look at it, when the peak had subsided. At peak it's more like 2500-3000 interrupts/sec, sometimes as high as 3500.
int/sec is fine for your hardware.
Try a tcpdump of both the external and internal interface at the same time. Try to focus on 1 prototypical stream of traffic from a known host (like your own) to a known destination from connection open to connection close.
Then open up the dump in wireshark and look at the timestamps and if there are any resends with smaller MTUs and such.
You want to see if there is a large delay between sent packets and ACKs.
-Ross
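Added example, not part of the original thread: one way to script the check suggested above, measuring the delay between each data segment of a single stream and the ACK that covers it, and listing segments that were resent. It assumes a per-interface capture with Ethernet framing in classic little-endian pcap format (a capture taken on the "any" pseudo-interface uses a different link-layer header) and ignores sequence-number wraparound; the addresses, ports and packets are constructed sample data.

```python
import struct

def parse_pcap(buf):
    """Yield (ts_us, src, sport, dst, dport, seq, ack, flags, paylen) per IPv4/TCP frame."""
    if struct.unpack_from("<I", buf, 0)[0] != 0xA1B2C3D4:
        raise ValueError("expected classic little-endian pcap")
    off = 24                                   # skip the global header
    while off + 16 <= len(buf):
        sec, usec, caplen, _ = struct.unpack_from("<IIII", buf, off)
        pkt = buf[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(pkt) < 54 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue                           # not Ethernet/IPv4/TCP
        ihl = (pkt[14] & 0x0F) * 4
        total = struct.unpack_from("!H", pkt, 16)[0]
        sport, dport, seq, ack, hf = struct.unpack_from("!HHIIH", pkt, 14 + ihl)
        paylen = total - ihl - (hf >> 12) * 4
        yield sec * 10**6 + usec, pkt[26:30], sport, pkt[30:34], dport, seq, ack, hf & 0x3F, paylen

def ack_delays(buf, host, port):
    """Return ([(seq, delay_us)], [retransmitted seqs]) for data sent by host:port."""
    pending, delays, resent = {}, [], []
    for ts, src, sport, dst, dport, seq, ack, flags, n in parse_pcap(buf):
        if (src, sport) == (host, port) and n > 0:
            if seq in pending:
                resent.append(seq)             # same segment seen again before its ACK
            else:
                pending[seq] = (seq + n, ts)   # keep the first send time
        elif (dst, dport) == (host, port) and flags & 0x10:
            for s in sorted(pending):          # a cumulative ACK covers earlier segments too
                if pending[s][0] <= ack:
                    delays.append((s, ts - pending.pop(s)[1]))
    return delays, resent

def frame(ts_us, src, sport, dst, dport, seq, ack, flags, payload=b""):
    """Build one pcap record (constructed test data; checksums left at zero)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0, src, dst)
    pkt = b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload
    return struct.pack("<IIII", ts_us // 10**6, ts_us % 10**6, len(pkt), len(pkt)) + pkt

C, S = bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10])   # constructed addresses
SAMPLE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join([
    frame(0,      C, 40000, S, 80, 1000, 1, 0x18, b"x" * 100),
    frame(20000,  S, 80, C, 40000, 1, 1100, 0x10),
    frame(30000,  C, 40000, S, 80, 1100, 1, 0x18, b"x" * 100),
    frame(330000, C, 40000, S, 80, 1100, 1, 0x18, b"x" * 100),   # retransmission
    frame(350000, S, 80, C, 40000, 1, 1200, 0x10),
])
```

Running `ack_delays` over the captures from the internal and external interfaces and comparing the delays for the same stream shows on which side of the firewall the time is being lost.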