Bart Schaefer wrote:
> > On 9/10/07, John R Pierce <pierce at hogranch.com> wrote:
> > wireshark can process and display packet capture files from
> > tcpdump -w
> >
> > capture a few megabytes of packets on the appropriate
> > interface of the firewall, then transfer them to a workstation
> > with Wireshark for analysis.
>
> OK, I've got some output from "tcpdump -w any" but I don't know
> precisely what I'm looking for. (I'd be happy to take this off-list.)
> I notice that just over 1/3 of the packets are TCP out-of-order
> segments and about 4% are duplicate ACKs.
>
> We also dumped eth0 and eth1 separately. Statistics on the "any"
> output show 26Mb/s, but eth0 and eth1 independently are only 10Mb/s
> each.
>
> By the way, those interrupts/sec numbers in my earlier message were
> off; I chose a bad moment to look at it, when the peak had subsided.
> At peak it's more like 2500-3000 interrupts/sec, sometimes as high as
> 3500.

int/sec is fine for your hardware.

Try a tcpdump of both the external and internal interface at the same
time. Try to focus on 1 prototypical stream of traffic from a known
host (like your own) to a known destination from connection open to
connection close. Then open up the dump in Wireshark and look at the
timestamps and if there are any resends with smaller MTUs and such. You
want to see if there is a large delay between sent packets and ACKs.

-Ross

______________________________________________________________________
This e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution or copying of this e-mail, and any attachments thereto, is strictly prohibited. If you have received this e-mail in error, please immediately notify the sender and permanently delete the original and any copy or printout thereof.
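The checks Ross describes doing by eye in Wireshark (delay between a data segment and the ACK that covers it, resent segments, duplicate ACKs) can also be scripted over a `tcpdump -w` file. The following is an added example written for this thread, not code from any poster; it parses libpcap format directly (Ethernet link type only, no checksum validation) with no third-party libraries. The client/server addresses, port numbers and the six-packet capture it builds inline are constructed sample data, chosen to contain one retransmission and one duplicate ACK so the output is easy to check.

```python
"""Offline TCP flow analyser for a tcpdump -w (libpcap) file.

Isolates one client->server stream and reports ACK delay per data
segment, retransmitted segments, and duplicate ACKs.  Added example;
the embedded capture is constructed, not a real trace.
"""
import socket
import struct
import sys

ETH_LEN = 14
PCAP_MAGIC = 0xA1B2C3D4
ACK = 0x10
PSH_ACK = 0x18


def parse_pcap(data):
    """Yield (timestamp, frame_bytes) for each record in a libpcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        end = "<"                      # file written little-endian
    elif magic == 0xD4C3B2A1:
        end = ">"                      # file written big-endian
    else:
        raise ValueError("not a libpcap file")
    linktype, = struct.unpack_from(end + "I", data, 20)
    if linktype != 1:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig = struct.unpack_from(end + "IIII", data, off)
        off += 16
        yield sec + usec / 1e6, data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return the fields we need from an IPv4/TCP frame, else None."""
    if len(frame) < ETH_LEN + 40 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    ip = frame[ETH_LEN:]
    if ip[9] != 6:                     # protocol field: 6 = TCP
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    tcp = ip[ihl:total_len]            # slicing by total_len drops frame padding
    sport, dport, seq, ack, off_flags = struct.unpack_from("!HHIIH", tcp, 0)
    doff = (off_flags >> 12) * 4
    return {"src": (socket.inet_ntoa(ip[12:16]), sport),
            "dst": (socket.inet_ntoa(ip[16:20]), dport),
            "seq": seq, "ack": ack, "flags": off_flags & 0x1FF,
            "payload": len(tcp) - doff}


def analyse(pcap_bytes, client, server):
    """Analyse the client->server data stream; endpoints are (ip, port)."""
    unacked = {}      # seq_end -> time the segment was first sent
    sent = set()      # (seq, len) of data segments already seen
    last_ack = None
    result = {"retransmissions": [], "ack_delays": [], "dup_acks": 0}
    for ts, frame in parse_pcap(pcap_bytes):
        p = parse_tcp(frame)
        if p is None:
            continue
        if p["src"] == client and p["dst"] == server and p["payload"]:
            key = (p["seq"], p["payload"])
            if key in sent:            # same bytes sent again = retransmission
                result["retransmissions"].append((round(ts, 3), p["seq"]))
            else:
                sent.add(key)
                unacked[p["seq"] + p["payload"]] = ts
        elif p["src"] == server and p["dst"] == client and p["flags"] & ACK:
            # a cumulative ACK covers every outstanding segment ending at or below it
            for end in sorted(k for k in unacked if k <= p["ack"]):
                result["ack_delays"].append((end, round(ts - unacked.pop(end), 3)))
            if p["payload"] == 0 and p["ack"] == last_ack:
                result["dup_acks"] += 1
            last_ack = p["ack"]
    return result


def build_frame(src, dst, seq, ack, flags, payload):
    """Constructed Ethernet/IPv4/TCP frame (checksums left at zero)."""
    tcp = struct.pack("!HHIIHHHH", src[1], dst[1], seq, ack, (5 << 12) | flags,
                      65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src[0]), socket.inet_aton(dst[0]))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def build_pcap(packets):
    """Constructed little-endian libpcap file from (timestamp, frame) pairs."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for ts, frame in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1e6))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


# Constructed sample: a client sends two 100-byte segments; the second is
# resent before the server finally ACKs it, then the server repeats that ACK.
CLIENT = ("10.0.0.5", 40000)           # assumed addresses, not from the thread
SERVER = ("203.0.113.10", 80)
SAMPLE = build_pcap([
    (0.000, build_frame(CLIENT, SERVER, 1, 1, PSH_ACK, b"A" * 100)),
    (0.120, build_frame(SERVER, CLIENT, 1, 101, ACK, b"")),
    (0.130, build_frame(CLIENT, SERVER, 101, 1, PSH_ACK, b"B" * 100)),
    (0.330, build_frame(CLIENT, SERVER, 101, 1, PSH_ACK, b"B" * 100)),  # retransmit
    (0.400, build_frame(SERVER, CLIENT, 1, 201, ACK, b"")),
    (0.410, build_frame(SERVER, CLIENT, 1, 201, ACK, b"")),             # duplicate ACK
])

if __name__ == "__main__":
    # Pass a real tcpdump -w file as argv[1] and adjust CLIENT/SERVER to the
    # stream you want; with no argument the constructed sample is analysed.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print(analyse(data, CLIENT, SERVER))
```

Run against the built-in sample it reports one retransmission of seq 101 at 0.33s, ACK delays of 0.12s and 0.27s (the second measured from the first transmission, which is what a user sees as latency), and one duplicate ACK. With a real capture taken on both firewall interfaces at once, running it on each file for the same stream shows directly whether the delay between data and ACK is introduced inside the box or beyond it.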