Sweet--talking about a great source of information in networking! :-) Laura, please allow me to respond inline:
> If you can capture on both sides of the firewall with two time synced WS
> systems then you can merge the trace files and note the delay at the
> firewall.

[Small, James] That sounds like a great idea but I'm a little unclear on how to do it. So, if I have two XP computers synced to the same ntp server (with the built-in SNTP Windows client) and start the captures at close to the same time, would I then be able to use mergecap to successfully merge them in order? If so, I believe that's something I can do remotely and perhaps take another stab at this problem.

> 10% is really high - now it may be that there is packet loss somewhere
> upstream (closer to the HTTP server) and it's not your firewall's fault at

[Small, James] The problem definitely exists without the firewall. However, I'm not letting myself off the hook as the firewall measurably exacerbates the issue. One off the wall idea - the site had two T1's (3.0 Mbps) multiplexed via PPP before. The problems seem to start close to around when they added a third T1 (again via PPP) for a total of approx 4.5Mbps. Is there any chance that this could cause issues - seems to be a pretty standard provider setup...

> all. When we a high number of lost packets (which, during the file download
> will cause duplicate ACKs from the client and retransmissions from the
> server) we'll run ping plotter or ping path to identify where packet loss may
> be occurring - you're kind of comparing apples to oranges, however and may
> find your itty bitty pings go flying through while larger packets are
> dropped. We have noted a router upstream from us that is dropping packets
> through this process, however.
>
> Do you only find the packet loss when the firewall is in place? Have you
> tried jacking in outside the firewall to perform the same download? What
> latency times are you seeing? If your duplicate ACK count gets really high
> (not just up to DUPE ACK #2 or so), then you may look into latency issues as
> well.

[Small, James] There is packet loss/issues with or without the firewall - the firewall just seems to exacerbate it for some reason. When I connect directly to the router (outside of the firewall) I get measurably better performance but I still have somewhat erratic performance and have never been able to get the advertised bandwidth on the connection - even at night with 0 traffic.

I did set up PRTG to do pings every 10 seconds (32 bytes) to the ISP's edge router and the first hop router in Chicago (believe at the Chicago NAP). The ISP edge router (12 hops from site) varies between 10-100+ ms for latency. I notice that when the performance becomes erratic, the ping latency times spike. The Chicago router (15 hops from site) varies between 15-130+ ms with occasional drops.

One more thing I didn't mention - the problems are mainly between 7-3 when they have their peak load. However, they are usually not getting to more than 70% of their theoretical bandwidth capacity so I'm not sure that it's necessarily a bandwidth problem. When you look at an SNMP graph of their bandwidth usage, it doesn't seem like they are maxing out much and when they do it's very short lived.

Ping plotter looks very slick - I just set it up. It appears to give much more detail than other ping/tracert programs I've used. I'll be interested to see what it shows me next week.

Any other thoughts?

Thanks,
--Jim
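
Added example, not part of the original email: one way to turn the two-sided capture idea discussed above into numbers, by matching the same packet on both sides of the firewall and separating the firewall delay from the clock offset left by coarse SNTP sync. The records are constructed; the function names, the tuple layout, and the assumptions that the firewall leaves IP ID and TCP sequence numbers unchanged and delays both directions equally are this example's own.

```python
from statistics import median

# Constructed sample records (not from a real capture):
# (timestamp_s, direction, ip_id, tcp_seq); "out" = LAN -> Internet, "in" = reverse.
# The outside capture host's clock is 50 ms ahead; true firewall delay is 2 ms.
INSIDE = [
    (10.000, "out", 101, 1000), (10.010, "out", 102, 2460),
    (10.020, "out", 103, 3920),                       # never appears outside
    (10.102, "in", 501, 7000), (10.112, "in", 502, 8460),
]
OUTSIDE = [
    (10.052, "out", 101, 1000), (10.062, "out", 102, 2460),
    (10.150, "in", 501, 7000), (10.160, "in", 502, 8460),
]

def index(records):
    """Map (direction, ip_id, tcp_seq) -> first timestamp; duplicates keep the first."""
    seen = {}
    for ts, direction, ip_id, seq in records:
        seen.setdefault((direction, ip_id, seq), ts)
    return seen

def firewall_delay(inside, outside):
    """Return (delay_s, clock_offset_s, packets_missing_after_firewall)."""
    ins, outs = index(inside), index(outside)
    raw = {"out": [], "in": []}
    for key in ins.keys() & outs.keys():
        if key[0] == "out":                 # outbound: seen inside first
            raw["out"].append(outs[key] - ins[key])
        else:                               # inbound: seen outside first
            raw["in"].append(ins[key] - outs[key])
    if not raw["out"] or not raw["in"]:
        raise ValueError("need matched packets in both directions")
    m_out, m_in = median(raw["out"]), median(raw["in"])
    # raw "out" = delay + offset, raw "in" = delay - offset (assumed symmetric delay)
    delay = (m_out + m_in) / 2
    offset = (m_out - m_in) / 2
    missing = sorted(
        [k for k in ins if k[0] == "out" and k not in outs]
        + [k for k in outs if k[0] == "in" and k not in ins]
    )
    return delay, offset, missing

if __name__ == "__main__":
    d, off, missing = firewall_delay(INSIDE, OUTSIDE)
    print(f"delay {d*1000:.1f} ms, clock offset {off*1000:.1f} ms, missing {missing}")
```

Without the offset correction, the one-way figures in a merged trace would show the 50 ms clock error rather than the firewall's own delay.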