Wireshark mailing list archives
Re: How to interpret RTT graph
From: Sake Blok | SYN-bit <sake.blok () SYN-bit nl>
Date: Tue, 2 Apr 2019 10:36:08 +0200
Hi, I fully agree with Hugo with regards to needing to look at the (individual) packets to be able to explain this behaviour. There can be tons of reasons. I do have a hunch though, based on the two graphs. As the packet sizes are mostly below MSS, there might be a Nagle/DelayedACK issue in this traffic. Nagle would cause segments to not be sent immediately and DelayaedACK would could ACK's after the delayed ack timer expires (usually 200ms). But again, without looking at the packets, this is just speculating. Cheers, Met vriendelijke groet, Sake Blok Relational therapist for computer systems +31 (0)6 2181 4696 sake.blok () SYN-bit nl <mailto:sake.blok () syn-bit nl> SYN-bit Deep Traffic Analysis http://www.SYN-bit.nl <http://www.syn-bit.nl/>
On 28 Mar 2019 (Thu), at 10:06, Hugo van der Kooij <hugo.van.der.kooij () qsight nl> wrote: Graphs are just that. They can show you some information on where to focus your investigation. But now you have to get into the trenches and fight it out with the sessions in packet to packet combat. Based on just a graph there is no way to answer you questions. So you have to dig into the packet capture AND understand what you are looking at. There is now way to do that based on an interpretation (graph) of a packet capture in an environment no one here knows anything about. Sorry, my cristal ball is out for repairs and I'm not expecting it back anytime soon. Met vriendelijke groet / Kind regards, Hugo van der Kooij network engineer <image057856.png> <image999920.jpg> <image052689.jpg> T: +31 15 888 0 345 F: +31 15 888 0 445 <fax:+31%2015%20888%200%20445> E: hugo.van.der.kooij () qsight nl <mailto:hugo.van.der.kooij () qsight nl> I: www.qsight.nl <https://www.qsight.nl/> Arnhem <https://www.qsight.nl/contact/> ‑ Delft <https://www.qsight.nl/contact/> ‑ Veldhoven <https://www.qsight.nl/contact/> <image222234.png> <https://www.facebook.com/QSight-286897631697216/> <image228962.png> <https://www.linkedin.com/company/qsight-it> <image864457.png> <https://twitter.com/QSight_IT> <image018609.jpg> <http://www.kpn.com/tdd2019>-----Original Message----- From: Wireshark-users <wireshark-users-bounces () wireshark org> On Behalf Of L A Walsh Sent: Thursday, 28 March 2019 07:15 To: Community support list for Wireshark <wireshark-users () wireshark org> Subject: [Wireshark-users] How to interpret RTT graph I was looking to understand the Round Trip Time graph and why it seems to jump up and down between near 0 and 270ms. That doesn't make sense to me -- first I don't see how some of them would have an RTT time of near 0 -- I don't see how that would be possible, so I figure I don't understand how to read the graph. Also, I don't see why the RTT would jump up and down and why there are "gaps" in the graph like between 45-85 seconds, vs. almost a solid-like appearance between 380-410s. Here is the RTT and througput graphs I'm trying to decipher: https://i.imgur.com/4ijLxTJ.jpg It looks like I have a relatively low latency when the graph peaks at around 150ms, but then something causes a jump so that latency climbs to over 250ms. It also seems to be the case where I'm getting low latency that my throughput peaks with average packet length falling from 1500 down to <100bytes. I don't see any clear errors. or why there is such a sudden drop Should I be looking for some type of dropped packets or errors? Could this be cause by my ISP cutting bandwidth in a step-wise manner as a means to control? Or could this be some sort of buffer-bloat with some buffer filling up and something halting output to wait for some buffers to drain...?? Another possibility is the application on my end is running on a high speed internal net with a 9k jumbo frame size -- could the mismatch between that the external frame size of 1.5k be causing some type of hysteresis? Any ideas on how, if it is possible I might even this out? It sorta wreaks havok with the local application... Thanks! ___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users () wireshark org> Archives: https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fwww.wireshark.org%2flists%2fwireshark-users&c=E,1,8ZTsaNKt9SeZzVOdHVaJKKMZ34t7oRBLgJ8QJ3YXFu-GWQgY3-aqBRMtrYwzaHC1h0uBWfzcBeizriU4BhD935QttWCKY5uHvJhIxQkcz_9gLbwsSSZlvLYS7A,,&typo=1 Unsubscribe: https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fwww.wireshark.org%2fmailman%2foptions%2fwireshark-users&c=E,1,-snK-HCy8u_ZyNshnrpjna6CNcpbKQLU2YLFOkH8ZCyX51t8oIpMoSc3ZfuMAUXoj48UEJex4yovrTc1nJTL943AxSP6rl0x7xJOymGA3Msy64w,&typo=1 mailto:wireshark-users-request () wireshark org?subject=unsubscribe ___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users () wireshark org> Archives: https://www.wireshark.org/lists/wireshark-users Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe
___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users () wireshark org> Archives: https://www.wireshark.org/lists/wireshark-users Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe
Current thread:
- Re: How to interpret RTT graph Sake Blok | SYN-bit (Apr 02)