论坛徽章:: 0

电梯直达

1楼 [收藏(0)] [报告]

发表于 2006-08-12 21:35 |只看该作者 |倒序浏览

通过netstat -I enX -sp tcp\r\n收集发送的TCP包数和retransmit的包数，间隔一定时间过后\r\n再次收集这两个数值，分别相减后相除，可得出在此采样时间内的TCP重传率，通过一段时间的监控数据收集\r\n发现如下怪异现象：\r\n某主机A几乎没有重传，而主机B却受到大量重传拉率告警邮件（自己编写脚本收集数据，阈值30%)\r\n主机A和主机B接入同一台交换机，又经过ping测试\r\n主机A大包小包都能ping通，但主机B ping >=1473字节的包不能ping通\r\n已确认两台主机TCP/IP协议栈配置一样（IBM 小型机，操作系统AIX5.3），网卡MTU和配置参数一样，网卡型号，网卡微码，主机微码等环境一样，后又测试交换两台小机光纤网卡所连光纤线，主机B仍然是TCP重传率很高，请大家帮忙看看，多谢！\n\n[ 本帖最后由 eryk 于 2006-8-12 21:38 编辑 ]

eryk

白手起家

论坛徽章:: 0

2楼 [报告]

发表于 2006-08-12 22:35 |只看该作者

两台机器之间互相ping没问题\r\n但跨WAN ping就出现A机大包小包能ping通，B机ping >=1473的包不通，\r\n按理说A B都挂在一个交换机上，IP地址为同一子网\r\n目前的环境是A B 的前端连接了防火墙和4层交换设备

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

eryk

白手起家

论坛徽章:: 0

3楼 [报告]

发表于 2006-08-15 00:17 |只看该作者

使用iptrace抓包如下（任截取一时间）\r\nPacket Number 14031\r\nETH: ====( 60 bytes received on interface en2 )==== 20:07:00.579927920\r\nETH: [ 00:e0:fc:3d:45:83 -> 00:11:25:bd:3c:1b ] type 800 (IP)\r\nIP: < SRC = 10.195.0.68 > \r\nIP: < DST = 172.18.32.78 > (market)\r\nIP: ip_v=4, ip_hl=20, ip_tos=0, ip_len=40, ip_id=1282, ip_off=0\r\nIP: ip_ttl=62, ip_sum=a067, ip_p = 6 (TCP)\r\nTCP: <source port=10235, destination port=80(http) >\r\nTCP: th_seq=683658311, th_ack=0\r\nTCP: th_off=5, flags<SYN>\r\nTCP: th_win=1400, th_sum=b5b1, th_urp=0\r\n\r\nPacket Number 14032\r\nETH: ====( 60 bytes transmitted on interface en2 )==== 20:07:00.579969131\r\nETH: [ 00:11:25:bd:3c:1b -> 00:00:5e:00:01:20 ] type 800 (IP)\r\nIP: < SRC = 172.18.32.78 > (market)\r\nIP: < DST = 10.195.0.68 > \r\nIP: ip_v=4, ip_hl=20, ip_tos=0, ip_len=44, ip_id=25947, ip_off=0 DF\r\nIP: ip_ttl=60, ip_sum=20a, ip_p = 6 (TCP)\r\nTCP: <source port=80(http), destination port=10235 >\r\nTCP: th_seq=3816961830, th_ack=683658312\r\nTCP: th_off=6, flags<SYN | ACK>\r\nTCP: th_win=65535, th_sum=88b3, th_urp=0\r\nTCP: mss 1460\r\n\r\nPacket Number 14033\r\nETH: ====( 60 bytes received on interface en2 )==== 20:07:00.580263558\r\nETH: [ 00:e0:fc:3d:45:83 -> 00:11:25:bd:3c:1b ] type 800 (IP)\r\nIP: < SRC = 10.195.0.68 > \r\nIP: < DST = 172.18.32.78 > (market)\r\nIP: ip_v=4, ip_hl=20, ip_tos=0, ip_len=40, ip_id=1283, ip_off=0\r\nIP: ip_ttl=62, ip_sum=a066, ip_p = 6 (TCP)\r\nTCP: <source port=10235, destination port=80(http) >\r\nTCP: th_seq=683658312, th_ack=3816961831\r\nTCP: th_off=5, flags<FIN | ACK>\r\nTCP: th_win=1400, th_sum=9af7, th_urp=0\r\n\r\nPacket Number 14034\r\nETH: ====( 60 bytes transmitted on interface en2 )==== 20:07:00.580268565\r\nETH: [ 00:11:25:bd:3c:1b -> 00:00:5e:00:01:20 ] type 800 (IP)\r\nIP: < SRC = 172.18.32.78 > (market)\r\nIP: < DST = 10.195.0.68 > \r\nIP: ip_v=4, ip_hl=20, ip_tos=0, ip_len=40, ip_id=25948, ip_off=0 DF\r\nIP: ip_ttl=60, ip_sum=20d, ip_p = 6 (TCP)\r\nTCP: <source port=80(http), destination port=10235 >\r\nTCP: th_seq=3816961831, th_ack=683658313\r\nTCP: th_off=5, flags<ACK>\r\nTCP: th_win=65535, th_sum=a06f, th_urp=0\r\n\r\nPacket Number 14035\r\nETH: ====( 60 bytes received on interface en2 )==== 20:07:00.580271855\r\nETH: [ 00:e0:fc:3d:45:83 -> 00:11:25:bd:3c:1b ] type 800 (IP)\r\nIP: < SRC = 10.195.0.68 > \r\nIP: < DST = 172.18.32.78 > (market)\r\nIP: ip_v=4, ip_hl=20, ip_tos=0, ip_len=40, ip_id=1284, ip_off=0\r\nIP: ip_ttl=62, ip_sum=a065, ip_p = 6 (TCP)\r\nTCP: <source port=10235, destination port=80(http) >\r\nTCP: th_seq=683658312, th_ack=3816961831\r\nTCP: th_off=5, flags<FIN | ACK>\r\nTCP: th_win=1400, th_sum=9af7, th_urp=0\r\n\r\nPacket Number 14036\r\nETH: ====( 60 bytes transmitted on interface en2 )==== 20:07:00.580275395\r\nETH: [ 00:11:25:bd:3c:1b -> 00:00:5e:00:01:20 ] type 800 (IP)\r\nIP: < SRC = 172.18.32.78 > (market)\r\nIP: < DST = 10.195.0.68 > \r\nIP: ip_v=4, ip_hl=20, ip_tos=0, ip_len=40, ip_id=25949, ip_off=0 DF\r\nIP: ip_ttl=60, ip_sum=20c, ip_p = 6 (TCP)\r\nTCP: <source port=80(http), destination port=10235 >\r\nTCP: th_seq=3816961831, th_ack=683658313\r\nTCP: th_off=5, flags<ACK>\r\nTCP: th_win=65535, th_sum=a06f, th_urp=0\r\n\r\nPacket Number 14037\r\nETH: ====( 60 bytes transmitted on interface en2 )==== 20:07:00.580337749\r\nETH: [ 00:11:25:bd:3c:1b -> 00:00:5e:00:01:20 ] type 800 (IP)\r\nIP: < SRC = 172.18.32.78 > (market)\r\nIP: < DST = 10.195.0.68 > \r\nIP: ip_v=4, ip_hl=20, ip_tos=0, ip_len=40, ip_id=25950, ip_off=0 DF\r\nIP: ip_ttl=60, ip_sum=20b, ip_p = 6 (TCP)\r\nTCP: <source port=80(http), destination port=10235 >\r\nTCP: th_seq=3816961831, th_ack=683658313\r\nTCP: th_off=5, flags<FIN | ACK>\r\nTCP: th_win=65535, th_sum=a06e, th_urp=0\r\n\r\nPacket Number 14038\r\nETH: ====( 60 bytes received on interface en2 )==== 20:07:00.580728020\r\nETH: [ 00:e0:fc:3d:45:83 -> 00:11:25:bd:3c:1b ] type 800 (IP)\r\nIP: < SRC = 10.195.0.68 > \r\nIP: < DST = 172.18.32.78 > (market)\r\nIP: ip_v=4, ip_hl=20, ip_tos=0, ip_len=40, ip_id=1285, ip_off=0\r\nIP: ip_ttl=62, ip_sum=a064, ip_p = 6 (TCP)\r\nTCP: <source port=10235, destination port=80(http) >\r\nTCP: th_seq=683658313, th_ack=3816961832\r\nTCP: th_off=5, flags<ACK>\r\nTCP: th_win=1400, th_sum=9af6, th_urp=0\r\n\r\nPacket Number 14039\r\nETH: ====( 60 bytes received on interface en2 )==== 20:07:00.580828012\r\nETH: [ 00:e0:fc:3d:45:83 -> 00:11:25:bd:3c:1b ] type 800 (IP)\r\nIP: < SRC = 10.195.0.68 > \r\nIP: < DST = 172.18.32.78 > (market)\r\nIP: ip_v=4, ip_hl=20, ip_tos=0, ip_len=40, ip_id=1286, ip_off=0\r\nIP: ip_ttl=62, ip_sum=a063, ip_p = 6 (TCP)\r\nTCP: <source port=10235, destination port=80(http) >\r\nTCP: th_seq=683658313, th_ack=0\r\nTCP: th_off=5, flags<RST>\r\nTCP: th_win=1400, th_sum=b5ad, th_urp=0\r\n\r\n目前比较疑惑的地方\r\n1、为什么3步握手时发送SYN标志的客户端10.195.0.68MAC地址与\r\n服务器172.18.32.78返回SYN+ACK的包对应的MAC地址不是一样\r\n使用lscfg -vl 看服务器网卡MAC为001125BD3C1B\r\n网关171.18.32.1 MAC使用arp －a查看为\r\n ? (172.18.32.1) at 0:0:5e:0:1:20 [ethernet] stored in bucket 102\r\n ? (172.18.32.2) at 0:e0:fc:3d:45:83 [ethernet] stored in bucket 103\r\n返回SYN+ACK的MAC地址对应的IP地址却为172.18.32.2\r\n2、为什么3步握手还未结束，客户端10.195.0.68马上发送FIN+SYN的包\r\n\r\n请大家帮忙关注！

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

返回列表

Chinaunix › 论坛 › 备份版区 › AIX › 主机TCP重传率过高

主机TCP重传率过高 [复制链接]

浏览过的版块