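The packets captured with iptrace are shown below (I checked the network retransmission monitoring e-mail and extracted the packets exchanged during that time window):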
Packet Number 14031
ETH: ====( 60 bytes received on interface en2 )==== 20:07:00.579927920
ETH: [ 00:e0:fc:3d:45:83 -> 00:11:25:bd:3c:1b ] type 800 (IP)
IP: < SRC = 10.195.0.68 >
IP: < DST = 172.18.32.78 > (market)
IP: ip_v=4, ip_hl=20, ip_tos=0, ip_len=40, ip_id=1282, ip_off=0
IP: ip_ttl=62, ip_sum=a067, ip_p = 6 (TCP)
TCP: <source port=10235, destination port=80(http) >
TCP: th_seq=683658311, th_ack=0
TCP: th_off=5, flags<SYN>
TCP: th_win=1400, th_sum=b5b1, th_urp=0
Packet Number 14032
ETH: ====( 60 bytes transmitted on interface en2 )==== 20:07:00.579969131
ETH: [ 00:11:25:bd:3c:1b -> 00:00:5e:00:01:20 ] type 800 (IP)
IP: < SRC = 172.18.32.78 > (market)
IP: < DST = 10.195.0.68 >
IP: ip_v=4, ip_hl=20, ip_tos=0, ip_len=44, ip_id=25947, ip_off=0 DF
IP: ip_ttl=60, ip_sum=20a, ip_p = 6 (TCP)
TCP: <source port=80(http), destination port=10235 >
TCP: th_seq=3816961830, th_ack=683658312
TCP: th_off=6, flags<SYN | ACK>
TCP: th_win=65535, th_sum=88b3, th_urp=0
TCP: mss 1460
Packet Number 14033
ETH: ====( 60 bytes received on interface en2 )==== 20:07:00.580263558
ETH: [ 00:e0:fc:3d:45:83 -> 00:11:25:bd:3c:1b ] type 800 (IP)
IP: < SRC = 10.195.0.68 >
IP: < DST = 172.18.32.78 > (market)
IP: ip_v=4, ip_hl=20, ip_tos=0, ip_len=40, ip_id=1283, ip_off=0
IP: ip_ttl=62, ip_sum=a066, ip_p = 6 (TCP)
TCP: <source port=10235, destination port=80(http) >
TCP: th_seq=683658312, th_ack=3816961831
TCP: th_off=5, flags<FIN | ACK>
TCP: th_win=1400, th_sum=9af7, th_urp=0
Packet Number 14034
ETH: ====( 60 bytes transmitted on interface en2 )==== 20:07:00.580268565
ETH: [ 00:11:25:bd:3c:1b -> 00:00:5e:00:01:20 ] type 800 (IP)
IP: < SRC = 172.18.32.78 > (market)
IP: < DST = 10.195.0.68 >
IP: ip_v=4, ip_hl=20, ip_tos=0, ip_len=40, ip_id=25948, ip_off=0 DF
IP: ip_ttl=60, ip_sum=20d, ip_p = 6 (TCP)
TCP: <source port=80(http), destination port=10235 >
TCP: th_seq=3816961831, th_ack=683658313
TCP: th_off=5, flags<ACK>
TCP: th_win=65535, th_sum=a06f, th_urp=0
Packet Number 14035
ETH: ====( 60 bytes received on interface en2 )==== 20:07:00.580271855
ETH: [ 00:e0:fc:3d:45:83 -> 00:11:25:bd:3c:1b ] type 800 (IP)
IP: < SRC = 10.195.0.68 >
IP: < DST = 172.18.32.78 > (market)
IP: ip_v=4, ip_hl=20, ip_tos=0, ip_len=40, ip_id=1284, ip_off=0
IP: ip_ttl=62, ip_sum=a065, ip_p = 6 (TCP)
TCP: <source port=10235, destination port=80(http) >
TCP: th_seq=683658312, th_ack=3816961831
TCP: th_off=5, flags<FIN | ACK>
TCP: th_win=1400, th_sum=9af7, th_urp=0
Packet Number 14036
ETH: ====( 60 bytes transmitted on interface en2 )==== 20:07:00.580275395
ETH: [ 00:11:25:bd:3c:1b -> 00:00:5e:00:01:20 ] type 800 (IP)
IP: < SRC = 172.18.32.78 > (market)
IP: < DST = 10.195.0.68 >
IP: ip_v=4, ip_hl=20, ip_tos=0, ip_len=40, ip_id=25949, ip_off=0 DF
IP: ip_ttl=60, ip_sum=20c, ip_p = 6 (TCP)
TCP: <source port=80(http), destination port=10235 >
TCP: th_seq=3816961831, th_ack=683658313
TCP: th_off=5, flags<ACK>
TCP: th_win=65535, th_sum=a06f, th_urp=0
Packet Number 14037
ETH: ====( 60 bytes transmitted on interface en2 )==== 20:07:00.580337749
ETH: [ 00:11:25:bd:3c:1b -> 00:00:5e:00:01:20 ] type 800 (IP)
IP: < SRC = 172.18.32.78 > (market)
IP: < DST = 10.195.0.68 >
IP: ip_v=4, ip_hl=20, ip_tos=0, ip_len=40, ip_id=25950, ip_off=0 DF
IP: ip_ttl=60, ip_sum=20b, ip_p = 6 (TCP)
TCP: <source port=80(http), destination port=10235 >
TCP: th_seq=3816961831, th_ack=683658313
TCP: th_off=5, flags<FIN | ACK>
TCP: th_win=65535, th_sum=a06e, th_urp=0
Packet Number 14038
ETH: ====( 60 bytes received on interface en2 )==== 20:07:00.580728020
ETH: [ 00:e0:fc:3d:45:83 -> 00:11:25:bd:3c:1b ] type 800 (IP)
IP: < SRC = 10.195.0.68 >
IP: < DST = 172.18.32.78 > (market)
IP: ip_v=4, ip_hl=20, ip_tos=0, ip_len=40, ip_id=1285, ip_off=0
IP: ip_ttl=62, ip_sum=a064, ip_p = 6 (TCP)
TCP: <source port=10235, destination port=80(http) >
TCP: th_seq=683658313, th_ack=3816961832
TCP: th_off=5, flags<ACK>
TCP: th_win=1400, th_sum=9af6, th_urp=0
Packet Number 14039
ETH: ====( 60 bytes received on interface en2 )==== 20:07:00.580828012
ETH: [ 00:e0:fc:3d:45:83 -> 00:11:25:bd:3c:1b ] type 800 (IP)
IP: < SRC = 10.195.0.68 >
IP: < DST = 172.18.32.78 > (market)
IP: ip_v=4, ip_hl=20, ip_tos=0, ip_len=40, ip_id=1286, ip_off=0
IP: ip_ttl=62, ip_sum=a063, ip_p = 6 (TCP)
TCP: <source port=10235, destination port=80(http) >
TCP: th_seq=683658313, th_ack=0
TCP: th_off=5, flags<RST>
TCP: th_win=1400, th_sum=b5ad, th_urp=0
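What I am currently puzzled about:
1. Why is the MAC address of the client 10.195.0.68, which sends the SYN in the three-way handshake, not the same as the MAC address in the SYN+ACK packet returned by the server 172.18.32.78?
Using lscfg -vl, the server NIC's MAC is 001125BD3C1B.
The MAC of the gateway 171.18.32.1, viewed with arp -a, is: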
? (172.18.32.1) at 0:0:5e:0:1:20 [ethernet] stored in bucket 102
? (172.18.32.2) at 0:e0:fc:3d:45:83 [ethernet] stored in bucket 103
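Yet the IP address corresponding to the MAC address of the returned SYN+ACK is 172.18.32.2.
2. Why does the client 10.195.0.68 immediately send a FIN+SYN packet before the three-way handshake has finished?
Could everyone please take a look!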
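Question 1 above turns on which neighbour MAC each direction of the flow uses. As an added example (not part of the original post), this Python code parses the iptrace text layout shown above and reports, for one remote IP, the source MAC of received frames and the destination MAC of transmitted frames. The function names are hypothetical and the sample is an excerpt of the post's first two packets.

```python
import re

# Excerpt of packets 14031-14032 from the post, trimmed to the parsed fields.
SAMPLE = """\
Packet Number 14031
ETH: ====( 60 bytes received on interface en2 )==== 20:07:00.579927920
ETH: [ 00:e0:fc:3d:45:83 -> 00:11:25:bd:3c:1b ] type 800 (IP)
IP: < SRC = 10.195.0.68 >
IP: < DST = 172.18.32.78 > (market)
TCP: th_off=5, flags<SYN>
Packet Number 14032
ETH: ====( 60 bytes transmitted on interface en2 )==== 20:07:00.579969131
ETH: [ 00:11:25:bd:3c:1b -> 00:00:5e:00:01:20 ] type 800 (IP)
IP: < SRC = 172.18.32.78 > (market)
IP: < DST = 10.195.0.68 >
TCP: th_off=6, flags<SYN | ACK>
"""

FIELDS = {  # one regex per field of interest
    "dir": re.compile(r"bytes (received|transmitted) on interface"),
    "macs": re.compile(r"\[ ([0-9a-f:]+) -> ([0-9a-f:]+) \]"),
    "src": re.compile(r"SRC = ([\d.]+)"),
    "dst": re.compile(r"DST = ([\d.]+)"),
    "flags": re.compile(r"flags<([^>]+)>"),
}

def parse_iptrace(text):
    """Return one dict per packet: direction, (src, dst) MACs, IPs, TCP flags."""
    packets = []
    for block in re.split(r"^Packet Number \d+\n", text, flags=re.M)[1:]:
        hits = {k: rx.search(block) for k, rx in FIELDS.items()}
        packets.append({k: (m.groups() if k == "macs" else m.group(1))
                        for k, m in hits.items() if m})
    return packets

def l2_peers(packets, remote_ip):
    """Collect the MACs that remote_ip's packets arrive from and are sent to."""
    peers = {"received_from": set(), "transmitted_to": set()}
    for p in (p for p in packets if "macs" in p):
        if p.get("dir") == "received" and p.get("src") == remote_ip:
            peers["received_from"].add(p["macs"][0])
        elif p.get("dir") == "transmitted" and p.get("dst") == remote_ip:
            peers["transmitted_to"].add(p["macs"][1])
    return peers

def is_asymmetric(peers):
    """True when inbound and outbound frames use different neighbour MACs."""
    rx, tx = peers.values()
    return bool(rx and tx and rx != tx)
```

The prefix 00:00:5e:00:01 is the address range reserved for VRRP virtual routers, so the outbound MAC in this trace is a virtual gateway address, while the inbound MAC is the physical address listed for 172.18.32.2 in the arp -a output.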