
I am currently using the following command in Linux to get specifics on network problems.

tshark -r file.pcap -q -z io,stat,1,\
"COUNT(tcp.analysis.retransmission) tcp.analysis.retransmission",\
"COUNT(tcp.analysis.duplicate_ack) tcp.analysis.duplicate_ack",\
"COUNT(tcp.analysis.lost_segment) tcp.analysis.lost_segment",\
"COUNT(tcp.analysis.fast_retransmission) tcp.analysis.fast_retransmission"

This outputs a nice table with lots of good information. However, I would like to know what other columns I could add to get more things like incorrect checksums, and something that could possibly point out network congestion. Pretty much anything needed to point out performance problems.

user53029

1 Answer

Network congestion is usually well handled by TCP itself using either slow-start, congestion avoidance, or fast-retransmit / fast-recovery algorithms described in RFC 2581. TCP will try to fix things up before significant congestion happens.

Now if you are in a very particular case, you could add the RTT measurement and its variance, track the sender's window size (cwnd) and trace CWR and ECE flags appearance.

PS: Checksum processing is commonly offloaded to the NIC driver so it won't be a good metric to monitor as it will appear broken in libpcap-based tools.

Xavier Lucas
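As an added example (not part of the question or the answer above), here is a POSIX shell script that extends the question's tshark invocation with the kind of columns the answer suggests: RTT as MIN/AVG/MAX of tcp.analysis.ack_rtt (io,stat has no variance function, so the min/max spread is the closest stand-in), the advertised receive window plus zero-window and window-full events, and counts of segments carrying the CWR and ECE flags. It then flags intervals whose retransmission count crosses a threshold, which is the first thing to look at when hunting for a congested link. The field names are standard Wireshark TCP fields; the sample table rows are constructed to approximate tshark's io,stat layout, and the column index handed to flag_intervals is an assumption about that layout, so check it against the real header line for your tshark version.

```shell
#!/bin/sh
# Added example, not the question's or answer's own script. Assumes a tshark
# with -z io,stat support and standard Wireshark TCP field names.

# Build the -z io,stat argument. Each "CALC(field) filter" element adds one
# column. Passing the whole string as a single argument is equivalent to the
# per-element double quotes used in the question.
io_stat_columns() {
    interval=${1:-1}
    cols="io,stat,$interval"
    # Columns from the question
    cols="$cols,COUNT(tcp.analysis.retransmission) tcp.analysis.retransmission"
    cols="$cols,COUNT(tcp.analysis.duplicate_ack) tcp.analysis.duplicate_ack"
    cols="$cols,COUNT(tcp.analysis.lost_segment) tcp.analysis.lost_segment"
    cols="$cols,COUNT(tcp.analysis.fast_retransmission) tcp.analysis.fast_retransmission"
    # RTT per interval: no variance calc exists, so record min, average and max
    cols="$cols,MIN(tcp.analysis.ack_rtt) tcp.analysis.ack_rtt"
    cols="$cols,AVG(tcp.analysis.ack_rtt) tcp.analysis.ack_rtt"
    cols="$cols,MAX(tcp.analysis.ack_rtt) tcp.analysis.ack_rtt"
    # Window tracking: the advertised receive window is what a capture exposes
    cols="$cols,MIN(tcp.window_size) tcp.window_size"
    cols="$cols,COUNT(tcp.analysis.zero_window) tcp.analysis.zero_window"
    cols="$cols,COUNT(tcp.analysis.window_full) tcp.analysis.window_full"
    # ECN signalling: CWR and ECE (tcp.flags.ecn in Wireshark) bits set
    cols="$cols,COUNT(tcp.flags.cwr) tcp.flags.cwr==1"
    cols="$cols,COUNT(tcp.flags.ecn) tcp.flags.ecn==1"
    printf '%s\n' "$cols"
}

# Read an io,stat table on stdin and print intervals whose retransmission
# count exceeds a threshold. Data rows contain "<>" between the interval
# bounds and cells are separated by "|"; $1 is the 1-based awk field number of
# the retransmission column (assumed layout: field 2 is the interval label,
# field 3 the first COUNT column), $2 the threshold.
flag_intervals() {
    col=$1
    threshold=${2:-10}
    awk -F'|' -v col="$col" -v thr="$threshold" '
        /<>/ {
            label = $2; gsub(/^[ \t]+|[ \t]+$/, "", label)
            v = $(col + 0); gsub(/[ \t]/, "", v)
            if (v + 0 > thr + 0) printf "%s retransmissions=%s\n", label, v
        }'
}

# Constructed sample rows approximating the io,stat table layout (not real
# tshark output). Column order: retransmissions, dup ACKs, lost, fast retrans.
sample_table() {
    cat <<'EOF'
| Interval        | COUNT | COUNT | COUNT | COUNT |
|------------------------------------------------|
| 0.000 <> 1.000 |     0 |     2 |     0 |     0 |
| 1.000 <> 2.000 |    14 |    31 |     3 |     9 |
| 2.000 <> 3.000 |     1 |     4 |     0 |     1 |
EOF
}

# Usage: ./tcp_io_stat.sh file.pcap [interval_seconds] [retrans_threshold]
if [ "$#" -ge 1 ]; then
    tshark -r "$1" -q -z "$(io_stat_columns "${2:-1}")" | flag_intervals 3 "${3:-10}"
fi
```

Run it with a capture to get only the intervals worth opening in Wireshark; drop the final pipe to see the full table, which also shows the real column order so you can adjust the index passed to flag_intervals.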