Re: [tlug] Slooooooow down: logs, smartctl, DNS?

[Mario De Tore <mariod410@example.com>]

On Mon, Jan 17, 2011 at 12:22 PM, Stephen J. Turnbull
<stephen@example.com> wrote:
> Mario De Tore writes:
>
>  > Well, a quick look didn't show anything out of the ordinary.  The vast
>  > majority of the traffic was SSH (as to be expected based on the setup
>  > you described).  About nine minutes in there was a handful of
>  > audioscrobbler-related DNS lookups. I didn't notice any obvious
>  > network health issues (excessive TCP fragementation, broadcast storms,
>  > etc).
>
> How often are you seeing sync packets for those SSH connections?  SSH
> is relatively expensive to set up and tear down, so if you're seeing a
> lot of SSH connections, that could explain a feeling of network
> conjection.
>
>
> --
> To unsubscribe from this mailing list,
> please see the instructions at http://lists.tlug.jp/list.html
>
> The TLUG mailing list is hosted by the award-winning Internet provider
> ASAHI Net.
> Visit ASAHI Net's English-language Web page: http://asahi-net.jp/en/
>

So, for roughly 10 minutes of traffic I'm only seeing two unique (and
concurrent) SSH streams.  I'm guessing one is the application and the
other is a shell based off the relative stream size (one is about 10
times bigger than the other).  Some oddities:

1. No TCP handshakes for the SSH - presumably the capture was started
after the sessions were established.
2. Based on Wireshark's sequence number analysis almost 40 packets of
SSH traffic are missing.  This could indicate a heavy CPU load on
whatever box the capture was done from.
3. The sequence numbers are all over the place (but generally progress
as expected) and there are a lot of duplicates;  this suggests some
kind of underlying issue with getting the packets from point A to
point B.  I've seen that happen before with a bad patch cable.

If you have the time and spare cable(s) it might be worth swapping out
a segment at a time.  If you are feeling really plucky you could also
ratchet down your MTU to try and improve throughput, but I advise
against that unless you are really comfortable playing around in that
area (lots of unintended consequences can arise).

I gave up on the NFS traffic for now.  All I could figure out is that
you have a very eclectic collection of music.  If I have some downtime
this week I'll look at it some more though.

None of this explains the large amount of TCP connections you reported
earlier though.  Was this capture from that same box?

Take it easy,
Mario