Computer networks
cascado, 2014-11-24 15:07:16

Why are ack packets duplicated?

Good afternoon. Recently, the performance of the network has fallen, specifically for the users of the RemoteApp and the network application; the symptom is terrible application lag. When analyzing the network with the Wireshark sniffer, it was found that 95% of the traffic is occupied by "TCP Dup ACK" packets between two virtual machines on one physical server, and strictly in one direction. IIS is deployed on the sending machine (both are Win 2008 R2 virtual machines), and the second is the RemoteApp application server. User traffic goes through exactly this route. Tell me what it could be, and in which direction to dig? Screenshot from Wireshark: https://yadi.sk/i/vrkwpQxPcu7Bc. Moreover, this behavior of the network occurs only when there is at least a minimal load on the application server, i.e. when employees are working. Thanks in advance.


2 answer(s)
throughtheether, 2014-11-24
@cascado

Offhand, I estimated the intensity of the traffic (duplicate ACK segments) at 2700 packets per second. In my opinion, this is too much for regular TCP operation. I tend to suspect an L2 loop. Observe the level of traffic on key links at the time of the problem. Also, please describe how the virtual network is organized between the hosts, how many network interfaces there are on each of the hosts, and how they are configured. How many physical interfaces are there on the physical server? How are they configured? How are the ports of the device it is connected to configured? Are there any other virtual hosts on this physical server?

Valentin, 2014-11-24
@vvpoloskin

The screenshot is closed. Maybe it's some kind of DDoS Trojan? Or maybe an L2 loop somewhere?
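
One way to test the L2-loop suggestion made in both answers against a capture, as an added example that is not part of the original thread: a duplicate ACK that TCP really sent is a new IP packet, while a looped or doubly captured frame repeats the same IPv4 ID. The record layout, sample values and function names are constructed, and the check assumes the sending host increments the IPv4 ID per packet.

```python
from collections import Counter

# Constructed sample: pure-ACK segments of one flow, as exported from a capture.
# Fields: (time_s, src, dst, ip_id, ack_number, payload_len)
SAMPLE = [
    (0.0000, "10.0.0.2", "10.0.0.1", 0x1A01, 1000, 0),  # first ACK for 1000
    (0.0004, "10.0.0.2", "10.0.0.1", 0x1A02, 1000, 0),  # dup ACK, new IP ID
    (0.0008, "10.0.0.2", "10.0.0.1", 0x1A03, 1000, 0),  # dup ACK, new IP ID
    (0.0010, "10.0.0.2", "10.0.0.1", 0x1A03, 1000, 0),  # same frame seen again
    (0.0012, "10.0.0.2", "10.0.0.1", 0x1A03, 1000, 0),  # same frame seen again
    (0.0100, "10.0.0.2", "10.0.0.1", 0x1A04, 2460, 0),  # ACK number advances
]

def classify_dup_acks(packets, window_s=1.0):
    """Count normal ACKs, TCP-generated dup ACKs and re-seen identical frames.

    window_s bounds the IP ID comparison, because the 16-bit ID wraps
    quickly at thousands of packets per second.
    """
    last_ack = {}   # flow -> last ACK number seen
    seen = {}       # (flow, ip_id, ack) -> time the packet was last seen
    counts = Counter()
    for t, src, dst, ip_id, ack, plen in packets:
        flow = (src, dst)
        key = (flow, ip_id, ack)
        if plen == 0 and last_ack.get(flow) == ack:
            prev = seen.get(key)
            if prev is not None and t - prev <= window_s:
                counts["frame_duplicate"] += 1  # identical packet on the wire twice
            else:
                counts["tcp_dup_ack"] += 1      # receiver sent another ACK
        else:
            counts["normal"] += 1
        last_ack[flow] = ack
        seen[key] = t
    return counts

def duplicate_share(counts):
    """Fraction of all ACKs that are re-seen frames rather than TCP dup ACKs."""
    total = sum(counts.values())
    return counts["frame_duplicate"] / total if total else 0.0

if __name__ == "__main__":
    c = classify_dup_acks(SAMPLE)
    print(dict(c), round(duplicate_share(c), 2))
```

A high `frame_duplicate` share points at the switching or capture path (loop, mirroring, capturing the same frame at two points), while a high `tcp_dup_ack` share points at loss or reordering that the receiver is reporting.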
