why majority of the network packets are small?

Unanswered Question
Apr 23rd, 2007

Hi forum,

My sniffer shows that majority of my network packets are are shorter frame length, what could be the cause of this? when I check my routers, I see lots of buffer misses centered more on the shorter frame length. Will it impact my network throughput, what could be the causes.

Thanks much,



Small buffers, 104 bytes (total 64, permanent 50, peak 174 @ 7w0d):

28 in free list (20 min, 150 max allowed)

118546478 hits, 8615 misses, 10959 trims, 10973 created

592 failures (0 no memory)

Middle buffers, 600 bytes (total 28, permanent 25, peak 76 @ 7w0d):

19 in free list (10 min, 150 max allowed)

10372783 hits, 791 misses, 1074 trims, 1077 created

151 failures (0 no memory)

Big buffers, 1536 bytes (total 50, permanent 50, peak 66 @ 2w0d):

49 in free list (5 min, 150 max allowed)

14616687 hits, 133 misses, 16 trims, 16 created

92 failures (0 no memory)

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (6 ratings)
leighharrison Tue, 04/24/2007 - 01:04

Hi there,

When you sniff the traffic, what kinds of packets are you getting? That does seem to be a lot of small packets, but then again, that could be the type of traffic that your network is sending.

If you could post a brief summary of the kind of traffic (perhaps nbar?), then I could advise a little better.

It will boil down to: either the network is experiencing more small packets that it should be (excess pings, arps, etc), in which case you'll need to have a look at the sources of the traffic. Or that kind of traffic is perfectly normal for your network and you'll need to tune your buffers to be more efficient.

Check out this link to have read up on the different numbers in the buffer tables:-


Best Regards,


** Please rate all posts **

paulnigel Tue, 04/24/2007 - 01:26

Hi LH,

Thanks much for the explanation. attached is the NBAR capture on my router.

I will go through the link to understand further.

Thank you very much,


leighharrison Tue, 04/24/2007 - 01:43

Hello again!

This looks like run of the mill traffic to me. I did notice that on s0/2/0 and on the other interfaces, the RTP traffic and the Telnet traffic was quite high - I'm guessing that you've got VoIP? These are quite small network packets, so it would seem that there is nothing too odd on your network (apart from the big lumps of Napster and edonkey on Fast 0/0!!).

I would look at tuning the buffers a little, there is a link on that last url I posted, which will take you to the Cisco best practice way of tuning them.

I would also look at putting in some network monitoring, so you can start base lining and analysing the traffic. For things like this, I would usually mirror the traffic on the F0/0 port that connects to the switch and then plug in some monitoring software. Some of the best open source (free AND great) stuff that I use is Ntop. Have a look at this link for more details and some pretty pictures:- http://www.ntop.org/overview.html

It runs best on linux, but if you're not a linux fan, then you can just download an NTOP VMware image from here:- http://www.vmware.com/vmtn/appliances/directory/334



** Please rate all posts **

paulnigel Tue, 04/24/2007 - 15:52

Hi LH,

You are really a helpful guy.

Thanks for the link too, I will try that out.

For the Napster and edonkey, the traffic comes from my windows domain controller, I cannot find the software being installed on the machine, generally what could be the cause of this?

Thanks much,


leighharrison Wed, 04/25/2007 - 01:09

Hey fella,

It could be a red herring.

If you issue the command "show ip nbar port-map" it will tell you how it's recognising the different protocols.

It could just be a coincidence that the traffic is hitting those specific ports that the router believes is kazaa etc.

If you've had a look and it's not there, then it's probably fine!

Best Regards,


** Please rate all posts **


This Discussion