drastic unicast increase

Unanswered Question
Dec 20th, 2008
User Badges:

I have a increased utilisation of routers in my network (7200). In debuging process I've found out increased unicast number of packets. TReffic expressed in bps is the same as before, but number of packets is increased. Any advice on how could I try to find out what is the problem?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3 (3 ratings)
Loading.
Giuseppe Larosa Sun, 12/21/2008 - 03:17
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

Hello Dragan,

you need to track ip flows and to find out the ones using small packets I would suggest to enable netflow.


see


http://www.cisco.com/en/US/docs/ios/netflow/configuration/guide/get_start_cfg_nflow_ps6017_TSD_Products_Configuration_Guide_Chapter.html


Another idea is to see if there has been any change on the application servers and clients software in last times.

I suppose you are using DLSW and other CPU intensive traffic types.

DLSW over TCP encapsulation can send multiple frames inside a single IP packet for example.


Hope to help

Giuseppe


dragec Sun, 12/21/2008 - 03:25
User Badges:

hi


I have netflow enabled, but my netflow collector does not show me much about packet per flow analysis. I can see drastic increase of unicast packets with traffic amount on same level.


br

Joseph W. Doherty Mon, 12/22/2008 - 04:07
User Badges:
  • Super Bronze, 10000 points or more

If it's just one host, not easily.


You might check average packet sizes on your various interfaces.


You might look at IP flow cache summary stats.


You might be able to tell via netflow stats.


Don't recall for sure, but also IP accounting stats might help too.


In all the above you're looking for flows that don't get above a packet size of about 576. If they don't bulk TCP transmissions will send about 3x the number of packets for each 1500 byte [std.] Ethernet packet.

dragec Wed, 12/24/2008 - 00:44
User Badges:

anyhow, I've found source of problem, using netflow to pinpoint suspect source of unicast packets increase, the using net capture to analyse traffic, found it, solve it. Thanks for your replys, to both of you


br

Giuseppe Larosa Wed, 12/24/2008 - 05:34
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

Hello Dragan,

it is kind of you to report the happy end of the case and the methodology you used to find out the source of small packets.


This can help somebody else with a similar issue.


There is also an optional flag to mark as solved a question that can help to show the case is a complete story when looking at the list of threads


Its usage is discretionary but it is meaningful.


Best Regards

Giuseppe


Actions

This Discussion