[lug] Dropped packet question

David Frye dafr at dafr.us
Fri Sep 27 10:20:07 MDT 2013


What does 'netstat -s <interface>' show?

If packets are being dropped, it may have additional information there not shown with ifconfig.


On Sep 26, 2013, at 8:53 AM, Chip Atkinson wrote:

> Thanks.  I'm not seeing errors or dropped packets in ifconfig, which is
> kind of weird, isn't  it?  If ping reports dropped packets, wouldn't that
> droppage appear in the output of ifconfig?  
> 
> On Fri, 27 Sep 2013, Dan Ferris wrote:
> 
>> Start with something easy.  Check ifconfig and see if there are errors 
>> on the interface.  If so, then start by checking hardware. You could 
>> have a bad cable, bad nic, bad switch port, or a duplex mismatch.
>> 
>> Dan
>> 
>> On 9/27/2013 9:31 AM, Davide Del Vento wrote:
>>> Since you control the server, don't the logs tell you something about
>>> the dropped packets? Since you don't see drops with the netbook, you
>>> can rule out the rest of the network: it must be the server box.
>>> 
>>> It may be dropping packets for a variety of reasons, just to mention a
>>> couple of stupid ones: a defective network card or too high CPU load.
>>> 
>>> Cheers,
>>> Davide
>>> 
>>> On Thu, Sep 26, 2013 at 8:48 AM, Chip Atkinson <chip at pupman.com> wrote:
>>>> Greetings all,
>>>> 
>>>> Due to the recent flooding I had to change data centers from my parents'
>>>> basement to mine, which resulted in re-doing my network.
>>>> 
>>>> Now that I've moved and re-IPed the server, I'm seeing large numbers of
>>>> dropped packets, slow ping times, basic network malaise.  I've been
>>>> running a series of 100 pings 5 sec apart and then looking at the reported
>>>> loss figures.
>>>> 
>>>> With comcast's help, I believe that we've eliminated them and their
>>>> hardware.
>>>> 
>>>> I put a small linux netbook on the network in place of the server and was
>>>> able to ping it from outside (vpn to work and out from there) and the
>>>> ping response time and dropped packets were basically gone.  Besides being
>>>> newer hardware and OS, the netbook had no services (web, dns, email).
>>>> 
>>>> I then connected the server and see the dropped packet and slow ping time
>>>> issue again.
>>>> 
>>>> I was using tcpdump and noticed that a large portion of the traffic is DNS
>>>> lookups:
>>>> 
>>>> 08:42:23.411809 IP (tos 0x0, ttl  64, id 42252, offset 0, flags [+],
>>>> length: 1500) 173.14.7.2.53 > 108.174.149.7.2305:  13490| 250/0/1
>>>> bitstress.com. SOA[|domain]
>>>> 08:42:23.411817 IP (tos 0x0, ttl  64, id 42252, offset 1480, flags [+],
>>>> length: 1500) 173.14.7.2 > 108.174.149.7: udp
>>>> 08:42:23.411822 IP (tos 0x0, ttl  64, id 42252, offset 2960, flags [none],
>>>> length: 1150) 173.14.7.2 > 108.174.149.7: udp
>>>> 
>>>> Googling found this:
>>>> http://dnsamplificationattacks.blogspot.com/2013/09/domain-bitstresscom.html
>>>> 
>>>> My question is whether or not the dns traffic could be responsible for all
>>>> the dropped network packets or should I start looking elsewhere for the
>>>> problem?
>>>> 
>>>> I switched network interfaces and took the original server network
>>>> interface off the network, thinking that it could be broadcasting a bunch
>>>> of noise but still am seeing packet losses, though perhaps not as severe.
>>>> 
>>>> 
>>>> Thanks in advance for any insight and help.
>>>> 
>>>> Chip
>>>> 
>>>> 
>>>> _______________________________________________
>>>> Web Page:  http://lug.boulder.co.us
>>>> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>>>> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety
>>> _______________________________________________
>>> Web Page:  http://lug.boulder.co.us
>>> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>>> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety
>> 
>> _______________________________________________
>> Web Page:  http://lug.boulder.co.us
>> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety
>> 
> 
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety


--
David
dafr at dafr.us



More information about the LUG mailing list