
James Harper <james.harper@bendigoit.com.au> writes:
Packet loss? --
I can't tell for sure. There are definitely some packets being dropped as seen from SACK packets, but that's expected with inbound policing, and the missing packets are resent in a timely fashion.
I'd have to capture quite a lot of packets to see the problem though so I haven't been able to analyse it properly at this time.
Making a capture is definitely worth the trouble -- even a large capture is going to be 10s or 100s of MB, especially if you filter it at the libpcap level before you write it out. Also worth glancing at "ip -s l" for anything out of the ordinary.

I don't have any specific advice, but I've recently learnt about the tshark (Wireshark) -z switch to generate stats, and it's handy when I don't already know what to look for. There are a bunch of other things mentioned in Practical Packet Analysis (No Starch Press), but the only other one I can remember just now is to toggle the time field between time-since-capture-start and time-since-last-packet, which would make it easy to quickly spot where the gap is.

(Re the book, I'd say it's useful to read once, to discover Wireshark features, but not worth keeping as a reference text if you already have a good understanding of TCP, IP, UDP, DHCP, DNS, HTTP &c.)
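The time-since-last-packet view suggested above can also be computed offline from a saved capture. The following is an added example, not part of the original message: it reads a classic pcap file (pcapng is not handled), ranks frames by the delay since the previous packet, and tolerates a capture that was cut off mid-record. The function names and the embedded five-frame sample capture are constructed for illustration.

```python
import struct

# Classic pcap magic as it appears on disk -> (byte order, timestamp fraction divisor)
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 10**6), b"\xa1\xb2\xc3\xd4": (">", 10**6),  # microseconds
    b"\x4d\x3c\xb2\xa1": ("<", 10**9), b"\xa1\xb2\x3c\x4d": (">", 10**9),  # nanoseconds
}

def packet_times(data):
    """Return per-packet timestamps (float seconds) from classic pcap bytes."""
    if len(data) < 24 or data[:4] not in MAGICS:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    order, div = MAGICS[data[:4]]
    times, off = [], 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        sec, frac, incl_len, _orig = struct.unpack_from(order + "IIII", data, off)
        off += 16 + incl_len
        if off > len(data):
            break  # capture was cut off mid-packet; ignore the partial record
        times.append(sec + frac / div)
    return times

def largest_gaps(times, top=3):
    """Rank frames by time since the previous packet (the delta time view).
    Returns (delta, frame_number, seconds_since_capture_start), largest first."""
    rows = [(times[i] - times[i - 1], i + 1, times[i] - times[0])
            for i in range(1, len(times))]
    return sorted(rows, reverse=True)[:top]

def build_sample():
    """Constructed capture: five 4-byte dummy frames with a 3 s stall before frame 4."""
    stamps = [(100, 0), (100, 250000), (100, 500000), (103, 500000), (103, 750000)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, usec in stamps:
        out += struct.pack("<IIII", sec, usec, 4, 4) + b"\x00" * 4
    return out

if __name__ == "__main__":
    for delta, frame, since_start in largest_gaps(packet_times(build_sample())):
        print(f"frame {frame}: {delta:.3f}s after previous packet, "
              f"{since_start:.3f}s into capture")
```

The reported frame numbers are 1-based, so they can be looked up directly in the Wireshark packet list for the same file.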