How passively monitor for tcp packet loss? (Linux)

How can I passively monitor the packet loss on TCP connections to/from my machine?

Basically, I'd like a tool that sits in the background and watches TCP ack/nak/re-transmits to generate a report on which peer IP addresses "seem" to be experiencing heavy loss.

Most questions like this that I find of SF suggest using tools like iperf. But, I need to monitor connections to/from a real application on my machine.

Is this data just sitting there in the Linux TCP stack?


Solution 1:

For a general sense of the scale of your problem netstat -s will track your total number of retransmissions.

# netstat -s | grep retransmitted
     368644 segments retransmitted

You can aso grep for segments to get a more detailed view:

# netstat -s | grep segments
         149840 segments received
         150373 segments sent out
         161 segments retransmitted
         13 bad segments received

For a deeper dive, you'll probably want to fire up Wireshark.

In Wireshark set your filter to tcp.analysis.retransmission to see retransmissions by flow.

That's the best option I can come up with.

Other dead ends explored:

  • netfilter/conntrack tools don't seem to keep retransmits
  • stracing netstat -s showed that it is just printing /proc/net/netstat
  • column 9 in /proc/net/tcp looked promising, but it unfortunately appears to be unused.

Solution 2:

These stats are in /proc/net/netstat and collectl will monitor them for you either interactively or written to disk for later playback:

[root@poker ~]# collectl -st
waiting for 1 second sample...
#<------------TCP------------->
#PureAcks HPAcks   Loss FTrans
        3      0      0      0
        1      0      0      0

Of course, if you'd like to see then side-by-side with network traffic, just include n with -s:

[root@poker ~]# collectl -stn
waiting for 1 second sample...
#<----------Network----------><------------TCP------------->
#  KBIn  PktIn  KBOut  PktOut PureAcks HPAcks   Loss FTrans
      0      1      0       1        1      0      0      0
      0      1      0       1        1      0      0      0

Solution 3:

You can use the ss tool to get detailed TCP statistics:

$ /sbin/ss -ti

Under Debian, use apt-get install iproute to get the binary.

Solution 4:

It looks like some guys at the University of North Carolina (UNC) built a utility to investigate exactly this:

Methodology

TCP is a classic example of a legacy protocol that gets subject to modifications. Unfortunately, evaluation of something as fundamental as TCP's loss detection/recovery mechanism is not comprehensive. Our aim is to perform a complete realistic evaluation of TCP losses and its impact on TCP performance.

I rely on passive analysis of real-world TCP connections to achieve the required level of detail and realism in my analysis.

http://www.cs.unc.edu/~jasleen/Research-passivetcp.htm#Tool

Tool

The purpose of the tool is to provide more complete and accurate results for identifying and characterizing out-of-sequence segments than those provided by prior tools such as tcpanaly, tcpflows, LEAST, and Mystery. Our methodology classifies each segment that appears out-of-sequence (OOS) in a packet trace into one of the following categories: network reordering or TCP retransmission triggered by one of timeout, duplicate ACKs, partial ACKs, selective ACKs, or implicit recovery. Further, each retransmission is also assessed for whether it was needed or not.

I won't say it is production quality. Previously I've built quick perl scripts to store ip/port/ack tuples in memory and then report on duplicated data from scanning pcap output, this looks like it provides more thorough analysis.

Solution 5:

You may want to look at the dropwatch utility.