How passively monitor for tcp packet loss? (Linux)
How can I passively monitor the packet loss on TCP connections to/from my machine?
Basically, I'd like a tool that sits in the background and watches TCP ack/nak/re-transmits to generate a report on which peer IP addresses "seem" to be experiencing heavy loss.
Most questions like this that I find of SF suggest using tools like iperf. But, I need to monitor connections to/from a real application on my machine.
Is this data just sitting there in the Linux TCP stack?
Solution 1:
For a general sense of the scale of your problem netstat -s will track your total number of retransmissions.
# netstat -s | grep retransmitted
368644 segments retransmitted
You can aso grep for segments to get a more detailed view:
# netstat -s | grep segments
149840 segments received
150373 segments sent out
161 segments retransmitted
13 bad segments received
For a deeper dive, you'll probably want to fire up Wireshark.
In Wireshark set your filter to tcp.analysis.retransmission to see retransmissions by flow.
That's the best option I can come up with.
Other dead ends explored:
- netfilter/conntrack tools don't seem to keep retransmits
- stracing
netstat -sshowed that it is just printing/proc/net/netstat - column 9 in /proc/net/tcp looked promising, but it unfortunately appears to be unused.
Solution 2:
These stats are in /proc/net/netstat and collectl will monitor them for you either interactively or written to disk for later playback:
[root@poker ~]# collectl -st
waiting for 1 second sample...
#<------------TCP------------->
#PureAcks HPAcks Loss FTrans
3 0 0 0
1 0 0 0
Of course, if you'd like to see then side-by-side with network traffic, just include n with -s:
[root@poker ~]# collectl -stn
waiting for 1 second sample...
#<----------Network----------><------------TCP------------->
# KBIn PktIn KBOut PktOut PureAcks HPAcks Loss FTrans
0 1 0 1 1 0 0 0
0 1 0 1 1 0 0 0
Solution 3:
You can use the ss tool to get detailed TCP statistics:
$ /sbin/ss -ti
Under Debian, use apt-get install iproute to get the binary.
Solution 4:
It looks like some guys at the University of North Carolina (UNC) built a utility to investigate exactly this:
Methodology
TCP is a classic example of a legacy protocol that gets subject to modifications. Unfortunately, evaluation of something as fundamental as TCP's loss detection/recovery mechanism is not comprehensive. Our aim is to perform a complete realistic evaluation of TCP losses and its impact on TCP performance.
I rely on passive analysis of real-world TCP connections to achieve the required level of detail and realism in my analysis.
http://www.cs.unc.edu/~jasleen/Research-passivetcp.htm#Tool
Tool
The purpose of the tool is to provide more complete and accurate results for identifying and characterizing out-of-sequence segments than those provided by prior tools such as tcpanaly, tcpflows, LEAST, and Mystery. Our methodology classifies each segment that appears out-of-sequence (OOS) in a packet trace into one of the following categories: network reordering or TCP retransmission triggered by one of timeout, duplicate ACKs, partial ACKs, selective ACKs, or implicit recovery. Further, each retransmission is also assessed for whether it was needed or not.
I won't say it is production quality. Previously I've built quick perl scripts to store ip/port/ack tuples in memory and then report on duplicated data from scanning pcap output, this looks like it provides more thorough analysis.
Solution 5:
You may want to look at the dropwatch utility.