5

TCP retransmission rates on a host are often a good indicator of network problems. How do I find out the source and destination IPs for the packets that are being retransmitted?

For context, on hosts that have sar installed, one can see the re-transmission rates like so:

sar -n ETCP

10:11:02 AM  atmptf/s  estres/s retrans/s isegerr/s   orsts/s
10:12:01 AM      0.07      1.95      0.08      0.00      1.18
10:13:01 AM      0.07      1.30      0.02      0.00      0.83
10:14:01 AM      0.07      1.40      0.02      0.00      0.85
  • 1
    I'll take a script that does f=/sys/kernel/debug/tracing/events/skb/tcp_retransmit_skb/enable; echo 1 > $f; sleep 10; echo 0 > $f and then parses /sys/kernel/debug/tracing/trace – Aleksandr Levchuk Aug 03 '13 at 00:10
  • http://www.brendangregg.com/blog/2014-09-06/linux-ftrace-tcp-retransmit-tracing.html – ygrek Oct 15 '15 at 02:49

1 Answer

6

To find the source and destination IP addresses you could do

tshark -Y "tcp.analysis.retransmission" -Tfields -e ip.src -e ip.dst

(or use -R in older versions of 'tshark') but this won't give you the "retransmission rate". I have to say that the "retransmission rate" on its own is not a good metric for network problems unless you know the reasons for the retransmissions. Wireshark can help a bit, but it takes some manual processing to find the root cause, usually.
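The following sketch is an added example, not part of the answer above: it extends the same tshark field output with the `tcp.analysis.retransmission` field so that each source/destination pair gets a retransmission count and its share of the captured TCP segments. The function names and the sample rows are constructed for illustration, and it assumes tshark prints a non-empty value in the third column when the retransmission flag is set.

```shell
#!/bin/sh
# Added example: per-pair retransmission summary from tshark field output.

# Reads tab-separated rows "ip.src <TAB> ip.dst <TAB> tcp.analysis.retransmission"
# on stdin and prints "src dst retrans total pct" for every pair that has at
# least one retransmission, highest retransmission count first.
retrans_by_pair() {
    awk -F '\t' '
        # Rows without IPv4 addresses (for example IPv6 traffic) are skipped.
        $1 == "" || $2 == "" { next }
        {
            k = $1 " " $2
            total[k]++
            # Assumption: a non-empty third column means the segment was flagged.
            if ($3 != "") re[k]++
        }
        END {
            for (k in total)
                if (re[k] > 0)
                    printf "%s %d %d %.1f\n", k, re[k], total[k], 100 * re[k] / total[k]
        }' | sort -k3,3nr -k1,1 -k2,2
}

# Runs tshark over a capture file (path supplied by the caller) and summarises it.
retrans_from_pcap() {
    tshark -r "$1" -Y tcp -T fields \
        -e ip.src -e ip.dst -e tcp.analysis.retransmission | retrans_by_pair
}

# Constructed sample rows in the same layout tshark would emit.
sample_rows() {
    printf '%s\t%s\t%s\n' \
        10.0.0.5 10.0.0.9 "" \
        10.0.0.5 10.0.0.9 1 \
        10.0.0.9 10.0.0.5 "" \
        10.0.0.5 10.0.0.9 1 \
        10.0.0.7 192.0.2.10 "" \
        10.0.0.7 192.0.2.10 "" \
        10.0.0.9 10.0.0.5 "" \
        10.0.0.7 192.0.2.10 1 \
        10.0.0.5 10.0.0.9 "" \
        10.0.0.7 192.0.2.10 "" \
        "" "" 1 \
        10.0.0.9 10.0.0.5 "" \
        10.0.0.7 192.0.2.10 ""
}

# Demonstration on the constructed rows; no capture file or tshark needed.
sample_rows | retrans_by_pair
```

The percentage is relative to the segments present in the capture, so it is only comparable to the `sar` figures if the capture covers the same interval and interface.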