Network Traffic

I put a sniffer on my network just to see what things look like. I noticed that I have a lot of traffic going on between a client pc and my file server. I'm getting a lot of "TCP DUP ACK" messages going from the client to the server. Can anyone suggest what might be causing this? Could it be a bad driver on the client side, or could the NIC itself be going bad?

Thanks
Eric

 

Hi Eric and welcome to the forum.

All the dup ack packets are certainly not a good thing and could be from either source you mention. They could also be from a number of other causes such as an infected PC trying for a DOS attack. If it's only the one PC then probably not an issue with the server or other piece of your network hardware.

First thing I'd try is replacing the NIC in the problem PC. If that fails, a packet capture and posting the results on an available web site would help. Get a few dozen of those critters and put them where they can be examined in some detail then post the link.

 

I will betcha that you are using ethereal to read those traces.

What you are seeing is almost certainly perfectly normal behavior, its called TCP keep alive. All windows platforms will do this a lot. On an open socket, they will send a 'duplicate' ack to keep the socket open, but not send any data. Some protocol analyzers misinterpet that as a dupe ack.

In order to find out if the data is showing you a true duplicate or a keep alive, you need to filter out the traffic to the IP and SRC/DEST ports so you can examine the data stream, with time offsets. If you watch the time, ill bet you see data data data dupeack dupeack data data data data data dupeack dupeack.

Another way to verify it would be to take a 'client side' and a matching 'server side' trace, line up the packets, and look for a delta, an ACK not making it on one side or the other. Tedious work.

You also may want to look at using the microsoft Network Monitor, which has an 'expert' for looking for duplicate packets.

If you find that you are getting packet loss/ true dupelicate packets, dropped acks etc, i'd agree with newts recommended course of action

 

On an open socket, they will send a 'duplicate' ack to keep the socket open, but not send any data. Some protocol analyzers misinterpet that as a dupe ack.

Thanks Joe. Didn't realize they would show up that way.

I do wonder though if only a single machine is spawning lots of the things ....

 

Thanks for the replies. I have looked at some other segments of our network and am seeing the same thing going on with the Dup Acks. You are correct I am using ethereal since it is free. Monitoring the network traffic is new to me, so I'm seeing a lot of this for the first time.

Do either of you know of any good documentation for network monitoring as far as what to kind of look out for? I know that every network is going to look different and it will just take sometime, but since I'm new to it I could use any help that I can get.

Thanks again for the replies.
Eric

 

Try http://netsecurity.about.com/cs/hackertools/a/aa121403.htm

 

Thanks for the link Newt.