How to identify microburst congestion with Wireshark

Other than show port congestion, there is no show output that can be used to prove a microburst. If you can make a capture, you can show the microburst in a Wireshark IO graph. Set the Tick Interval to 0.001 seconds and the Y Axis unit to bits/Tick. If the value exceeds the bandwidth (remember to recalculate the Mbits to bits per 0.001 second), you will see it on this graph.

  • EXOS
Identify an interface that has incremental output drops. For example, you notice output drops on a 1G link while the average utilization of the link is only 150Mb.
Configure an egress mirror on the switch in order to capture transmitted (TX) traffic. In order to capture this traffic, connect a PC that runs Wireshark and capture packets at the mirror destination port.

create mirror <MIRROR_NAME>
configure mirror <MIRROR_NAME> to port <PORT>
configure mirror <MIRROR_NAME> add port <PORT> egress
enable mirror <MIRROR_NAME>

Open the captured file in Wireshark and plot an IO graph.

At the default scale, it appears that there is no bursty traffic. However, one second is a very large interval when you consider the rate at which buffering and packet switching happens. In a period of one second, a 1 Gb/s link can accommodate 1000 Mb of traffic across the interface in a neatly-shaped profile with a minimum need to buffer any packet.

However, if a major portion of this traffic attempts to leave the interface in a fraction of a second, the switch needs to extensively buffer packets and drop them when the buffers are full. If you make the scales more granular, you see a more accurate picture of the actual traffic profile. Change the Y-axis to bits/tick because interfaces show output rates in bits/sec.
Link speed is 1 Gb/s
               = 1,000,000,000 bits/s
               = 1,000,000 bits/0.001 s

Recalculate the scales on the X and Y axes. Set the X-axis tick interval to 0.001 sec and the Y-axis unit to bits/tick.

Scroll through the graph in order to identify bursts. In this example, you can see that there is a burst of traffic that exceeded 1,000,000 bits on a 0.001 second scale. This confirms that traffic is bursty at the sub-second level and is expected to be dropped by the switch once the buffers that absorb these bursts are full.

Click on the traffic spike on the graph in order to view that packet in the Wireshark capture. The capture analysis is a useful way to discover what traffic constitutes the burst.

With the information that you captured above you will be able to develop a further Plan of Action.
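
The same check done outside the Wireshark GUI, as an added example that is not part of the original article: a Python script that reads a classic pcap file, sums frame bits per 0.001 s tick, and reports the ticks that exceed what the link can carry in one tick. The function names, the 1 Gb/s default and the sample capture are assumptions constructed for illustration.

```python
import struct
from collections import Counter

# First 4 file bytes -> (struct byte order, timestamp fraction units per second)
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 10**6), b"\xa1\xb2\xc3\xd4": (">", 10**6),
    b"\x4d\x3c\xb2\xa1": ("<", 10**9), b"\xa1\xb2\x3c\x4d": (">", 10**9),
}

def find_microbursts(pcap, link_bps=1_000_000_000, tick_us=1000):
    """Return [(tick_index, bits)] for every tick carrying more bits than the link
    can send in one tick. Ticks are counted from the first packet, as in the IO graph."""
    if pcap[:4] not in MAGICS:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    order, units = MAGICS[pcap[:4]]
    bits, pos, first = Counter(), 24, None       # 24-byte global header
    while pos + 16 <= len(pcap):                  # 16-byte per-packet header
        sec, frac, incl, orig = struct.unpack_from(order + "IIII", pcap, pos)
        pos += 16 + incl                          # skip the captured bytes
        ts_us = sec * 10**6 + frac * 10**6 // units
        if first is None:
            first = ts_us
        # orig is the on-wire frame length, even if the capture was truncated
        bits[(ts_us - first) // tick_us] += orig * 8
    limit = link_bps * tick_us // 10**6           # 1 Gb/s -> 1,000,000 bits per 0.001 s
    return [(t, b) for t, b in sorted(bits.items()) if b > limit]

def build_sample_pcap():
    """Constructed capture: one 1500-byte frame per ms for 10 ms, plus 99 extra
    frames squeezed into tick 5 (payloads truncated to 16 zero bytes)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    frames = [(ms * 1000, 1500) for ms in range(10)]
    frames += [(5000 + i * 5, 1500) for i in range(1, 100)]
    for usec, length in sorted(frames):
        out += struct.pack("<IIII", 1700000000, usec, 16, length) + bytes(16)
    return out

if __name__ == "__main__":
    sample = build_sample_pcap()
    for tick, nbits in find_microbursts(sample):
        print(f"tick {tick} (+{tick / 1000:.3f} s): {nbits} bits, above 1 Gb/s")
    # At a 1 second tick the same capture shows nothing above the line rate.
    print("1 s ticks over limit:", find_microbursts(sample, tick_us=1_000_000))
```

For a real capture, pass the file contents with `open(path, "rb").read()`; a capture saved as pcapng has to be converted to classic pcap first.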
