Using TCP Error Control for Troubleshooting

In the last post we mentioned using some of the error control features of TCP to help solve problems with a slow network. Although these features are a very useful resource for troubleshooting, they can get a little confusing for those with less experience. So let’s try to put some of these features into context to start your troubleshooting journey.

Retransmission Packets

First, consider why retransmissions occur. They happen when a client detects that the data it is sending is not being received properly. Remember to consider where you are capturing your data from when looking for them. If you were capturing traffic at the problem end, say the server which wasn’t receiving the data, then you may not actually see these retransmission packets until you looked at the client-side traffic. This is why, when you try to analyse an entire network, you should start by finding a mirrored port on a central switch or hub, which will give you access to the majority of traffic. Sometimes you will first suspect the existence of these packets and then need to go and look for them, perhaps at the client end.

Duplicate ACK Packets

In some senses these are clues that the opposite side of the connection is at fault. These duplicate ACKs are normally seen coming from the server side of a connection, because the server has detected that a packet it was expecting from a client has been lost in transit. You should be able to see them from both sides of the connection if your network capture covers all the data. These packets are created in one specific circumstance: when packets of data are being received in the wrong sequence. Networks with high latency and intermittent problems will often cause these packets to appear. Consider the issue: data is being sent and received, but sometimes individual packets are being lost or delayed, creating these out-of-sequence acknowledgements.

Sliding Window Related

Packets that contain changes to the buffer size, and keep-alive packets related to the TCP sliding window mechanism, are usually related to the server’s inability to receive and process data in a timely manner. Normally you wouldn’t see these packets on a fast, functioning network. Very often they are not actually related to the network at all, but to some issue with the server’s ability to receive and process data quickly enough. Often you will see these with hardware failures or perhaps someone overloading the server. An example is when people use their RAS server to access region-locked content, which is typically video or multimedia.

A server can be brought to its knees very quickly if it is expected to process data it is not designed for – read this article on people using a VPN to bypass the Netflix blocks. A server will start sending these packets in order to reduce the amount of data it is being sent, so when you see these packets, look at the server first. A look at the hardware error logs or the current connections will usually give some insight into the reason these packets are being spotted on the wire.
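
The three packet types described above (retransmissions, duplicate ACKs and zero-window advertisements from the sliding window mechanism) can be picked out of a capture with a few comparisons. The following is an added example, not part of the original post: a simplified Python classifier run over a constructed list of segments, where the `Seg` fields, the function names and the sample values are all assumptions made for illustration.

```python
from collections import Counter, namedtuple
# One captured TCP segment: sender, sequence no., ack no., payload bytes, advertised window
Seg = namedtuple("Seg", "src seq ack length window")

def classify(segments):
    """Label each segment with the TCP error or flow-control events it shows."""
    next_seq = {}  # per sender: highest byte sent so far (seq + length)
    last_ack = {}  # per sender: (ack, window) of its previous pure ACK
    labels = []
    for s in segments:
        found = []
        if s.length > 0:
            # Data lying entirely below what this sender already sent is a resend.
            if s.seq + s.length <= next_seq.get(s.src, 0):
                found.append("retransmission")
            next_seq[s.src] = max(next_seq.get(s.src, 0), s.seq + s.length)
            last_ack.pop(s.src, None)  # data breaks a run of pure ACKs
        else:
            # A pure ACK repeating the previous ack number and window is a duplicate.
            if last_ack.get(s.src) == (s.ack, s.window):
                found.append("duplicate-ack")
            last_ack[s.src] = (s.ack, s.window)
        if s.window == 0:
            found.append("zero-window")
        labels.append(found)
    return labels

def summarise(segments):
    """Count events per sender: shows which end of the connection to look at."""
    counts = Counter()
    for seg, found in zip(segments, classify(segments)):
        counts.update((seg.src, label) for label in found)
    return dict(counts)

# Constructed sample, as seen from a capture at the client end (not real traffic).
SAMPLE = [
    Seg("client", 1000, 1, 100, 8192),
    Seg("client", 1100, 1, 100, 8192),  # lost in transit after the capture point
    Seg("client", 1200, 1, 100, 8192),
    Seg("server", 1, 1100, 0, 4096),    # acknowledges bytes up to 1100
    Seg("server", 1, 1100, 0, 4096),    # duplicate ACK: 1200 arrived out of sequence
    Seg("client", 1300, 1, 100, 8192),
    Seg("server", 1, 1100, 0, 4096),    # duplicate ACK again
    Seg("client", 1100, 1, 100, 8192),  # retransmission of the lost segment
    Seg("server", 1, 1400, 0, 0),       # zero window: server buffer is full
]

if __name__ == "__main__":
    print(summarise(SAMPLE))
```

In this sample the duplicate ACKs and the zero window come from the server while the retransmission comes from the client, which matches the advice above about which end to investigate for each packet type.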

Further Reading

About Residential VPN Services – http://www.theninjaproxy.org/technology/is-a-residential-vpn-service-essential-now/

Solving a Slow Network Problem

There’s nothing more frustrating than having to waste loads of your working day because of a slow network. It’s one of the most frustrating IT-related problems because it’s pretty much all-encompassing: from logging in, to sending emails and downloading documents, those extra seconds turn into minutes and hours over the weeks. If you think that these problems aren’t important, remember that the underlying issues that cause them rarely improve; they usually get much worse. I have seen networks where it literally takes 30 minutes to log in to a machine, where people are forced to go and do something else simply because their network takes so long to authenticate their username and password.

Slow Network?

The problem, though, is that troubleshooting these issues can be extremely difficult; after all, if it was simple someone would have solved it already! One of the common causes of slow networks is packet loss, which can be caused by a variety of reasons. Investigating this will require access to any mirror or SPAN ports on the network (which will allow access to all traffic) and a laptop or device with a simple packet analyser. This doesn’t have to be anything complicated or expensive; in fact many of the top professionals in this field simply use a free program called Wireshark (previously known as Ethereal).

Then it’s time to start capturing that traffic and looking for the source of the problems. One of the first things you should do is look for TCP error and flow control packets on the network. TCP has quite an extensive error control system built into the protocol, and any slow network is likely to show many of these packets. For example, on slow networks with possible hardware problems you will see lots of retransmission packets, where data is resent because it is not being delivered. You’ll also come across duplicate ACKs and the sliding window mechanism of TCP, which starts limiting the amount of data sent in packets because of non-delivery. Try to focus on these error messages, as they will lead you to the possible source of the problems.

Keep an open mind because sometimes the cause may not be immediately obvious and/or related. I once saw a very slow network which actually appeared to cure itself! What was happening was that people were using the remote access server to stream videos from Netflix using their corporate laptops and flooding the network with traffic. Suddenly it all got better and we discovered it was due to the fact that Netflix started blocking VPNs and commercial addresses like this article describes, which solved our issue.

Remember there are two sides to any connection: the client which is transmitting and the destination device which is receiving. Try to keep this in mind as you follow the flow of traffic; it’s two-sided communication, and the devices at each end of the connection will both transmit and receive as part of the process. Using the error control messages from TCP/IP won’t always help you identify the causes of a slow network, but they are useful in identifying problems with faulty hardware or applications existing on the network.

Further Reading:

Return of US DNS Netflix – http://www.onlineanonymity.org/proxies/the-return-of-us-dns-netflix/

Commercial Versus Residential IP Address

You’d think there wasn’t much difference in that little number that is assigned to your internet connection, but unfortunately that’s not the case. Many of us already know the importance of our IP address and how it affects virtually everything we do online.

The reality is that your IP address does affect your online experience although to what extent largely depends on your physical location.  For example Chinese surfers already realise that their internet connections are heavily filtered and censored and many have found methods around the ‘great firewall of China’.   For those who live in Western democracies the restrictions are less obvious but they do exist.

Residential IP Address

A very simple example: ever since the BBC started broadcasting most of their channels online live, I’ve been in the habit of watching the BBC News on my laptop. It means I’m not tied to a TV set and potentially I can watch it from wherever I am. Except this isn’t the case, because if you try to watch any of the BBC’s channels online from outside the UK it won’t work. It detects your non-UK IP address and redirects you to an international version of the site which doesn’t allow access to any of the live programmes or BBC iPlayer.

The Essential Residential IP Address

The solution is relatively straightforward though: simply use a VPN or proxy to hide your real location. All you need to do is redirect through a server based in the UK and you’ll effectively have a British IP address. So that’s it – it was so simple, but unfortunately the game has now changed again.

You see, not only does your IP address have a ‘nationality’ assigned to it, there’s a further classification: residential or commercial. Every IP address, including those assigned to VPN services, is grouped into one of those two categories. The residential classification is assigned to home addresses, which you usually get from your ISP, whilst web sites and services usually have the commercial classification. Until recently this didn’t matter, yet now it’s become very important whether you’re using a residential VPN like this for example.

Because all these global media services don’t like people using VPNs and stuff to bypass all their blocks, they’ve decided to take another step. Instead of just restricting based on location, companies like Netflix are now blocking all commercial IP addresses as well. This means not only will you not be allowed access from something like a corporate network, but if you use a VPN or Smart DNS service you’ll find them blocked too. Netflix have decided that it’s almost impossible to individually identify specific VPN addresses and blacklist them (which is true), so have just blocked the whole classification of commercial addresses.

There’s no doubt that this new tactic has been extremely effective: hundreds of thousands of Netflix viewers were locked out instantly if they were connected through a VPN. This is because nearly every VPN service ran from a datacentre which contained servers all assigned commercial IP addresses. This means that they are all classed as commercial connections and now don’t work at all with Netflix. It’s too early to see whether other companies will follow suit, but considering the success it wouldn’t be a surprise. The market for private residential proxies is certainly growing too, and with many websites locking the door on access from commercial addresses, this is likely to continue.

Fortunately some of the services have been fighting back, and if you know where to look there is an increasing number of residential VPN services available which run on servers assigned residential-classified IP addresses. The basic VPNs can offer some addresses; however, if you need any number then there are only a couple of places where you can buy residential IPs from.

One of the oldest and most respected suppliers (indeed many of the VPN services buy their residential IP proxy servers from this company as well) is called Storm Proxies.
