We’ve seen situations where one device had more than 49,000 duplicate ACKs. It was an IP printer that had run out of paper: its receive buffer filled, it stopped consuming data, and it kept acknowledging the same byte. Consider the impact on your network of many such devices!
5. Thou shalt relate thy TCP resets to the cause: A RESET (RST) segment is sent by TCP to abort a connection. The fact that you have resets may or may not indicate a network problem. A user may have gone away and left the connection idle, and the application may have a keep-alive or idle-timeout process that terminates the connection after a period of inactivity. In that case the RESET closing the connection is proper and indicates no problem. On the other hand, if an application is refusing connections because it is out of resources, you may see many RESETs.
In monitoring your TCP network, you may find counters called Established Resets and Resets Out. Established Resets is the number of connections that were reset after reaching the established state (tcpEstabResets in the SNMP TCP MIB), and Resets Out is the number of segments sent with the RESET flag on (tcpOutRsts). Investigating the cause of resets can help you find many types of problems: relate each reset to the state the connection was in when it was reset, and to which side sent it, before deciding whether it is benign.
6. Thou shalt not fail to watch thy TCP attempt failures: In monitoring your TCP network, you may find counters called Connection Attempts Failed, Connection Attempts Dropped, or Connection Attempts Discarded. These counters appear in the output of the Netstat STATS command, or you may see them while interrogating the Simple Network Management Protocol (SNMP) Management Information Base (MIB), where Connection Attempts Failed corresponds to tcpAttemptFails.
These counters mean that a connection attempt to or from the mainframe was started but never reached the established state. Most often a remote host has tried to connect to an application on the mainframe and failed, because the application the remote user wants is inactive or doesn’t exist (the Failed counter also includes connections the mainframe itself attempted and could not complete). One cause of degradation on TCP networks is unnecessary traffic. PCs or other hardware on the LAN sometimes send “broadcast”-style queries to many devices, the mainframe included, looking for PC-based services the mainframe doesn’t offer.
Figure 3 shows SYN packets sent to start a connection to port 445, a port on which nothing was listening on the mainframe. A SYN is answered with a SYN-ACK if an application has the port open; here each SYN was answered with an RST, which tells the client the connection cannot be established. Each time this occurs, the Connection Attempts Dropped or Connection Attempts Discarded counter increments.
In Figures 3 and 4, you see SYN packet 75 answered by RST packet 76, SYN packet 148 answered by RST packet 149, and SYN packet 225 answered by RST packet 226. If this is a mistake that happens thousands of times a day because some PCs aren’t properly configured, consider how much CPU time the TCP stack spends on needless error handling. The same SYN/RST pattern, from a single source walking through many ports or many addresses, is also what a port scan looks like, so tie the source address to its cause before dismissing the counters as noise.
Notice TCP port 445, which is used by the SMB (Server Message Block) file-sharing protocol in Windows NT/2000/XP. In Windows NT, SMB ran on top of NetBIOS over TCP/IP, which uses UDP ports 137 and 138 and TCP port 139. Beginning with Windows 2000 (and in XP/2003), Microsoft added the ability to run SMB directly over TCP/IP, without the extra NetBIOS layer, using TCP port 445. This port is a favorite target of attackers and network worms, so a stream of SYNs to 445 deserves a look at the source even when the mainframe simply resets them.
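The following is an added example, not code from the article or from any vendor’s TCP stack. It shows the bookkeeping behind the counters discussed above: it walks a small trace, keeps a coarse per-connection state, and derives Connection Attempts Failed (a SYN answered by an RST, paired the way Figures 3 and 4 pair packets 75/76, 148/149 and 225/226), Established Resets versus Resets Out, and the duplicate-ACK count from the printer story at the top of this section. The packet records, the field names, the addresses and the packet numbers are constructed for this example; the duplicate-ACK test is a simplified one (same direction, same acknowledgment number, no data), not the full RFC definition.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    """One TCP segment from a trace. Field names are this example's own."""
    no: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str        # letters from "S" SYN, "A" ACK, "R" RST, "F" FIN, "P" PSH
    seq: int = 0
    ack: int = 0
    payload: int = 0  # data bytes carried

def conn_key(p):
    """Direction-independent 4-tuple so both ends of a flow share one state."""
    a, b = (p.src_ip, p.src_port), (p.dst_ip, p.dst_port)
    return (a, b) if a < b else (b, a)

def analyze(trace, local_ip):
    """Walk the trace in order, keep a coarse TCP state per connection and derive:
      attempt_fails  (remote ip, local port) -> SYNs answered with an RST
      syn_rst_pairs  packet numbers of each SYN and the RST that answered it
      estab_resets   RSTs on connections that had reached ESTABLISHED
      resets_out     RST segments sent by local_ip
      dup_acks       src ip -> pure ACKs repeating the previous ack number
    """
    state, syn_no, last_pure_ack = {}, {}, {}
    out = {"attempt_fails": Counter(), "syn_rst_pairs": [],
           "estab_resets": 0, "resets_out": 0, "dup_acks": Counter()}
    for p in trace:
        k = conn_key(p)
        st = state.get(k, "CLOSED")
        if "R" in p.flags:
            if p.src_ip == local_ip:
                out["resets_out"] += 1
            if st in ("SYN_SENT", "SYN_RCVD"):
                # the attempt never got established: the "attempt fail" case
                if p.src_ip == local_ip:
                    remote_ip, local_port = p.dst_ip, p.src_port
                else:
                    remote_ip, local_port = p.src_ip, p.dst_port
                out["attempt_fails"][(remote_ip, local_port)] += 1
                out["syn_rst_pairs"].append((syn_no.get(k), p.no))
            elif st in ("ESTABLISHED", "CLOSE_WAIT"):
                out["estab_resets"] += 1  # idle timeout, application abort, ...
            state[k] = "CLOSED"
        elif "S" in p.flags and "A" not in p.flags:
            state[k], syn_no[k] = "SYN_SENT", p.no
        elif "S" in p.flags:
            state[k] = "SYN_RCVD"
        elif "F" in p.flags:
            state[k] = "CLOSE_WAIT" if st == "ESTABLISHED" else st
        elif "A" in p.flags:
            if st == "SYN_RCVD":
                state[k] = "ESTABLISHED"  # third packet of the handshake
            elif st == "ESTABLISHED" and p.payload == 0:
                # simplified duplicate-ACK test: same direction, same ack number, no data
                flow = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
                if last_pure_ack.get(flow) == p.ack:
                    out["dup_acks"][p.src_ip] += 1
                last_pure_ack[flow] = p.ack
    return out

# Constructed trace, not captured data; 445 probe numbers mirror the article's Figures 3 and 4.
MF, PC, PRN, TERM = "10.1.1.1", "10.1.1.20", "10.1.1.30", "10.1.1.40"
SAMPLE_TRACE = [
    # a misconfigured PC probing SMB on the mainframe; nothing listens on 445
    Pkt(75, PC, 1045, MF, 445, "S", seq=1000),
    Pkt(76, MF, 445, PC, 1045, "RA", ack=1001),
    Pkt(148, PC, 1045, MF, 445, "S", seq=1000),
    Pkt(149, MF, 445, PC, 1045, "RA", ack=1001),
    Pkt(225, PC, 1045, MF, 445, "S", seq=1000),
    Pkt(226, MF, 445, PC, 1045, "RA", ack=1001),
    # a port-23 session that completes the handshake, idles, and is reset by the host
    Pkt(300, TERM, 1100, MF, 23, "S", seq=500),
    Pkt(301, MF, 23, TERM, 1100, "SA", seq=9000, ack=501),
    Pkt(302, TERM, 1100, MF, 23, "A", seq=501, ack=9001),
    Pkt(303, MF, 23, TERM, 1100, "RA", seq=9001, ack=501),
    # a printer that stops consuming data and keeps acknowledging the same byte
    Pkt(400, MF, 2000, PRN, 9100, "S", seq=100),
    Pkt(401, PRN, 9100, MF, 2000, "SA", seq=7000, ack=101),
    Pkt(402, MF, 2000, PRN, 9100, "A", seq=101, ack=7001),
    Pkt(403, MF, 2000, PRN, 9100, "PA", seq=101, ack=7001, payload=512),
    Pkt(404, PRN, 9100, MF, 2000, "A", seq=7001, ack=613),
    Pkt(405, MF, 2000, PRN, 9100, "PA", seq=613, ack=7001, payload=512),
    Pkt(406, PRN, 9100, MF, 2000, "A", seq=7001, ack=613),
    Pkt(407, PRN, 9100, MF, 2000, "A", seq=7001, ack=613),
    Pkt(408, PRN, 9100, MF, 2000, "A", seq=7001, ack=613),
]

if __name__ == "__main__":
    r = analyze(SAMPLE_TRACE, MF)
    print(dict(r["attempt_fails"]), r["syn_rst_pairs"])
    print(r["estab_resets"], r["resets_out"], dict(r["dup_acks"]))
```

On this trace the three SYNs from 10.1.1.20 to port 445 show up as attempt failures keyed by source address and local port, the port-23 reset counts as an established reset, all four RSTs from the mainframe count as Resets Out, and the printer accumulates duplicate ACKs. Keying attempt failures by remote address is what lets you separate one chatty PC from a scan touching many ports, and passing a different local_ip shows how the same RST lands in a different counter on the other side of the conversation.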