Thanks for the ideas John, I'm definitely not a fan of NetMon either, so I'll look into Ethereal and TCPDump. I've used the IIS lockdown tool on another web server, with mixed results. At this point though, it may be worth a shot. The server is behind a Cisco PIX. No error or dropped packets show from the outside into the Cisco nor to or from the Cisco to the server. Doing extended pings, pathpings, and Visual Routes to the web server, router, and second server behind firewall, only shows web server with packet loss. NICs and Ethernet cables test OK. Switch and firewall ports look OK. Testing now to see if correlation between packet loss and high traffic volume. Packet loss is definitely sporadic, we can go 3 or 4 with no loss, then the next 3 or 4 hours we lose 30%, and yet some days we've gone all day with no loss, but no set patterns.
Thanks again for the ideas, feel free to send more. For now I'll try the previously mentioned.

Doug

-----Original Message-----
From: King, John [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 25, 2002 3:08 PM
To: NT 2000 Discussions
Subject: RE: Network Monitor - Lost Frames

hmmm... I am not a big fan of netmon, but heh what can I say.. Have you tried something else? Just to verify the data 'netmon' reports is correct.. Maybe the TCPDump port for windows, or even Ethereal, if you really want to see what is going on with packets... These are *nix applications that have been ported to windows.. This is a good place to start..

http://netgroup-serv.polito.it/winpcap/

Is this machine behind a router/firewall..? Direct connection..?

How about IIS, have you secured it properly..? I run an IIS5 both outside our firewall, but behind our T1 service provider's router. It gets slammed with bogus requests for stupid shit like %./cmd.exe, the kind of things that I installed all those damn hotfixes to prevent. The requests can still tie up an IIS server. MS has a tool, IISlockdown, which includes URLScan, which checks incoming requests and drops the stupid shit, before even passing em to IIS..

How bout services, are you using the IP security options to filter unneeded ports and services..? I think that netbios is needed for way too much shit and is a huge security risk. Tickle netbios, find machine name, now sys profiler has IUSR_machinename account.. Grrr IIS...

Anyway maybe some more info would help here..

Good luck,
~John

-----Original Message-----
From: Doug Eubank [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 24, 2002 7:28 PM
To: NT 2000 Discussions
Subject: Network Monitor - Lost Frames

Hi all,

I have noticed severe packet loss to my web server over the last week or so. After I deduced that it was an issue with the server itself and not its T1 connection, I ran NetMon to see if I found anything unusual. I did, and I was hoping someone could tell me what it meant. The capture shows the frame buffer filling up very quickly, and then we start to lose a great number of frames. It doesn't show any frames being dropped, just a large amount lost once the buffer is exceeded. Does anyone know if this is what's causing my packet loss, and what can be done to resolve the issue? We're running W2K with IIS5.0 on a Compaq ML530. Any help is appreciated.

Doug

------
You are subscribed as [EMAIL PROTECTED]
Archives: http://www.swynk.com/sitesearch/search.asp
To unsubscribe send a blank email to [EMAIL PROTECTED]
