First time here? Check out the FAQ!
THIS IS A TEST INSTANCE. Feel free to ask and answer questions, but take care to avoid triggering too many notifications.
Ask Your Question
0

Malformed Packets During Livestream

Hello All,

We are a medium size ministry and we livestream our services using Livestream Studio Software. Recently we've experienced errors from Livestream Studio stating connection too slow for quality and at points the stream will actually drop completely. Doing some simple network diags I've determined there were no issues with our LAN being saturated (no data loss from hosts to GWY). I've also done speed tests and pinging the ISP routers with no significant data loss. We've also had the ISP out here to do line tests which have all passed. Upon running packet captures and using the _ws.expert.severity == error filter I see alot of Malformed packets and TCP out of Order.

I'm not a Network Engineer, so im doing my best to explain this. On the capture i believe its displaying 14146 packets with that filter out of 3962277 packets captured. I see alot of Malformed HTTP packets from LAN HOST 1 to LAN HOST 2. Tonight I noticed alot of TCP Out-Of-Order packets from our Livestream Box to the livestream site. The TTL's are all 128 as well.

I've saved the capture. Please let me know anything else I can do to troubleshoot.

We've tested hardware removing switches and using Guest network Router with the same malformed packet results.

**Capture File Link https://www.dropbox.com/s/ojjx5mis1j8...

Thanks and Regards, Andrew FPMI IT Director

FPMI-IT's avatar
1
FPMI-IT
asked 2019-12-07 02:34:08 +0000, updated 2019-12-11 03:21:06 +0000
edit flag offensive 0 remove flag close merge delete

Comments

If possible can you post the capture file on a public share?

Spooky's avatar Spooky (2019-12-07 02:37:30 +0000) edit
more
  • delete

I'm about to upload it to my dropbox. Anyway i could get your email so i can send you the link? Thanks so much for responding so fast!! - Andrew

FPMI-IT's avatar FPMI-IT (2019-12-10 23:27:16 +0000) edit
more
  • delete

It's better to edit your question with a link to Dropbox so more people can try to help you.

Spooky's avatar Spooky (2019-12-11 01:25:38 +0000) edit
more
  • delete

I've added the link now.

FPMI-IT's avatar FPMI-IT (2019-12-11 03:22:39 +0000) edit
more
  • delete

This is a huge file. I see about 50/50 split between UDP and TCP traffic by number of packets. Can you narrow down what traffic is of interest? What are the IP addresses of "LAN HOST 1" and "LAN HOST 2"?

Spooky's avatar Spooky (2019-12-11 03:58:35 +0000) edit
more
  • delete
add a comment see more comments

1 Answer

0

Hi Andrew,

I opened the PCAP and took a look at TCP conversations and sorted by the number of packets.

You mentioned the ISP link being checked so I looked for a public IP with lots of traffic to or from 192.168.0.213.

I saw that host 192.168.0.213 is sending a lot of traffic to host 151.101.2.29 (a public IP) so I focused on this stream.

Use this filter to see the stream tcp.stream eq 13

I don't see a lot of malformed HTTP: 90 overall and none for this stream.

"Expert Information" is a good place to look for issues but most items listed in red or yellow need to be investigated to make sure they are real issues.

Now I do see an odd behaviour on host 192.168.0.213 where it sends _two copies_ of most (all?) segments.

This is why there are so many TCP Retransmission, TCP Dup ACK and TCP Out-of-Order

Take the first few packets:

Host 192.168.0.213 sends a segment to host 151.101.2.29 (frame 1855) and then the same segment (frame 1856) again after 0,01 ms. (That's 0.01 milliseconds!)

Host 192.168.0.213 is even sending duplicate ACK to host 151.101.2.29. See frame 1988 and then 1990 seen only 0.006 ms after.

Now this could be a real issue with the host or it could be an issue with your capture.

There is a possibility duplicate packets are caused by defective hardware.

Not sure how you took this capture but I would try to move the capture point "elsewhere" to see if the issue persists.

If it does then I would try to run the Livestream on another host.

Hope this helps.

Cheers,

Spooky

Spooky's avatar
191
Spooky
answered 2019-12-19 03:05:04 +0000
edit flag offensive 0 remove flag delete link
more

Comments

add a comment see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account. This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.

Add Answer