TCP section
| XML | Console Display | Description |
|---|---|---|
<TcpTotalPacketsRcvd> |
Total packets rcvd |
The count of TCP packets received by the TCP reassembler. |
<TcpTotalPacketsRcvdPerSec> |
Total packets rcvd per second |
Rate of TCP packets received per second |
<TcpTotalConnections> |
Total connections |
The count of new TCP connections that are formed by the TCP reassembler. |
<TcpTotalConnectionsPerSec> |
Total connections per second |
Rate of new TCP connections that are formed per second |
<TcpTotalClosedConnections> |
Total closed connections |
The count of TCP connections closed by the TCP reassembler |
<TcpTotalRstConnections> |
Total reset connections |
The count of TCP connections that are reset. A high number of reset connections can indicate a connection issue. |
<TcpSyn_waitConnections> |
SYN/WAIT connections |
Current® count of TCP connections that only received the first SYN handshake packet. This number must track with the "Current® connections" value, under 50 percent, depending on network traffic activity. If the value consistently exceeds it by a large margin, there can be a problem with the span port traffic. |
<TcpSyn_waitConnectionsMax> |
SYN/WAIT connections max |
The high water mark for above. |
<TcpTotalSyn_waitConnectionsAged> |
Total SYN/WAIT connections aged |
Shows how many SYN/WAIT connections are deleted due to aging. |
<TcpTotalSyn_waitConnectionsDestroyed> |
Total SYN/WAIT connections destroyed |
Count of SYN/WAIT connections destroyed due to the max limit that is being reached. This occurs to allow room for new connections to be created. If this count rises rapidly within a short period (5 minutes), it can indicate that the default max limits are set too low for the volume of network traffic captured. Adjust the max limit to a higher value to minimize loss. A rapidly rising count can also indicate a problem with the network infrastructure not providing relatively complete network traffic. |
<TcpTotalOutsyncSyn_waitConnections> |
Total out-of-sync SYN/WAIT connections |
Total count of connections where the SYN handshake packets, SYN1 and SYN2, are reversed. Received the SYN packet from server to client before the client to server SYN packet. |
<TcpCurrentConnections> |
Current connections |
Current® count of completed SYN handshake connections (connections established). |
<TcpCurrentConnectionsMax> |
Current connections max |
The high water mark for above. |
<TcpTotalCurrentConnectionsAged> |
Total Current connections aged |
Shows how many current connections are deleted because of aging. |
<TcpTotalCurrentConnectionsDestroyed> |
Total Current connections destroyed |
Count of connections destroyed because of the max limit being reached. This occurs to allow room for new connections to be created. If this count rises rapidly within a short time (5 minutes), it can indicate that the default max limits are set too low for the volume of network traffic captured. Adjust the max limit to a higher value to minimize loss. A rapidly rising count can also indicate a problem with the network infrastructure not providing relatively complete network traffic. |
<TcpTotalConnectionsReaped> |
Total Connections reaped |
Connections per second that cannot be decrypted because of a missing key |
<TcpTime_waitConnections> |
TIME_WAIT connections |
Current® count of connections that is in a closed/wait state but not closed, received the FIN packets. |
<TcpTime_waitConnectionsMax> |
TIME_WAIT connections max |
The high water mark for above. |
<TcpTotalOooConnectionsDeleted> |
Total out-of-order connections deleted |
Indicates how many out-of-order connection deletions are occurred. The count value of this statistic automatically resets when it exceeds 5,000,000. |
<TcpTotalOooConnections> |
Total out-of-order connections |
Indicates how many total out of order packet connections are occurring. If this number is high or approaching the "Total connections" number, then the network infrastructure that is providing traffic to the Capture ports cannot be clean, and some hits cannot properly reassemble because of excessive packet reordering required. This can be CPU-intensive for the Capture process. |
<TcpTotalRolloverConnections> |
Total rollover connections |
Total connections where the TCP sequence number is rolled over to 0 |
<TcpTotalMissingPktConnections> |
Total missing packet connections |
Total connections where a missing packet condition are detected |
<TcpCurrentStreamingConnections> |
Current streaming connections |
Not implemented or used |
<TcpTotalStreamingConnections> |
Total streaming connections |
Not implemented or used |
<TcpTotalAckedButUnseenPackets> |
Total ACKed but unseen packets |
A count of TCP ACK packets that were received but did not have a corresponding TCP data packet that it ACKed for the TCP connection. |
<TcpTotalAckRollbacks> |
Total ACK rollbacks |
A count of ACK packet sequence numbers that are less than the expected ACK packet sequence number in the TCP reassembler. |
<TcpAlienPacketsRcvd> |
Alien packets rcvd |
A count of any TCP packet where a corresponding
TCP connection is not found in the TCP reassembler's table of current
known TCP connections. The alien packet count must be measured against
the Total packets captured value. Expect to see this
count below 10 percent. |
<TcpTotalChecksumErrors> |
Total checksum errors |
Count of bad TCP packet checksum errors. If you
are getting error counts for this value, then your network infrastructure
is spanning traffic to the DNCA host machine with bad packet
checksum values. Note: If you are encountering a high
number of checksum errors, the problem can be caused by a number of
factors. It includs checksum offloading that are performed at the
NIC. To verify, you must contact your network IT department to identify
if this feature is enabled and, if so, to disable it and then recheck
the value of this statistic. |
<TcpErrors> |
Errors |
Not implemented or used. |
<TcpErrorsperSec> |
TCP Errors per Second |
Not implemented or used. |
<TcpTotalDuplicatePackets> |
Total back-to-back duplicate packets |
Indicates how many back-to-back duplicate packets
are occurring in the filtered capture traffic. A high number indicates
that the network switch span ports are not properly configured and
are providing duplicate traffic. In this case, the stat approaches
one half the value that is specified in the Total packets
rcvd value. While the Capture processes can handle duplicate
traffic packets, it is an unnecessary usage that can impact performance
when the system is already close to its maximum level. This also is
an issue where available bandwidth for the Capture NICs is needlessly
wasted. |