pianoman1976 Author

Level 1

104 points

Define this network behavior

I initially discovered I was having a peering problem by performing a traceroute:

traceroute: Warning: www.google.com has multiple addresses; using 208.67.219.231
+traceroute to google.navigation.opendns.com (208.67.219.231), 64 hops max, 40 byte packets+
+1 192.168.1.1 (192.168.1.1) 0.959 ms 0.658 ms 0.653 ms+
+2 cpe-76-95-80-1.socal.res.rr.com (76.95.80.1) 12.597 ms 12.703 ms 8.229 ms+
+3 24.24.193.145 (24.24.193.145) 13.410 ms 12.509 ms 12.428 ms+
+4 ae5-chswca1-rtr2.socal.rr.com (66.75.145.28) 12.896 ms 14.031 ms 13.275 ms+
+5 ge-4-3-0.tustca1-rtr1.socal.rr.com (66.75.145.13) 15.249 ms 15.197 ms 14.844 ms+
+6 ae-5-0.cr0.lax30.tbone.rr.com (66.109.6.64) 19.756 ms 36.849 ms 68.577 ms+
+7 ae-1-0.pr0.lax10.tbone.rr.com (66.109.6.131) 17.338 ms 17.727 ms 18.051 ms+
+8 * * *+
+9 te8-1.ccr01.lax01.atlas.cogentco.com (154.54.0.213) 31.040 ms te4-2.ccr01.lax01.atlas.cogentco.com (154.54.6.229) 18.951 ms te7-4.ccr01.lax01.atlas.cogentco.com (154.54.3.9) 89.567 ms+
+10 te3-1.ccr02.sjc01.atlas.cogentco.com (154.54.5.185) 28.293 ms 29.853 ms te9-3.ccr02.sjc01.atlas.cogentco.com (154.54.25.186) 28.882 ms+
+11 te7-2.ccr02.sjc03.atlas.cogentco.com (66.28.4.78) 42.413 ms 29.635 ms 28.248 ms+
+12 te9-3.mpd01.sjc04.atlas.cogentco.com (154.54.0.170) 29.837 ms te4-3.mpd01.sjc04.atlas.cogentco.com (154.54.24.141) 29.947 ms te9-3.mpd01.sjc04.atlas.cogentco.com (154.54.0.170) 29.393 ms+
+13 38.104.140.46 (38.104.140.46) 30.549 ms 31.876 ms 32.086 ms+

The problem lays at hop 8 between

ae-1-0.pr0.lax10.tbone.rr.com

and

te8-1.ccr01.lax01.atlas.cogentco.com

This problem has been persistant for at least one week.

Later in my firewall log I discovered a large number of stealth mode connection attempts paired with nmblookup querys all pointing to IP 38.118.213.10.

Whois shows 38.118.213.10 as belonging to atlas.cogentco.com.

So I'm having peering problems with atlas.cogentco.com, and I am also being attacked by someone or something over there?

iMac 2.4 GHz Intel Core 2 Duo, 4 GB RAM, Mac OS X (10.5.7), Bootcamp 50 GB Windows 7

Posted on Jul 5, 2009 2:13 PM

27 replies

pianoman1976 Author

Level 1

104 points

Jul 7, 2009 2:01 AM in response to pianoman1976

I might be pushing it by asking you all to do this again, yet tonight I've actually got a problem with my connection and I would like to learn how to diagnose it. I've got terrible internet performance right now. My download speeds are testing okay, yet my upload speeds are practically non existent.

Here:

+XXXX:~ XXXX$ netstat -an+
+Active Internet connections (including servers)+
+Proto Recv-Q Send-Q Local Address Foreign Address (state)+
+tcp4 0 0 192.168.1.140.49682 209.123.109.176.80 LAST_ACK+
+tcp4 0 0 192.168.1.140.49681 209.123.109.175.80 LAST_ACK+
+tcp4 0 0 192.168.1.140.49669 209.123.109.176.80 LAST_ACK+
+tcp4 0 0 192.168.1.140.49668 209.123.109.176.80 LAST_ACK+
+tcp4 0 0 192.168.1.140.49667 209.123.109.176.80 LAST_ACK+
+tcp4 0 0 192.168.1.140.49666 209.123.109.176.80 LAST_ACK+
+tcp4 0 0 192.168.1.140.49665 209.123.109.175.80 LAST_ACK+
+tcp4 0 0 192.168.1.140.49645 209.123.109.175.80 LAST_ACK+
+tcp4 0 0 192.168.1.140.49634 209.123.109.176.80 LAST_ACK+
+tcp4 0 0 192.168.1.140.49633 209.123.109.176.80 LAST_ACK+
+tcp4 0 0 192.168.1.140.49632 209.123.109.176.80 LAST_ACK+
+tcp4 0 0 192.168.1.140.49631 209.123.109.176.80 LAST_ACK+
+tcp4 0 0 192.168.1.140.49630 209.123.109.175.80 LAST_ACK+
+tcp4 0 0 192.168.1.140.49629 209.123.109.175.80 LAST_ACK+
+tcp4 0 0 192.168.1.140.49624 209.123.109.176.80 LAST_ACK+
+tcp4 0 0 192.168.1.140.49623 209.123.109.176.80 LAST_ACK+
+tcp4 0 0 192.168.1.140.49622 209.123.109.176.80 LAST_ACK+
+tcp4 0 0 192.168.1.140.49621 209.123.109.176.80 LAST_ACK+
+tcp4 0 0 192.168.1.140.49620 209.123.109.175.80 LAST_ACK+
+tcp4 0 0 192.168.1.140.49619 64.17.248.2.9091 LAST_ACK+
+tcp4 0 0 192.168.1.140.49616 69.17.117.207.80 LAST_ACK+
+tcp4 0 0 192.168.1.140.49615 72.21.81.132.80 LAST_ACK+
+tcp4 0 0 192.168.1.140.49614 69.17.117.207.80 LAST_ACK+
+tcp4 0 0 192.168.1.140.49613 69.17.117.207.80 LAST_ACK+
+tcp4 0 0 192.168.1.140.49612 69.17.117.207.80 LAST_ACK+
+tcp4 0 0 192.168.1.140.49611 69.17.117.207.80 LAST_ACK+
+tcp4 0 0 127.0.0.1.8118 . LISTEN+
+tcp4 0 0 127.0.0.1.631 . LISTEN+
+tcp6 0 0 ::1.631 . LISTEN+
+udp4 0 0 192.168.1.140.123 .+
+udp6 0 0 fe80::21b:63ff:f.123 .+
+udp4 0 0 . .+
+udp4 0 0 *.62566 .+
+udp4 0 0 *.62116 .+
+udp4 0 0 *.55130 .+
+udp4 0 0 *.51734 .+
+udp4 0 0 *.55745 .+
+udp4 0 0 *.52275 .+
+udp6 0 0 ::1.123 .+
+udp4 0 0 127.0.0.1.123 .+
+udp6 0 0 fe80::1%lo0.123 .+
+udp6 0 0 *.123 .+
+udp4 0 0 *.123 .+
+udp6 0 0 *.5353 .+
+udp4 0 0 *.5353 .+
+udp4 0 0 . .+
+udp4 0 0 . .+
+icm6 0 0 . .+
+Active LOCAL (UNIX) domain sockets+
+Address Type Recv-Q Send-Q Inode Conn Refs Nextref Addr+
+72c7908 stream 0 0 0 72c76e8 0 0 /var/run/asl_input+
+72c76e8 stream 0 0 0 72c7908 0 0+
+6def550 stream 0 0 0 6def5d8 0 0+
+6def5d8 stream 0 0 0 6def550 0 0+
+72c75d8 stream 0 0 0 72c7550 0 0+
+72c7550 stream 0 0 0 72c75d8 0 0+
+72e8660 stream 0 0 0 72e86e8 0 0 /var/run/mDNSResponder+
+72e86e8 stream 0 0 0 72e8660 0 0+
+72e8b28 stream 0 0 0 72e8d48 0 0+
+72e8d48 stream 0 0 0 72e8b28 0 0+
+72e8a18 stream 0 0 0 72e8880 0 0+
+72e8880 stream 0 0 0 72e8a18 0 0+
+72e8bb0 stream 0 0 0 72e8990 0 0+
+72e8990 stream 0 0 0 72e8bb0 0 0+
+6def4c8 stream 0 0 797c3b0 0 0 0 /tmp/launch-13cXyc/:0+
+72c7a18 stream 0 0 797c4d0 0 0 0 /tmp/launch-I2RYDv/Listeners+
+72c7aa0 stream 0 0 797c5f0 0 0 0 /tmp/launch-xD2Ort/Render+
+72c7990 stream 0 0 797c710 0 0 0 /private/tmp/com.hp.launchport+
+6def3b8 stream 0 0 797c9e0 0 0 0 /tmp/launchd-98.MDzO8S/sock+
+72b0088 stream 0 0 0 0 0 0+
+72c7d48 stream 0 0 0 72c7198 0 0+
+72c7198 stream 0 0 0 72c7d48 0 0+
+72e8dd0 stream 0 0 0 72c72a8 0 0+
+72c72a8 stream 0 0 0 72e8dd0 0 0+
+72c7330 stream 0 0 750d290 0 0 0 /var/run/pppconfd+
+72c7220 stream 0 0 0 72c7ee0 0 0+
+72c7ee0 stream 0 0 0 72c7220 0 0+
+72c7000 stream 0 0 0 72c7cc0 0 0+
+72c7cc0 stream 0 0 0 72c7000 0 0+
+72c7440 stream 0 0 0 72b0660 0 0+
+72b0660 stream 0 0 0 72c7440 0 0+
+72c7770 stream 0 0 0 72c77f8 0 0+
+72c77f8 stream 0 0 0 72c7770 0 0+
+72c7bb0 stream 0 0 0 72c7c38 0 0+
+72c7c38 stream 0 0 0 72c7bb0 0 0+
+72c7dd0 stream 0 0 0 72c7e58 0 0+
+72c7e58 stream 0 0 0 72c7dd0 0 0+
+72b0330 stream 0 0 0 72b03b8 0 0+
+72b03b8 stream 0 0 0 72b0330 0 0+
+72b0550 stream 0 0 0 72b05d8 0 0+
+72b05d8 stream 0 0 0 72b0550 0 0+
+72b0aa0 stream 0 0 0 72b0b28 0 0+
+72b0b28 stream 0 0 0 72b0aa0 0 0+
+72b0ee0 stream 0 0 0 72b0f68 0 0+
+72b0f68 stream 0 0 0 72b0ee0 0 0+
+6def7f8 stream 0 0 0 6def770 0 0+
+6def770 stream 0 0 0 6def7f8 0 0+
+6def880 stream 0 0 0 6def990 0 0+
+6def990 stream 0 0 0 6def880 0 0+
+6defa18 stream 0 0 0 6defaa0 0 0+
+6defaa0 stream 0 0 0 6defa18 0 0+
+6defc38 stream 0 0 6eef9a0 0 0 0 /var/tmp/launchd/sock+
+6defcc0 stream 0 0 6eefac0 0 0 0 /private/var/run/cupsd+
+6defd48 stream 0 0 6eefbe0 0 0 0 /var/run/usbmuxd+
+6defe58 stream 0 0 6eefd00 0 0 0 /var/run/asl_input+
+6deff68 stream 0 0 6eefd90 0 0 0 /var/run/portmap.socket+
+6defee0 stream 0 0 6eefe20 0 0 0 /var/run/mDNSResponder+
+72b0990 dgram 0 0 0 6def440 6def440 0+
+6def440 dgram 0 0 0 72b0990 72b0990 0+
+6def088 dgram 0 0 0 6defdd0 0 72e8908+
+72e8330 dgram 0 0 0 72e83b8 72e83b8 0+
+72e83b8 dgram 0 0 0 72e8330 72e8330 0+
+72e8770 dgram 0 0 0 72e8c38 72e8c38 0+
+72e8c38 dgram 0 0 0 72e8770 72e8770 0+
+72e8908 dgram 0 0 0 6defdd0 0 6def2a8+
+6def2a8 dgram 0 0 0 6defdd0 0 72b0cc0+
+72b0cc0 dgram 0 0 0 6defdd0 0 72b07f8+
+72b07f8 dgram 0 0 0 6defdd0 0 72c7b28+
+6def330 dgram 0 0 0 72b0dd0 72b0dd0 0+
+72b0dd0 dgram 0 0 0 6def330 6def330 0+
+72c73b8 dgram 0 0 0 72b0000 72b0000 0+
+72b0000 dgram 0 0 0 72c73b8 72c73b8 0+
+72c7b28 dgram 0 0 0 6defdd0 0 72c7110+
+72e8e58 dgram 0 0 0 72c7880 72c7880 0+
+72c7880 dgram 0 0 0 72e8e58 72e8e58 0+
+72c7110 dgram 0 0 0 6defdd0 0 72b0220+
+72b0220 dgram 0 0 0 6defdd0 0 72c7660+
+72c7660 dgram 0 0 0 6defdd0 0 6def908+
+6def000 dgram 0 0 0 72b0770 72b0770 0+
+72b0770 dgram 0 0 0 6def000 6def000 0+
+6def908 dgram 0 0 0 6defdd0 0 0+
+6defdd0 dgram 0 0 6eefc70 0 6def088 0 /var/run/syslog+

+traceroute to google.com (74.125.67.100), 64 hops max, 40 byte packets+
+1 192.168.1.1 (192.168.1.1) 1.214 ms 0.645 ms 0.644 ms+
+2 cpe-XXXX.socal.res.rr.com (XXXX) 12.398 ms 12.340 ms 13.567 ms+
+3 24.24.193.145 (24.24.193.145) 12.081 ms 13.484 ms 13.352 ms+
+4 ae5-chswca1-rtr2.socal.rr.com (66.75.145.28) 12.910 ms 12.663 ms 12.516 ms+
+5 ge-4-3-0.tustca1-rtr1.socal.rr.com (66.75.145.13) 15.811 ms 16.032 ms 15.716 ms+
+6 ae-5-0.cr0.lax30.tbone.rr.com (66.109.6.64) 17.547 ms 21.262 ms 18.942 ms+
+7 ae-1-0.pr0.lax10.tbone.rr.com (66.109.6.131) 17.613 ms 18.363 ms 16.087 ms+
+8 * 72.14.198.73 (72.14.198.73) 17.566 ms 17.487 ms+
+9 216.239.46.180 (216.239.46.180) 16.054 ms 19.095 ms 18.926 ms+
+10 216.239.43.125 (216.239.43.125) 129.653 ms 87.414 ms 89.570 ms+
+11 72.14.239.131 (72.14.239.131) 89.523 ms * 72.14.239.127 (72.14.239.127) 89.661 ms+
+12 209.85.255.194 (209.85.255.194) 99.546 ms 88.207 ms 89.630 ms+
+13 * * *+
+14 * * *+

Jul 7, 2009 2:04 AM in response to pianoman1976

Have you tried a new Ethernet cable?

pianoman1976 Author

Level 1

104 points

Jul 7, 2009 2:16 AM in response to DaddyPaycheck

DaddyPaycheck wrote:
Have you tried a new Ethernet cable?

Are you serious? What would changing out the cable do?

I recently had my house professionally wired for ethernet. Changing the cables would not be an easy task.

Jul 7, 2009 4:42 AM in response to pianoman1976

My apologies, I thought that you were trying to troubleshoot a problem. Often it is the simplest thing that causes the greatest concern.

Besides, I didn't mean rewire your house as opposed to an Ethernet jumper from the Mac in question connected directly to the hub or switch in question.

Have you had odd behavior since the rewire or is this newer than that?

pianoman1976 Author

Level 1

104 points

Jul 7, 2009 11:32 AM in response to DaddyPaycheck

My apologies, I thought that you were trying to troubleshoot a problem. Often it is the simplest thing that causes the greatest concern.

I am trying to troubleshoot a problem. I was not being flippant in my response to your advise. If it actually might help me to isolate the issue, then it's worth it for me to run a temporary cable to check and see.

I didn't get the logic until now. Doh. Of course it makes since to run a test directly, maybe even taking the router out of the mix and running directly into the modem. And also running a test from other systems on the local network. I'll give it a try.

Have you had odd behavior since the rewire or is this newer than that?

I believe I've encountered upload related bandwidth problems before the rewire.

Message was edited by: pianoman1976

Jul 7, 2009 12:05 PM in response to pianoman1976

Right. Always break things down to the most basic setup first, and if that works, go backwards from there.

pianoman1976 Author

Level 1

104 points

Jul 7, 2009 12:14 PM in response to pianoman1976

Could someone tell me what the two and sometimes three "ms" numbers are after each hop on the traceroute? I know these numbers represent the timing of the hop in milliseconds, yet I'm wondering why there is not just one ms measurement. Does the traceroute hit each hop multiple times and reflect a number for each hit?

Also, what is considered "normal" when it comes to these ms timing results? During times such as now when I'm encountering persistent upload bandwidth problems, but no download bandwidth problems - would this be reflected on a traceroute, or not?

I have found that every time I talk to the IT help desk at Road Runner they are always having me running traceroutes. I would like to know more about it so that I can do more of this type of diagnostic work on my own before having to call for help.

+traceroute to google.com (74.125.67.100), 64 hops max, 40 byte packets+
+1 192.168.1.1 (192.168.1.1) 1.696 ms 3.067 ms 0.681 ms+
+2 cpe-76-95-80-1.socal.res.rr.com (76.95.80.1) 14.739 ms 13.414 ms 11.610 ms+
+3 24.24.193.145 (24.24.193.145) 10.805 ms 12.279 ms 25.639 ms+
+4 ae5-chswca1-rtr2.socal.rr.com (66.75.145.28) 13.530 ms * 13.437 ms+
+5 ge-4-3-0.tustca1-rtr1.socal.rr.com (66.75.145.13) 15.420 ms * 14.944 ms+
+6 ae-5-0.cr0.lax30.tbone.rr.com (66.109.6.64) 15.826 ms 13.132 ms 16.781 ms+
+7 * ae-1-0.pr0.lax10.tbone.rr.com (66.109.6.131) 17.994 ms 17.375 ms+
+8 * 72.14.198.73 (72.14.198.73) 16.947 ms 17.989 ms+
+9 * 216.239.46.180 (216.239.46.180) 17.638 ms 16.526 ms+
+10 216.239.43.125 (216.239.43.125) 89.460 ms 89.369 ms *+
+11 72.14.239.131 (72.14.239.131) 87.910 ms 72.14.239.127 (72.14.239.127) 88.024 ms 86.270 ms+
+12 209.85.255.194 (209.85.255.194) 93.788 ms 98.438 ms 90.265 ms+
+13 * *+

Message was edited by: pianoman1976

Jul 7, 2009 12:25 PM in response to pianoman1976

Although not the definitive authority, I do believe that starting in Wikipedia is helpful: Traceroute

pianoman1976 Author

Level 1

104 points

Jul 7, 2009 12:55 PM in response to DaddyPaycheck

DaddyPaycheck wrote:
Right. Always break things down to the most basic setup first, and if that works, go backwards from there.

I took my entire local network and disconnected it from my cable internet provider and hooked it up to my satellite internet provider and everything runs fine.

So the problem seems to be related to my cable provider. I took a Mac and connected it directly to the cable modem, and did the same with an XP system. In both instances I was still having the same upload bandwidth issue.

Jul 7, 2009 12:59 PM in response to pianoman1976

Imagine that.

Have you contacted your isp?

pianoman1976 Author

Level 1

104 points

Jul 7, 2009 1:41 PM in response to DaddyPaycheck

Have you contacted your isp?

Oh yes. It's been some time since I've had this problem, yet I've had it quite frequently.

I've spent countless hours on the phone with upper tier techs at Road Runner. We always run a bunch of traceroutes and there never seems to be any idea as to why and where I'm having a problem. They always verify that indeed there is a problem though.

The last time I spoke to them, I was told to bring my modem in for an exchange. To me this seemed to sound like a stab in the dark, yet it looks like I'll have to give it a try before I call back.

I thought maybe this time around I could learn a bit more about it myself. I guess netstat and traceroutes aren't as useful as I had thought when it comes to this kind of thing.

Message was edited by: pianoman1976

Camelot

Level 9

58,563 points

Jul 7, 2009 4:33 PM in response to pianoman1976

Could someone tell me what the two and sometimes three "ms" numbers are after each hop on the traceroute? I know these numbers represent the timing of the hop in milliseconds, yet

The ms indicate milliseconds - the time it took for the reply to get back to you.

I'm wondering why there is not just one ms measurement. Does the traceroute hit each hop multiple times and reflect a number for each hit?

Because one ping is not a reliable measure.

Traceroute sends out three pings to each hop. That way you can wean additional information about your network connection. For example, if one hop returns in, say, 100ms you don't know much more than that, but if all three return in 100ms you know your connection is stable. Conversely, if three replies from the same hop come in at 20ms, 100ms, and 200ms you know that your network connection is all over the place because there's a 10x difference between the fastest and slowest reply - often an indicator of a saturated link.

Also, what is considered "normal" when it comes to these ms timing results?

There's no answer to this because the reply time relies on many factors, not least of which is physical distance between you and the hop in question (for example, if you live in San Diego you're going to get (or at least expect) lower response times when pinging a server in Los Angeles than you would pinging a server in Amsterdam.

The only way to determine 'normal' is to benchmark your connection. Run several traces to the same location at various times and day and normalize the results. Now you know what your data should look like and you can more easily spot issues (e.g. a certain node normally responds in 80ms but today it's running at 500ms).

I have found that every time I talk to the IT help desk at Road Runner they are always having me running traceroutes. I would like to know more about it so that I can do more of this type of diagnostic work on my own before having to call for help.

Running a traceroute yourself might help satisfy your curiosity, but it won't help solve the problem since you have no control over the routing path your data takes. It doesn't hurt to have this data available, but be aware that if you call up most company's tech support and tell them "i've run a traceroute and your router in XYZ is having a problem" they will (at least internally) laugh at you for being a smart alec and make you go through their normal troubleshooting steps, anyway.

For the most part, any professional network is going to have its own set of monitoring systems that automatically alert the operators as to a problem. They should be well aware of any issue well before customers start calling (and bear in mind the people who answer the phone are likely several levels removed from the people who actually manage the networks and the routers).

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.

Define this network behavior