I think I have an issue with the Wonder Shaper script. I set up my firewall to use the Wonder Shaper script with HTB (instead of CBQ). My firewall has Squid running in transparent proxy mode, but I set up my browser to point to port 3128 (default Squid port). I ran a ping session to www.yahoo.com and did an SSH at the same time that I downloaded the Linux kernel (~20MB). It appears that most (if not all) of the traffic is being placed into the high priority class (queue? don't really know the difference yet) 10:. Isn't it supposed to go to 20: if it's not SSH or ICMP or ACK packets?

Here are the ping times from Yahoo! while doing the kernel download:

sh-2.05# ping www.yahoo.com
PING www.yahoo.akadns.net (64.58.76.227): 56 data bytes
64 bytes from 64.58.76.227: icmp_seq=0 ttl=241 time=1959.8 ms
64 bytes from 64.58.76.227: icmp_seq=1 ttl=241 time=1993.4 ms
64 bytes from 64.58.76.227: icmp_seq=2 ttl=241 time=2018.8 ms
64 bytes from 64.58.76.227: icmp_seq=3 ttl=241 time=1872.8 ms
64 bytes from 64.58.76.227: icmp_seq=4 ttl=241 time=1895.7 ms
64 bytes from 64.58.76.227: icmp_seq=5 ttl=241 time=2003.9 ms
64 bytes from 64.58.76.227: icmp_seq=6 ttl=241 time=2026.3 ms
64 bytes from 64.58.76.227: icmp_seq=7 ttl=241 time=2049.0 ms
64 bytes from 64.58.76.227: icmp_seq=8 ttl=241 time=2075.7 ms

--- www.yahoo.akadns.net ping statistics ---
11 packets transmitted, 9 packets received, 18% packet loss
round-trip min/avg/max = 1872.8/1988.3/2075.7 ms

As you can see, they are very high, on the order of 2 seconds!!!??

When I stopped the kernel download, the ping results dropped to:

sh-2.05# ping www.yahoo.com
PING www.yahoo.akadns.net (64.58.76.176): 56 data bytes
64 bytes from 64.58.76.176: icmp_seq=0 ttl=241 time=178.1 ms
64 bytes from 64.58.76.176: icmp_seq=1 ttl=241 time=179.1 ms
64 bytes from 64.58.76.176: icmp_seq=2 ttl=241 time=179.1 ms
64 bytes from 64.58.76.176: icmp_seq=3 ttl=241 time=179.3 ms
64 bytes from 64.58.76.176: icmp_seq=4 ttl=241 time=179.6 ms
64 bytes from 64.58.76.176: icmp_seq=5 ttl=241 time=179.2 ms

--- www.yahoo.akadns.net ping statistics ---
6 packets transmitted, 6 packets received, 0% packet loss
round-trip min/avg/max = 178.1/179.0/179.6 ms

Here is the output of 'tc -s qdisc list':

sh-2.05# tc -s qdisc list
qdisc ingress ffff: dev eth0
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
qdisc sfq 20: dev eth0 quantum 1514b perturb 10sec
 Sent 44775 bytes 401 pkts (dropped 0, overlimits 0)
qdisc sfq 10: dev eth0 quantum 1514b perturb 10sec
 Sent 166751 bytes 2494 pkts (dropped 0, overlimits 0)
qdisc htb 1: dev eth0 r2q 10 default 20 dcache 0 deq_util 1/1000000 deq_rate 0 trials_per_deq 0 dcache_hits 0 direct_packets 0
 Sent 211526 bytes 2895 pkts (dropped 0, overlimits 0)

During the download and the ping, the SSH session is extremely sluggish. But once both are stopped, the SSH session is very usable.

I'm using the 2.4.16 kernel patched with the HTB patch.

--
Jason A. Pattie
pattieja@pcxperience.com
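The impression above that "most (if not all) of the traffic" lands in 10: can be turned into a number by reading the per-qdisc counters back from `tc -s qdisc`. The following is an added example, not part of the list thread or of the Wonder Shaper script: it parses the `tc -s qdisc list` output quoted in the message (reconstructed inline from those figures, so it runs offline) and reports the byte share of each leaf sfq relative to the htb root. The regexes assume the older `Sent N bytes N pkts (dropped N, overlimits N)` line shape shown in the thread, with `pkt` also accepted for newer iproute2.

```python
"""Measure how the root qdisc's bytes are split between HTB leaf qdiscs.

Added example (not the thread's or wondershaper's code). Parses the
`tc -s qdisc` text and returns {handle: stats}, then the byte share of
every sfq leaf, so a "most traffic goes to 10:" hunch becomes a figure.
"""
import re

# Constructed from the numbers quoted on the list; same shape as the
# output of the 2.4-era tc, stats on the line after each qdisc header.
TC_OUTPUT = """\
qdisc ingress ffff: dev eth0
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
qdisc sfq 20: dev eth0 quantum 1514b perturb 10sec
 Sent 44775 bytes 401 pkts (dropped 0, overlimits 0)
qdisc sfq 10: dev eth0 quantum 1514b perturb 10sec
 Sent 166751 bytes 2494 pkts (dropped 0, overlimits 0)
qdisc htb 1: dev eth0 r2q 10 default 20 dcache 0 deq_util 1/1000000 deq_rate 0 trials_per_deq 0 dcache_hits 0 direct_packets 0
 Sent 211526 bytes 2895 pkts (dropped 0, overlimits 0)
"""

HEADER = re.compile(r"^qdisc (\S+) (\S+) dev (\S+)")
STATS = re.compile(r"Sent (\d+) bytes (\d+) pkts? \(dropped (\d+), overlimits (\d+)")


def parse_tc_qdisc(text):
    """Return {handle: {kind, dev, bytes, pkts, dropped, overlimits}}.

    Works whether the Sent line follows the header or is joined to it,
    which is how some archives flatten the output."""
    qdiscs = {}
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            kind, handle, dev = m.groups()
            current = handle
            qdiscs[current] = {"kind": kind, "dev": dev, "bytes": 0,
                               "pkts": 0, "dropped": 0, "overlimits": 0}
        m = STATS.search(line)
        if m and current is not None:
            sent, pkts, dropped, over = map(int, m.groups())
            qdiscs[current].update(bytes=sent, pkts=pkts,
                                   dropped=dropped, overlimits=over)
    return qdiscs


def leaf_shares(qdiscs, root="1:"):
    """Fraction of the root's bytes carried by each sfq leaf (0.0..1.0)."""
    total = qdiscs[root]["bytes"]
    if total == 0:
        return {}
    return {h: q["bytes"] / total
            for h, q in qdiscs.items() if q["kind"] == "sfq"}


def report(text, root="1:"):
    """Human-readable summary of the shares, one line per leaf."""
    shares = leaf_shares(parse_tc_qdisc(text), root)
    return "\n".join(f"{handle:6s} {share:6.1%} of root {root} bytes"
                     for handle, share in sorted(shares.items()))


if __name__ == "__main__":
    print(report(TC_OUTPUT))
```

Run against the thread's figures it shows 10: carrying roughly 79% of the bytes while the script's intent is for 20: (the htb default) to take the bulk of a download, which is exactly the anomaly the rest of the thread tracks down to the TOS field.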
On Wed, Jan 02, 2002 at 10:20:03AM -0600, Jason A. Pattie wrote:
> I think I have an issue with the Wonder Shaper script. I set up my
> firewall to use the Wonder Shaper script with HTB (instead of CBQ). My
> firewall has Squid running in transparent proxy mode, but I set up my
> browser to point to port 3128 (default Squid port). I ran a ping
> session to www.yahoo.com and did an SSH at the same time that I
> downloaded the Linux kernel (~20MB). It appears that most (if not all)
> of the traffic is being placed into the high priority class (queue?
> don't really know the difference yet) 10:. Isn't it supposed to go to
> 20: if it's not SSH or ICMP or ACK packets? Here are the ping times
> from Yahoo! while doing the kernel download:

tcpdump a bit - it may be that squid is misbehaving and giving its traffic 'minimum delay' TOS!

tcpdump -n -v -v

Regards,

bert
--
http://www.PowerDNS.com      Versatile DNS Software & Services
http://www.tk                           the dot in .tk
Netherlabs BV / Rent-a-Nerd.nl           - Nerd Available -
Linux Advanced Routing & Traffic Control: http://ds9a.nl/lartc
Would that require tcpdump on the firewall? Or could I run tcpdump somewhere else on the network? I'm trying to keep as many tools off the firewall as possible. But I'll put tcpdump into the distro for testing.

bert hubert wrote:
> On Wed, Jan 02, 2002 at 10:20:03AM -0600, Jason A. Pattie wrote:
>
>> I think I have an issue with the Wonder Shaper script. I set up my
>> firewall to use the Wonder Shaper script with HTB (instead of CBQ). My
>> firewall has Squid running in transparent proxy mode, but I set up my
>> browser to point to port 3128 (default Squid port). I ran a ping
>> session to www.yahoo.com and did an SSH at the same time that I
>> downloaded the Linux kernel (~20MB). It appears that most (if not all)
>> of the traffic is being placed into the high priority class (queue?
>> don't really know the difference yet) 10:. Isn't it supposed to go to
>> 20: if it's not SSH or ICMP or ACK packets? Here are the ping times
>> from Yahoo! while doing the kernel download:
>>
>
> tcpdump a bit - it may be that squid is misbehaving and giving its traffic
> 'minimum delay' TOS!
>
> tcpdump -n -v -v
>
> Regards,
>
> bert

--
Jason A. Pattie
pattieja@pcxperience.com
Where in the output of tcpdump does the TOS field appear? I did the 'tcpdump -n -v -v' on the firewall and dumped the output to a file as I started the Linux kernel download. Is it appropriate to attach the output (I stopped it after around 250 packets)?

bert hubert wrote:
> On Wed, Jan 02, 2002 at 10:20:03AM -0600, Jason A. Pattie wrote:
>
>> I think I have an issue with the Wonder Shaper script. I set up my
>> firewall to use the Wonder Shaper script with HTB (instead of CBQ). My
>> firewall has Squid running in transparent proxy mode, but I set up my
>> browser to point to port 3128 (default Squid port). I ran a ping
>> session to www.yahoo.com and did an SSH at the same time that I
>> downloaded the Linux kernel (~20MB). It appears that most (if not all)
>> of the traffic is being placed into the high priority class (queue?
>> don't really know the difference yet) 10:. Isn't it supposed to go to
>> 20: if it's not SSH or ICMP or ACK packets? Here are the ping times
>> from Yahoo! while doing the kernel download:
>>
>
> tcpdump a bit - it may be that squid is misbehaving and giving its traffic
> 'minimum delay' TOS!
>
> tcpdump -n -v -v
>
> Regards,
>
> bert

--
Jason A. Pattie
pattieja@pcxperience.com
On Wed, Jan 02, 2002 at 12:04:28PM -0600, Jason A. Pattie wrote:
> Where in the output of tcpdump does the TOS field appear? I did the
> 'tcpdump -n -v -v' on the firewall and dumped the output to a file as I
> started the Linux kernel download. Is it appropriate to attach the
> output (I stopped it after around 250 packets)?

In the version I have of tcpdump, TOS only shows up when it's set to something special.

--
Michael T. Babcock
CTO, FibreSpeed Ltd. (Hosting, Security, Consultation, Database, etc)
http://www.fibrespeed.net/~mbabcock/
Found the TOS field was being set to 0x10 for "ftp" traffic and 0x08 for "http" traffic. What significance does that play? And it is either being done by Squid or by Mozilla, don't know how to tell which, though.

Michael T. Babcock wrote:
> On Wed, Jan 02, 2002 at 12:04:28PM -0600, Jason A. Pattie wrote:
>
>> Where in the output of tcpdump does the TOS field appear? I did the
>> 'tcpdump -n -v -v' on the firewall and dumped the output to a file as I
>> started the Linux kernel download. Is it appropriate to attach the
>> output (I stopped it after around 250 packets)?
>>
>
> In the version I have of tcpdump, TOS only shows up when it's set to
> something special.

--
Jason A. Pattie
pattieja@pcxperience.com
So then is there a way to modify the packet on the way out of squid to force it to be the TOS we want that will cause it to go to 20: instead of 10:? Maybe modification of squid is in order, to keep it from changing the TOS field? (We have the source! :) )

Or is there some other way to make it so that SSH traffic itself is bumped to higher priority than just the generic 0x10 TOS packets? Maybe match on destination or source port 22?

Dhaval Patel wrote:
> I could be wrong, it's been some time since I did this, but I think that 0x10 is
> for quick response time, 0x08 is for high throughput, 0x04 is for a more
> guaranteed service or something like that.
>
> hope this helps.
>
> "Jason A. Pattie" <pattieja@pcxperience.com> said:
>
>> Found the TOS field was being set to 0x10 for "ftp" traffic and 0x08 for
>> "http" traffic. What significance does that play? And it is either
>> being done by Squid or by Mozilla, don't know how to tell which, though.
>>
>> Michael T. Babcock wrote:
>>
>>> On Wed, Jan 02, 2002 at 12:04:28PM -0600, Jason A. Pattie wrote:
>>>
>>>> Where in the output of tcpdump does the TOS field appear? I did the
>>>> 'tcpdump -n -v -v' on the firewall and dumped the output to a file as I
>>>> started the Linux kernel download. Is it appropriate to attach the
>>>> output (I stopped it after around 250 packets)?
>>>>
>>> In the version I have of tcpdump, TOS only shows up when it's set to
>>> something special.
>>>
>> --
>> Jason A. Pattie
>> pattieja@pcxperience.com
>>
>> _______________________________________________
>> LARTC mailing list / LARTC@mailman.ds9a.nl
>> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/lartc/
>>
>

--
Jason A. Pattie
pattieja@pcxperience.com
You can have your firewall set the TOS for ftp to something like 0x08 and keep only low bandwidth, high priority things like ssh as 0x10.

"Jason A. Pattie" <pattieja@pcxperience.com> said:
> So then is there a way to modify the packet on the way out of squid to
> force it to be the TOS we want that will cause it to go to 20: instead
> of 10:? Maybe modification of squid is in order, to keep it from
> changing the TOS field? (We have the source! :) )
>
> Or is there some other way to make it so that SSH traffic itself is
> bumped to higher priority than just the generic 0x10 TOS packets? Maybe
> match on destination or source port 22?
>
> Dhaval Patel wrote:
>
>> I could be wrong, it's been some time since I did this, but I think that 0x10 is
>> for quick response time, 0x08 is for high throughput, 0x04 is for a more
>> guaranteed service or something like that.
>>
>> hope this helps.
>>
>> "Jason A. Pattie" <pattieja@pcxperience.com> said:
>>
>>> Found the TOS field was being set to 0x10 for "ftp" traffic and 0x08 for
>>> "http" traffic. What significance does that play? And it is either
>>> being done by Squid or by Mozilla, don't know how to tell which, though.
>>>
>>> Michael T. Babcock wrote:
>>>
>>>> On Wed, Jan 02, 2002 at 12:04:28PM -0600, Jason A. Pattie wrote:
>>>>
>>>>> Where in the output of tcpdump does the TOS field appear? I did the
>>>>> 'tcpdump -n -v -v' on the firewall and dumped the output to a file as I
>>>>> started the Linux kernel download. Is it appropriate to attach the
>>>>> output (I stopped it after around 250 packets)?
>>>>>
>>>> In the version I have of tcpdump, TOS only shows up when it's set to
>>>> something special.
>>>>
>>> --
>>> Jason A. Pattie
>>> pattieja@pcxperience.com
>>>
>>
>
> --
> Jason A. Pattie
> pattieja@pcxperience.com
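The thread ends with two things worth pinning down: what the TOS values 0x10 and 0x08 that tcpdump showed actually mean, and why remarking bulk flows on the firewall (as suggested above) moves them from 10: to 20: without touching Squid. The block below is an added example and not code from the thread or from the Wonder Shaper script. It decodes the RFC 1349 TOS bits, models the order of the shaper's classification filters as a plain function (TOS 0x10 first, then ICMP, then small pure ACKs, everything else to the htb default 20:), and applies a mangle step that sets bulk ports to maximize-throughput and keeps only port 22 at minimize-delay. The class handles 10:/20: are the thread's; the bulk port set, the flow records, the 64-byte ACK cut-off and the iptables lines in the comments are assumptions to adapt to the real box.

```python
"""Why Squid's TOS marks put a bulk download into the interactive class.

Added example (not the thread's or wondershaper's code): decode the TOS
byte tcpdump reports, replay the shaper's filter order as a function,
and show the effect of remarking bulk flows before classification.
"""

# RFC 1349 TOS bits, the values tcpdump -v prints as "tos 0x.."
TOS_BITS = {
    0x10: "minimize-delay",
    0x08: "maximize-throughput",
    0x04: "maximize-reliability",
    0x02: "minimize-cost",
}
TOS_MASK = 0x1E  # the four TOS bits; precedence bits (0xE0) are left alone


def decode_tos(tos):
    """Names of the TOS bits set in the byte, or ['normal'] when none are."""
    return [name for bit, name in TOS_BITS.items() if tos & bit] or ["normal"]


def wondershaper_class(flow):
    """Modelled filter order on the uplink, first match wins (assumed)."""
    if flow["tos"] == 0x10:                      # tos 0x10 0xff -> interactive
        return "10:"
    if flow["proto"] == "icmp":                  # ip protocol 1 -> interactive
        return "10:"
    if (flow["proto"] == "tcp" and flow["flags"] == {"ACK"}
            and flow["len"] <= 64):              # small pure ACKs -> interactive
        return "10:"
    return "20:"                                 # htb default 20 -> bulk


# Assumed bulk services behind the proxy: ftp control/data, http, squid.
BULK_PORTS = {20, 21, 80, 3128}


def rewrite_tos(flow):
    """Mangle step: bulk flows get 0x08, ssh gets 0x10, others untouched.

    Models firewall rules of the form (chain and matches are assumptions):
      iptables -t mangle -A OUTPUT -p tcp --dport 21 -j TOS --set-tos 0x08
      iptables -t mangle -A OUTPUT -p tcp --dport 22 -j TOS --set-tos 0x10
    The input flow is not modified; a remarked copy is returned."""
    f = dict(flow)
    if f["proto"] != "tcp":
        return f
    ports = {f["sport"], f["dport"]}
    if ports & BULK_PORTS:
        f["tos"] = (f["tos"] & ~TOS_MASK) | 0x08
    elif 22 in ports:
        f["tos"] = (f["tos"] & ~TOS_MASK) | 0x10
    return f


def fixed_class(flow):
    """Class the flow lands in once the mangle step runs before the filters."""
    return wondershaper_class(rewrite_tos(flow))


def _flow(proto, sport, dport, tos, length, flags=()):
    return {"proto": proto, "sport": sport, "dport": dport,
            "tos": tos, "len": length, "flags": set(flags)}


# Constructed flows shaped like what the thread saw leaving the firewall.
FTP_DATA = _flow("tcp", 1045, 21, 0x10, 1500, {"ACK", "PSH"})  # Squid-marked 0x10
HTTP_DATA = _flow("tcp", 1046, 80, 0x08, 1500, {"ACK", "PSH"})
SSH_KEYS = _flow("tcp", 1047, 22, 0x10, 92, {"ACK", "PSH"})
PING = _flow("icmp", 0, 0, 0x00, 84)
FTP_ACK = _flow("tcp", 1045, 21, 0x10, 52, {"ACK"})


def compare(flows):
    """{name: (class before the fix, class after the fix)}."""
    return {name: (wondershaper_class(f), fixed_class(f))
            for name, f in flows.items()}


if __name__ == "__main__":
    sample = {"ftp": FTP_DATA, "http": HTTP_DATA, "ssh": SSH_KEYS,
              "ping": PING, "ftp-ack": FTP_ACK}
    for name, (before, after) in compare(sample).items():
        tos = decode_tos(sample[name]["tos"])
        print(f"{name:8s} tos={tos} before={before} after={after}")
```

The ftp data flow is the one that illustrates the bug report: marked 0x10 by the proxy it matches the first filter and goes to 10:, remarked to 0x08 it falls through to 20:, while ssh stays at 10: and the small ftp ACKs still reach 10: through the ACK filter, which is what keeps the download itself flowing.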