Rogue Packets

SLAC Home Page

IEPM has been tracking anomolous ping reports since October of 1998, initially to track down reports of negative packet loss and later to monitor out of order packets, which we expect will greatly affect performance of VoIP applications.

Negative Packet Loss

Occassionally a pingtable report indicates a negative packet loss, that is more packets were received than sent. It is possible for a router to duplicate packets and for both to be received by the end node, but a majority of the time the packet gain we observe is due to what we have dubbed "rogue" packets. In all cases 10 pings are sent to a remote site, but somehow the replies from this pings get mixed with replies from another site. In all cases the other site is (a node at ). The pings to the site were sent out earlier and one or more were presumed lost. When the packets were being counted in from the intended remote site, one of these rogue packets returned, and ping stops counting when it receives ten packets back, but it only counts the packets from the intended remote site in the packets sent, so some number less than 10 are sent but 10 are received hence the packet loss is reported as negative.

Between October 29 1998 and Jun 23 1998, there were 130 incidents to 93 separate intended remote sites where negative packet loss was reported. The graphs show the rogue time as they occured chronologically, and in ascending order. The maximum rogue time is 94309 ms (94039 is also SLAC's zip code !)

Rogue Time
Rogue Ordered

Out of Order Packets

Between Dec 8 and Jul 8 (7 months) we observed 1374 samples of probes containing out-of-order packets, that is the icmp_seq numbers were not received in the order they were sent.

Several sites are associated with this more than others:

pings between slac and ( resulted in out of order packets 998 times. 84 times ( 29 times ( 22 times

Back to top

Revised 30 June 1999
Comments to