TCP Trace Analysis for NFS

August 23rd, 2013

How do we know where latency comes from when  there is a disparity in reported I/O latency on  the I/O subsystem and that of the latency reported on the  client box requesting the I/O.

For example if I have an Oracle database requesting I/O  and Oracle says an 8Kb request takes 50 ms yet the I/O storage subsystem says 8Kb I/Os are taking 1ms (averages) , then where does the 49  extra ms come from?

When the I/O subsystem is connected to Oracle via NFS  then there are a lot of layers that could be causing the extra latency.

Screen Shot 2013-08-23 at 1.35.20 PM

Where does the difference in latency come from between NFS Server and Oracle’s timing of pread?

One strategy is to take tcp traces on NFS server and NFS client  (the Oracle Host) at the same time, during a period of load that shows the disparity.

The two trace files can then be analyzed to show latency at each side and the delta of latency between packets found in both traces


Files Required


Parsing script is ( thanks to Matt Amdur from Delphix for the  core code)

The script requires access to  tethereal command which comes with the wireshark install on LINUX:

      yum install wireshark

Example situation


For example in the following table stats were collected on the NFS server   (running Open Solaris) with DTrace and on the Oracle database using  The stats show the average latency for 8Kb read requests

Avg latency of 8Kb reads measured in ms

NFS Server Oracle
30.2 126.15
24.4 103.91
21.9 117.33
23.7 96.46
32 78.43
25.5 91.94

There is a substantial difference between the latency seen by NFS server and the latency seen by Oracle. Where is the latency coming from? Is it a problem on the NFS server, the NFS client or the network? How do we find out? One strategy is to collect TCP dumps on the NFS client and NFS server and compare them.

Setup problem situation

First, set up a situation where there is a load running on the database and there is a discrepancy between latency on NFS server and as seen by Oracle. During this period of latency discrepancy collect TCP traces. The traces will be large, so run them for 20 second for example, to limit the size.


Collecting TCP dumps

TCP dumps can be collected on Linux with tcpdump or  on Solaris with snoop:

NFS server (Solaris NFS server example)

snoop -q -d aggr0 -s 512 -o nfs_server.cap
  • -d : device
  • -o : output file, give “.cap” extension to be recognized automatically by wireshark
  • -s : amount of packet to keep

NFS client host is the IP at the end of the command line

Linux (linux client example)

tcpdump -s 512  host -w nfs_client.cap
  • -s : amount of packet to keep
  • -w : output file, give “.cap” extension to be recognized automatically by wireshark
  • host : IP of NFS server

Analyzing the Traces


The trace files can be analyzed on a linux machine with wireshark installed and with the script  on the two traces.

$ ./ nfs_server.cap nfs_client.cap
 ==================== RAW DATA ============

Parsing NFS server trace: nfs_server.cap
type       avg ms count
   READ : 18.10,  12493  
  WRITE : 30.08,   4918   

Parsing NFS client trace: nfs_client.cap
type       avg ms count  
   READ : 18.74,  25974 
  WRITE : 30.05,  10197   

 ==================== MATCHED DATA  ============

type       avg ms 
nfs server: 18.12
nfs_client: 19.26
     diff :  1.14 
Processed 14010 packets (Matched: 11964 Missed: 2046)

type       avg ms  
 server : 30.86    
 client : 31.83
   diff :  0.96 
Processed 5806 packets (Matched: 4391 Missed: 1415)

The script will find the average latency for reads and writes on both ends and then try to match the packets found both at the client and server and report the average latency for reads and writes on the packets that match.
In the above output the read time on on the NFS client receiving end is on par with what is seen on NFS server.
Thus if the receive time on the NFS client host is on par with the NFS server and Oracle latency is much greater than the receive time, then there looks to be some issue on the NFS client host machine such as heavy memory paging that would cause the latency seen by Oracle to be much higher than that seen by the tcp traces.


Example problem analysis


In the following 2 examples a swingbench load was run on the Oracle database on the NFS client. The database files were mounted via NFS from the NFS server. In one case the NFS client and database host was Open Solaris and in the other case it was LINUX. In both cases the Oracle database reported much slower latency than the NFS server threads.

test 1 ) Open Solaris is the NFS client

NFS Server is Open Solaris and NFS Server latency is measured with DTrace of using probes nfs start/done .

NFS client is a different machine running Open Solaris. Latency is measured from the Oracle perspective with

NFS Server Oracle
1.4 29.92
1.8 32.62
1.1 50.38
1.1 56.38
1.5 65.45
0.9 46.88
0.7 45.13
1.1 44.93
1 39.48
0.9 55.8


Test 1 TCP trace analysis

What do the tcp traces say? Tracing TCP on the NFS server side, and NFS client side indicates that the slow latencies are coming from the NFS server

 ==================== Individual HOST DATA ============
Parsing nfs server trace: nfs_server.cap
type       avg ms count   
   READ : 44.60,   7731    

Parsing client trace: client.cap
type       avg ms count    
   READ : 46.54,  15282    

 ==================== MATCHED DATA  ============
type       avg ms   
 server : 48.39,   
 client : 49.42,   
   diff :  1.03,    
Processed 9647 packets (Matched: 5624 Missed: 4023)

TEST 1 summary:

The NFS Server says it is responding with 1ms latency (from DTrace) but the TCP traces show latency more on the order of 48ms which is in alignment with what Oracle sees on the NFS client, thus the NFS server must be introducing the large latency somehow and not the client.


Test 2) LINUX NFS client

NFS Server is Open Solaris and NFS Server latency is measured with DTrace of using probes nfs start/done .

NFS client is a different machine running Linux. Latency is measured from the Oracle perspective with

NFS Server Oracle
0.1 35.73
0.1 58.9
0.1 44.88
0.1 54.43
0.1 54.57
0.1 63.92

Again we see the same stats as the first test case, ie the NFS Server says it’s latency is low and the Oracle database on the NFS client says the latency is slow

TCP trace analysis

==================== Individual HOST DATA ============
Parsing NFS server trace: nfs_server.cap
type       avg ms count   
   READ :  1.17,   9042            

Parsing client trace: client.cap
type       avg ms count    
   READ :  1.49,  21984   

==================== MATCHED DATA  ============
type       avg ms count    
 server :  1.03  
 client :  1.49
   diff :  0.46

Processed 13815 packets (Matched: 8169 Missed: 5646)
summary of test 2:

In this case the NFS Server TCP traces show fast latency as well as the NFS client TCP traces, thus the long latency times must be introduced on the client machine somehow and not the NFS Server.


Summary of test 1 and test 2

Tests are run with swingbench benchmark.
The Oracle databases are set with the parameter “filesystemio_options=SETALL” which enables direct I/O, so that all I/O requests from Oracle should be become NFS requests to NFS server.
Roughly the latency stats for 8k reads originating from the Oracle are


 Oracle on Linux  Oracle on Solaris  latency data source
 NFS Server  .1 ms   2 ms dtrace nfs:::op-read-start/op-read-done
 TCP trace NFS Server   1 ms  44 ms snoop
 TCP trace NFS Client   1.5  45 ms tcpdump on LINUX and snoop on Open Solaris
 Oracle  58 ms  47 ms “db file sequential read” wait (which is basically a timing of “pread” for 8k random reads specifically

Screen Shot 2013-08-23 at 2.09.43 PM

In the above examples there was nothing outstanding in the vmstat results on the NFS client and the NFS server.

In both cases the problem arose with high level of swingbench sessions. The latency disparity appeared above a user load of 16. The latency disparity increased as user load increased.

It turned out that in the case where the NFS server was introducing the disparity that the maximum NFS threads on the server was 16. The solution was to increase the NFS server thread max: sharectl set -p servers=512 nfs.

In the case where the LINUX client introduce the disparity it turns out that the maximum outstanding NFS requests was 16. The solution was to raise sunrpc.tcp_slot_table_entries = 128.

Screen Shot 2013-08-23 at 2.33.00 PM

The script didn’t find the answers but it did identify which side of the connection was at fault and it would identify if the network itself was the problem.

One thing to keep in mind is that snoop and tcpdump can be resource intensive and may introduce a major amount of latency. In the above cases with and without tcp tracing enabled showed no more than 1ms of difference and the latency being investigated was an order of magnitude greater. In other cases where there has been more I/O between the NFS server and client and/or the transfer sizes were higher (like 1M) then the impact of TCP tracing has eclipsed the latency disparity being investigated and  tcp tracing would not have been appropriate investigation path.


Other information

, , ,

  1. Trackbacks

  2. No trackbacks yet.

  2. mimmus
    | #1

    Hi, the test command is:
    dd if=/dev/zero of=mmm bs=1024 count=1000000

    The transfer occurs on a 10 Gbps network but it lasts +60 secs!!! On another server with same setup, it lasts 4-5 secs!
    Mount options are:
    (Oracle suggests these).

    I tested network using iperf and I can achieve almost 10 Gbps full, the bottleneck is elsewhere.

  3. khailey
    | #2

    Have you tried using netio, netsurf or iperf instead of dd?
    Have you tried bs=32768?
    A bs=1024 is small.
    if “mmm” is a location on an NFS server and
    NFS transfers are going to take around 200us on the fast side.
    and if a transfer is 1024 that is 1K then that’s 5k/ms or 5M/sec 300MB/min which is even slower than you are seeing.
    In this case I would guess there is some aggregation going on already to hit 1GB/m
    If your NFS exchanges are 12ms then the transfer sizes have to be around 200K
    So in that case why not increase your bs explicitly?

    For transfer rates it depends on the layers :
    program, dd in this case
    os, nfs client
    tcp nfs client
    nic, nfs client
    nic nfs server
    tcp nfs server
    os nfs server
    nfs on nfs server
    I/O nfs server
    you want to see which layer the time is being spent

    you are doing a dd write from nfs client to nfs server so first big question is how fast is the I/O write speed on the NFS server.
    The script on this blog post isolates latency at the nfs client tcp layer to the nfs server tcp layer
    if both those layers are slow then the problem is on the nfs server at either the nfs server os, nfs code path or I/O
    The script on this blog post doesn’t look at transfer sizes. It should for cases like this. In my case I knew the transfer sizes were 8K. In your case the transfer size has to be bigger than 1K if you are seeing 1GB/min with 12-13ms NFS exchanges.

  4. khailey
    | #3

    You can also use dd with ramdisk and/or memory mapped files to cut out the file system.

    For dd to avoid file system caching with multiple runs, on Linux you can use flags like

    dd if=/dev/zero of=toto bs=8k count=100 oflag=direct
    dd of=/dev/null if=toto bs=8k count=100 iflag=direct

  5. Sergey Fedosov
    | #4

    Good day!
    Thanks for the article. Please help with the problem.
    There is a linux server with NFS on a closed private network. Shared folder stores various documents (pdf, doc, mp4, etc.). I have to understand what documents the user opens (download). Interested in all of the packages in which there is a corresponding request from the user machines.
    For the analysis of queries wanted daily dump filtered packages, and then build statistics. The problem is that I can not understand which dump options/filters are better to use. Analysis of the dump and unload in csv planned to organize in Wireshark, also can not understand how to build the filter in it.
    In fact, it is necessary that csv store the information about the src (which came with the read request of the file), date+time, the name of the opened file.
    Faced with the fact that the packages “-s512 -vv” you can find info about the requested files, but there also goes a lot of unneeded information, the size of the dump is very large. Filenames are readable in dump file opened with a text editor, but if you open it in wireshark, you can see only extensions but the filenames are unreadable, because of non-latin Can you help with gathering needed statistics with tcpdump/wireshark?

nine − 2 =