Dynatrace is showing that an interface on a monitored server is hitting as high as 20% retransmissions under less than 50% load. When I get a packet capture during this period and review it in Wireshark there are less than 1% retransmissions. Trying to understand the difference. Only thought I have is when SACK is enabled Dynatrace might be counting such packets as retransmissions because the ACK stays the same when SLE and SRE are changing. Appreciate any comments/thoughts.
If you are seeing what you describe in Wireshark, then it seems an interesting observation. I would check the output of some of the system commands described in the following two links, for further information on how retransmissions are collected in Dynatrace:
I also noticed that Dynatrace shows retransmissions as host and process retransmissions. In the case I have, host retransmissions are shown as about 2% but process retransmissions are shown as 14%. I don't understand this difference. During a 5 second interval, the packet capture shows 179,000 packets with 439 retransmissions and 7100 duplicate ACKs (most with SLE and SRE). This results in a .2% retransmission rate. If I include the dup ACKs, the rate is 4.1%.
What is host retransmission vs process retransmission?
@Al C., I get it, your problem is with the process values. Are these Windows servers?
In any case, I would suggest that you open a support ticket on this, as you have additional data. If these are really Windows servers, it seems to me that it might be related to an issue I dealt with support and should be tackled this quarter. You can eventually tell them that you have had this conversation here, and that I have told you that it might be possibly related to the issue in SUP-49516. Might accelerate some things...
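The distinction raised in this thread, between retransmitted data segments and duplicate ACKs whose SLE/SRE change while the ACK number stays the same, can be checked against a capture with a small classifier. This is an added example, not code from any poster, Dynatrace or Wireshark; the `Seg` record, the sample capture and the simplified heuristic (single flow, no sequence wraparound, window size ignored) are all assumptions made for illustration.

```python
from collections import namedtuple

# One captured TCP segment. sack holds (SLE, SRE) pairs. All values constructed.
Seg = namedtuple("Seg", "src seq ack length sack")

def data(seq):            # 1000-byte data segment from sender "A"
    return Seg("A", seq, 1, 1000, ())

def ack(num, *sack):      # zero-length ACK from receiver "B"
    return Seg("B", 1, num, 0, sack)

# Constructed capture taken at the sender: segment 2001 is lost in transit,
# so B repeats ACK 2001 while its SACK block grows, then A resends 2001.
SAMPLE = [
    data(1), ack(1001), data(1001), ack(2001),
    data(2001), data(3001), ack(2001, (3001, 4001)),
    data(4001), ack(2001, (3001, 5001)),
    data(5001), ack(2001, (3001, 6001)),
    data(2001), ack(6001), data(6001), ack(7001),
]

def classify(segments):
    """Count retransmitted data segments and duplicate ACKs (simplified heuristic)."""
    highest_end, last_ack = {}, {}
    retrans = dup_acks = dup_acks_sack = 0
    for s in segments:
        if s.length > 0:
            end = s.seq + s.length
            if end <= highest_end.get(s.src, 0):
                retrans += 1              # these bytes were already sent once
            highest_end[s.src] = max(highest_end.get(s.src, 0), end)
        else:
            if last_ack.get(s.src) == s.ack:
                dup_acks += 1             # same ACK number, no new data acknowledged
                dup_acks_sack += bool(s.sack)
            last_ack[s.src] = s.ack
    return retrans, dup_acks, dup_acks_sack

def rates(segments):
    """Percent of packets flagged, without and with duplicate ACKs counted."""
    retrans, dup_acks, _ = classify(segments)
    total = len(segments)
    return (round(100 * retrans / total, 1),
            round(100 * (retrans + dup_acks) / total, 1))

if __name__ == "__main__":
    print(classify(SAMPLE), rates(SAMPLE))
```

On the constructed sample a single lost segment produces one retransmission but three duplicate ACKs, so a counter that includes the duplicate ACKs reports a rate several times higher than one that counts only resent data.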