Hi,

When I'm looking at the expert info in a capture, I see these messages:

ACKed lost segment (common at capture start)
previous segment lost (common at capture start)

I'm running WS 1.4.9 on a VM server. The throughput on the interface is avg. 45.8 Mbits/sec for a 5 minute period. Am I running into an issue with the interface because Wireshark is not talking directly to it?

asked 27 Apr '12, 10:47 Rayzorx
One Answer:
What you're seeing is that Wireshark has come across acknowledgments for packets that it hasn't captured. That can happen at the beginning of a trace file if a conversation has already started (which is quite common), or - and that can be problematic sometimes - it is due to the fact that Wireshark dropped packets.

Dropped packets are packets that have been transferred and were seen by the network card Wireshark captures on, but it didn't pick them up. Usually the reason is that the write-to-disk speed isn't high enough to cope with the amount of data that has to be captured and written to file. In a VM environment it is more likely to happen than on a single box environment since the write commands have to share bandwidth with the other VMs that are living on the same storage.

I guess especially when you're saying you're having 45.8 MBit/s for 5 minutes that there were bursts with much higher speeds that got averaged into a less eyebrow-raising speed.

answered 27 Apr '12, 14:22 Jasper
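How a capture-side drop leads to the two expert messages quoted in the question, as an added example that is not part of the original posts and is not Wireshark's own analysis code: a simplified per-direction sequence tracker run over a constructed segment list. The `Seg` tuple, the `analyze` function, the host names and all sequence numbers are assumptions made for illustration.

```python
from collections import namedtuple

# One captured TCP segment (relative sequence numbers, as Wireshark displays them).
Seg = namedtuple("Seg", "frame src dst seq length ack")

def analyze(segments):
    """Return (frame, message) findings; a simplified model, not Wireshark's logic."""
    next_seq = {}   # (src, dst) -> next sequence number expected in that direction
    findings = []
    for s in segments:
        fwd, rev = (s.src, s.dst), (s.dst, s.src)
        # Gap in this direction: bytes between next_seq and s.seq were never captured.
        if fwd in next_seq and s.seq > next_seq[fwd]:
            findings.append((s.frame, "previous segment lost"))
        # The ACK covers bytes the capture never saw going the other way.
        if rev in next_seq and s.ack > next_seq[rev]:
            findings.append((s.frame, "ACKed lost segment"))
            next_seq[rev] = s.ack  # resync so the same gap is reported once
        next_seq[fwd] = max(next_seq.get(fwd, 0), s.seq + s.length)
    return findings

# Constructed capture: the sender really sent seq=201 and seq=401, and the
# receiver got them, but the capture host dropped both frames.
CAPTURE = [
    Seg(1, "client", "server",   1, 100,   1),
    Seg(2, "server", "client",   1,   0, 101),
    Seg(3, "client", "server", 101, 100,   1),
    # seq=201 len=100 missing from the capture
    Seg(4, "server", "client",   1,   0, 301),  # acknowledges the unseen bytes
    Seg(5, "client", "server", 301, 100,   1),
    # seq=401 len=100 missing from the capture
    Seg(6, "client", "server", 501, 100,   1),  # sequence jumps past the hole
    Seg(7, "server", "client",   1,   0, 601),
]

if __name__ == "__main__":
    for frame, message in analyze(CAPTURE):
        print(f"frame {frame}: {message}")
```

Neither finding is followed by a retransmission in this capture, which is what separates packets the capture missed from packets actually lost on the network.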