This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

ACKed lost segment (common at capture start)

0

Hi,

When I'm looking at the expert info in a capture<I see these messages: ACKed lost segment (common at capture start) previous segment lost (common at capture start)

I'm running WS 1.4.9 on a VM server. The through put on the interface is avg. 45.8 Mbits/sec for a 5 minute period. Am I running into and issue with the interface because wireshark is not talking directly to it?

asked 27 Apr '12, 10:47

Rayzorx's gravatar image

Rayzorx
1111
accept rate: 0%


One Answer:

0

What you're seeing is that Wireshark has come across acknowledges for packets that it hasn't captured. That can happen at the beginning of a trace file if a conversation has already started (which is quite common), or - and that can be problematic sometimes - it is due to the fact that Wireshark dropped packets.

Dropped packets are packets that have been transfered and were seen by the network card Wireshark captures on, but it didn't pick it up. Usually the reason is that the write-to-disk speed isn't high enough to cope with the amount of data that has to be captured and written to file. In a VM environment it is more likely to happen than on a single box environment since the write commands have to share bandwidth with the other VMs that are living on the same storage. I guess especially when you're saying you're having 45.8 MBit/s for 5 minutes that there were bursts with much higher speeds that got averaged into a less eyebrow-raising speed.

answered 27 Apr '12, 14:22

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%