I recently inherited a large airport network and I'm performing Wireshark analysis to get a feel for what is being transmitted. I'm seeing a lot of Dup Acks, TCP Retransmits and Reassembling. The trace that I will post was between two computers performing a simple file transfer. The two computers are attached to the same Cisco switch, are members of the same VLAN and are in the same building. I'm seeing no errors or dropped packets when I look at the switchport. Do I have a network issue, or is it the configuration of Wireshark? Thanks
asked 02 Aug '12, 09:30
First of all... almost 400MB of trace file is not exactly a good thing to post, because you can't expect anyone to take a look at that much data in detail. You should reduce trace files to a size that shows your problem in as few packets as possible, so people will be more willing to spend their time to help you.
And yes, it looks like you have a problem with lost frames that trigger fast retransmissions. The lost frames are not the real problem, because they tend to happen in any network. Unfortunately you did not capture the three-way handshake, but I guess your PCs are using window scaling and quite large receive windows. Because of that, when a frame gets lost, it takes a while to retransmit since the sender is pushing out tons of packets due to the large window, and so the retransmission comes in late after a ton of duplicate acks. This is quite a common thing to see these days, especially since Windows Vista/7/2008/2008R2.
See @landi's Sharkfest talk "A-18: Effects of Receiver-Side Window Scaling on Enterprise Networks" at http://sharkfest.wireshark.org/sharkfest.12/index.html
answered 02 Aug '12, 11:27
edited 02 Aug '12, 11:29
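An added example, not part of the original answer or the poster's trace: a small Python routine that, for each retransmitted segment in one connection, counts the duplicate ACKs that preceded it and how long the retransmission took to appear. The names `Seg`, `loss_recovery_events` and `constructed_trace`, the hosts "A" and "B", and the sample packets are all constructed for illustration; it assumes relative sequence numbers without wraparound and ignores SACK and window updates.

```python
from collections import namedtuple

# One captured TCP segment of a single connection; t_us is capture time in microseconds.
Seg = namedtuple("Seg", "t_us src seq length ack")

def loss_recovery_events(segments, sender, receiver):
    """Per retransmitted segment: duplicate ACKs seen first and time until it arrived."""
    highest_end = 0   # highest sequence number the sender's data has reached
    last_ack = None   # previous ACK number from the receiver
    dup = {}          # ack number -> [duplicate count, time of first duplicate]
    events = []
    for s in segments:
        if s.src == receiver and s.length == 0:
            if s.ack == last_ack:                       # same ACK again: a duplicate
                dup.setdefault(s.ack, [0, s.t_us])[0] += 1
            last_ack = s.ack
        elif s.src == sender and s.length > 0:
            end = s.seq + s.length
            if end <= highest_end and s.seq in dup:     # old data the receiver asked for
                count, first = dup.pop(s.seq)
                events.append({"seq": s.seq, "dup_acks": count,
                               "recovery_us": s.t_us - first})
            highest_end = max(highest_end, end)
    return events

def constructed_trace(in_flight, mss=1460, step_us=100):
    """Constructed receiver-side capture: segment 1 is lost, in_flight segments follow it."""
    t = iter(range(0, 10**9, step_us))
    trace = [Seg(next(t), "A", 0, mss, 1), Seg(next(t), "B", 1, 0, mss)]
    for i in range(2, 2 + in_flight):
        trace.append(Seg(next(t), "A", i * mss, mss, 1))
        trace.append(Seg(next(t), "B", 1, 0, mss))      # receiver still asks for seq=mss
    trace.append(Seg(next(t), "A", mss, mss, 1))        # the retransmission
    trace.append(Seg(next(t), "B", 1, 0, (2 + in_flight) * mss))
    return trace

if __name__ == "__main__":
    for n in (44, 700):   # constructed counts: small window vs. large scaled window
        print(n, loss_recovery_events(constructed_trace(n), "A", "B"))
```

In the constructed data the number of duplicate ACKs equals the number of segments already in flight behind the lost one, which is why a larger window shows a longer run of them before the retransmission.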