This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

What do dropped packets look like ?

0

Im using wireshark to measure command to response times as I slam a server with high rate messaging. Every once in a while a message is an outlier duration wise. It may be just dropped packets as seen at http://cloudshark.org/captures/0995a4524824 . Thanks for inputs.

asked 26 Jan '13, 20:39

dogma's gravatar image

dogma
11114
accept rate: 0%

edited 26 Jan '13, 20:45


One Answer:

1

What you have in that trace are expert messages saying "acked unseen segment" and "previous segment not captured".

  • "acked unseen segment" is a message that basically tells you that there was an acknowledge to a data packet that you do not have in your capture, but the receiver got it. This means that your capture device was to slow to pick that data packet, you only got the ACk. Which is quite often the case because ACK packets are small (unless the ACK is piggybacked on some data) and so the chances of being captured are higher.
  • "previous segment not captured" either means that the packet was lost on the way, so neither the receiver nor the capture device got it. Or it got through to the receiver but the capture device didn't record it for performance reasons. Usually you'd have to track to the gap in the sequence numbers and check if there is a retransmission (which would indicate a packet loss, unless it is just an out-of-order - it can get very complicated :-)), or if you find an ACK to that "lost" packet you know that it was dropped by the capture device - because the receiver got it.

answered 27 Jan '13, 03:37

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%