This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

TCP analysis

0

Hi all,

Could anyone please explain the difference between "tcp.analysis.lost_segment" and "tcp.analysis.ack_lost_segment"? My goal is to do some counting of the percentage of lost packets during TCP communication. Or, if you have any better idea how to do this.

Thank you VERY MUCH,

radim

asked 09 Apr '13, 10:16

radim0574


One Answer:

1

"tcp.analysis.lost_segment" is a message that tells you that Wireshark has seen a gap in the sequence numbers of a conversation. That usually indicates either a lost packet or an out-of-order arrival, which means it is not always a critical thing.

"tcp.analysis.ack_lost_segment" means that Wireshark has seen an acknowledgement number for a sequence number that it hasn't seen, so basically you have a confirmation that some data arrived at the receiver while Wireshark hasn't seen that data itself.

answered 09 Apr '13, 10:20

Jasper ♦♦

Thank you very much, it looks like it doesn't solve my problem. Do you know the best way to count dropped packets on my TCP communication? I'm finishing my bachelor thesis and got stuck with that. I'm a bit confused with the "analysis" filters. I need to compare how many packets were dropped in various communications.

thank you,

radim

(09 Apr '13, 10:38) radim0574

Dropped packets are not easy to track unless you are certain that your capture didn't miss any packet while recording the conversation. Since you mentioned "tcp.analysis.ack_lost_segment" I guess that you had that kind of symptom in your trace, which would mean that your capture did in fact miss packets that were transmitted.

The only solid way of counting dropped conversation packets (meaning that the packet didn't get through to the receiver and had to be retransmitted) is by looking for lost segments that are followed by matching retransmissions AND by making sure that they are not just out-of-orders. Deciding what retransmission is a real retransmission and what is an out-of-order needs to be done by comparing retransmission delay to round trip time, and can be difficult and/or tedious.

(09 Apr '13, 10:46) Jasper ♦♦

OK, I do my counting on a wireless network. What if I included ALL retransmitted packets in my counting, meaning it doesn't matter if it's out-of-order or not being received by the receiver. Does it make sense to you? The thing is I need to compare SOME values between different TCP variants (e.g. TCP Cubic, TCP Vegas, TCP Illinois etc.).

(09 Apr '13, 11:00) radim0574

Out-of-orders are not lost packets, so if you want to determine real packet loss you must sort out-of-orders out. It depends on your goal basically - if someone asks you about drops vs. out-of-orders you should have an explanation of how they're related and what you did when you counted them.

(09 Apr '13, 11:05) Jasper ♦♦

Thank you, it looks like you're a network professional. Could it be possible to have a chat, e.g. on Skype? I'm in a huge press with the thesis and would appreciate ANY help from some professional.

thank you very much,

radim

(09 Apr '13, 11:10) radim0574

I could offer ICQ or MSN if you want.

(09 Apr '13, 11:21) Jasper ♦♦

OK, I understand, so would there be any other way to get in touch with you?

thank you in advance,

radim

(09 Apr '13, 11:36) radim0574

Well, email should work, jasper [at] packet-foo.com.

(09 Apr '13, 11:37) Jasper ♦♦

OK, I understand, please, could there be any other way to get in touch with you? I wouldn't take up much of your time. That's my last measurement, and I'm completely lost in that.

Thank you in advance,

radim

(09 Apr '13, 11:40) radim0574

If you mean voice chat, I don't have that since there's no microphone connected to my PC at the moment.

(09 Apr '13, 11:43) Jasper ♦♦

Sorry, somehow I didn't see your previous comments, I've just sent you an email.

radim

(09 Apr '13, 11:43) radim0574
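
Added example (not part of the original thread, and not Wireshark's own analysis code): a simplified sketch of the counting approach described in the comment above, where a sequence gap that is filled later counts as a loss only if the fill arrives at least one round trip time after the gap appeared. The names `Seg`, `classify` and `loss_percent` are hypothetical; it assumes the data segments of one direction of one connection, relative sequence numbers without wrap-around, a known RTT, and a capture taken on the receiver side.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass
class Seg:
    t: float      # capture timestamp in seconds
    seq: int      # relative sequence number (wrap-around not handled)
    length: int   # TCP payload bytes

def classify(segments, rtt):
    """Label the data segments of one direction of one TCP connection."""
    highest = 0   # next sequence number expected in order
    gaps = {}     # start of a missing range -> (end, time the gap appeared)
    labels = []
    for s in segments:
        if s.seq >= highest:
            if s.seq > highest:            # hole in the sequence space
                gaps[highest] = (s.seq, s.t)
            highest = s.seq + s.length
            labels.append("in_order")
        elif s.seq in gaps:                # assumes fills start at the hole's left edge
            end, noticed = gaps.pop(s.seq)
            if s.seq + s.length < end:     # only part of the hole was filled
                gaps[s.seq + s.length] = (end, noticed)
            # A reordered segment shows up sooner than the sender could have
            # reacted; a real retransmission needs at least about one RTT.
            late = s.t - noticed
            labels.append("out_of_order" if late < rtt else "retransmission")
        else:
            labels.append("duplicate")     # data the capture already contains
    return labels

def loss_percent(segments, rtt):
    lost = Counter(classify(segments, rtt))["retransmission"]
    # Receiver-side view: segments sent = segments captured + segments lost.
    return 100.0 * lost / (len(segments) + lost)

# Constructed sample: 100-byte segments, RTT of 50 ms.
SAMPLE = [
    Seg(0.000, 0, 100),
    Seg(0.001, 200, 100),   # gap 100..200 opens
    Seg(0.002, 100, 100),   # filled after 1 ms: reordered
    Seg(0.003, 300, 100),
    Seg(0.004, 500, 100),   # gap 400..500 opens
    Seg(0.005, 600, 100),
    Seg(0.070, 400, 100),   # filled after 66 ms: retransmitted
    Seg(0.071, 600, 100),   # already captured
]
```

Running `classify` per TCP variant with the same RTT rule gives comparable counts, and keeping the `out_of_order` and `duplicate` totals alongside the loss figure documents how they were separated.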