This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Losing connection

0

I have a very large capture of a server losing connection from the network for a second once a day, but everything is working fine from that point according to the user. Took a large capture of the communication, and I copy and paste a few lines here. I see the same dup ack and then a retransmission. I looked at the dup ack number which all point back to 445056 frame and the retransmission give a reason of unknown packet type. What does that mean, can some explain that to me please? And what is going on with the retransmission? I checked my network from end to end an no problems were found on the wire.

Thanks for the help in advance.

445056  839.680751089   0.000004609 10.97.17.12 10.97.2.123 TDS 762 [TCP Previous segment not captured] Unknown Packet Type: 108 (Not last buffer)[Unreassembled Packet]

445078  839.683686190   0.000093960 10.97.2.123 10.97.17.12 TCP 68  [TCP Dup ACK 445065#1] 49563 > ms-sql-s [ACK] Seq=819300 Ack=129873434 Win=64240 Len=0
445080  839.683761089   0.000042029 10.97.2.123 10.97.17.12 TCP 68  [TCP Dup ACK 445065#3] 49563 > ms-sql-s [ACK] Seq=819300 Ack=129873434 Win=64240 Len=0
445081  839.683798120   0.000037031 10.97.2.123 10.97.17.12 TCP 68  [TCP Dup ACK 445065#4] 49563 > ms-sql-s [ACK] Seq=819300 Ack=129873434 Win=64240 Len=0
445083  839.683858510   0.000032081 10.97.2.123 10.97.17.12 TCP 68  [TCP Dup ACK 445065#6] 49563 > ms-sql-s [ACK] Seq=819300 Ack=129873434 Win=64240 Len=0
445090  839.684140370   0.000060241 10.97.17.12 10.97.2.123 TDS 1522    [TCP Fast Retransmission] Unknown Packet Type: 108 (Not last buffer)[Unreassembled Packet]

asked 14 Apr ‘13, 22:22

Ernest%20Johnson's gravatar image

Ernest Johnson
266612
accept rate: 0%

edited 15 Apr ‘13, 01:19

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237

a server losing connection from the network for a second once a day

by ‘losing connection’, what do you actually mean? Lost packets or a lost connection (FIN, RST, etc.)?

(15 Apr ‘13, 00:56) Kurt Knochner ♦

Thanks Kurt I thanks I got the answers there or not FIN RST just a lot of what just a lot of unknown packets and after a while it would retransmit the unknown packet. But Jasper answered it for me it is a database Protocol to WS can’t interpret

Thanks

(15 Apr ‘13, 07:34) Ernest Johnson

O.K.

BTW: did you read my answer? It’s a possible explanation for the Retransmits.

(15 Apr ‘13, 07:47) Kurt Knochner ♦

yes it helped

(15 Apr ‘13, 09:41) Ernest Johnson

2 Answers:

1

"Unknown packet type" means that Wireshark could not decode it any further, which (in my experience) happens a lot if Wireshark thinks that the content is a database protocol and cannot interpret it.

The retransmission doesn't look special and comes in as expected without much time loss, so I doubt that you have a problem there. Packet loss is normal in every network; it just should not be excessive.

answered 15 Apr '13, 01:08

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

which (in my experience) happens a lot if Wireshark thinks that the content is a database protocol and cannot interpret it.

That's right. The only file where the string "Unknown Packet Type:" appears in the code is packet-tds.c, which is the dissector for TDS, a protocol used by MS SQL Server.

(15 Apr '13, 01:28) Kurt Knochner ♦

Thanks Jasper looking at the the full trace, there are the Unknown packet types # and after about 6 dup ack for the same number it would retransmit for the packet.

(15 Apr '13, 07:39) Ernest Johnson

1

a server losing connection from the network for a second once a day

If you mean lost packets, this could be totally normal, as @Jasper said.

One of these 'normal processes' may be an ARP table refresh. See my answer to the following question:

http://ask.wireshark.org/questions/12655/why-causes-arp-request-a-tcp-previous-segment-lost

Your one second connection loss, may be caused by an ARP table refresh. Do you see ARP packets for the involved systems (client, server, router) during that one second period?

Regards
Kurt

answered 15 Apr '13, 01:13

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%