This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Citrix server capture showing Duplicate Acks and Retransmits

0

I have a client complaining of delays in printing to a printer connected off of a Citrix server. Wireshark capture on the Citrix server shows a ton of Dup ACKs and retransmits. The Duplicate Acks appear to be happening too fast to be real. I am hoping someone can help analyze this capture: http://www.cloudshark.org/captures/2046db994407

I'm trying to determine a possible cause of the dup acks. The host IP is 172.18.30.28 and the Citrix server IP is 172.26.19.101.

I assume the TCP retransmits are being seen because there was no ACK to the previous TCP segment.

asked 01 May '13, 12:34

sbaker00
accept rate: 0%

Are you sure that this is a print job? The packets are all pretty small (average packet size is 76 bytes) and they are prioritized as class 2, while most print jobs I have seen so far use prio class 3.

Otherwise it looks like you've got massive packet loss (Wireshark notices this as "previous segment not captured") with massive retransmissions coming in.

(01 May '13, 12:46) Jasper ♦♦

Strange thing is that I can ping between the client and server all day without any packet loss and response times are good.

(01 May '13, 13:16) sbaker00

2 Answers:

2

Pings are not a good thing to compare TCP or UDP transmissions to, because they're small and have delta times that are often measured in seconds instead of milliseconds.

The problem I have with your trace is that there is no indicator why the packets are lost, and the retransmissions seem to be quite massive after the initial communication is just doing fine for about 10 seconds. Maybe there are other data transfers hogging the network while the packets are lost, but that can't be seen in the trace. You have 204 lost segments, but 11749 retransmissions, which seems to be caused by packets being retransmitted multiple times until they finally get accepted. Example: filter for "tcp.seq==1660 or tcp.ack==1660" (with relative TCP sequence numbers) and you'll see 10 retransmissions for the same packet, and just one acknowledgment. So I think the receiver is having some sort of trouble with the incoming packets, or they get lost in the path somewhere.

You might want to do a capture at the server and the printer at the same time to see what packets you see on both ends.

answered 01 May '13, 13:48

Jasper ♦♦
accept rate: 18%
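
The per-segment tally described in the answer above (few lost segments, each retransmitted many times) can be reproduced outside the GUI. This is an added example, not part of the original post: it treats any repeat of the same flow and sequence number with payload as a retransmission, which is a simplification of Wireshark's own TCP analysis, and the sample rows, ports and sequence numbers are constructed.

```python
from collections import Counter

# Constructed sample in the tab-separated shape produced by:
#   tshark -r capture.pcap -T fields -e ip.src -e ip.dst \
#       -e tcp.srcport -e tcp.dstport -e tcp.seq -e tcp.len
# IPs are the two from the question; ports, sequence numbers and lengths are made up.
ROW = "172.26.19.101\t172.18.30.28\t1494\t50212\t{}\t60"
SAMPLE = "\n".join(
    [ROW.format(1600)]            # sent once
    + [ROW.format(1660)] * 11     # original + 10 retransmissions
    + [ROW.format(1720)] * 3      # original + 2 retransmissions
    + ["172.18.30.28\t172.26.19.101\t50212\t1494\t1\t0"] * 4  # pure ACKs
)

def transmissions(tshark_fields):
    """Count appearances of each payload-carrying segment, keyed by flow and seq."""
    seen = Counter()
    for line in tshark_fields.splitlines():
        parts = line.split("\t")
        # Non-TCP packets come out with empty fields; skip them and malformed rows.
        if len(parts) != 6 or not parts[4].isdigit() or not parts[5].isdigit():
            continue
        src, dst, sport, dport, seq, length = parts
        if int(length) == 0:
            continue  # pure ACKs repeat a seq without being retransmissions
        seen[(src, dst, sport, dport, int(seq))] += 1
    return seen

def summarize(seen):
    """Separate 'how many segments were resent' from 'how often each was resent'."""
    repeats = {key: n - 1 for key, n in seen.items() if n > 1}
    worst = max(repeats, key=repeats.get) if repeats else None
    return {
        "segments_retransmitted": len(repeats),
        "total_retransmissions": sum(repeats.values()),
        "worst_seq": worst[4] if worst else None,
        "worst_count": repeats[worst] if worst else 0,
    }

if __name__ == "__main__":
    print(summarize(transmissions(SAMPLE)))
```

A large gap between `total_retransmissions` and `segments_retransmitted` is the pattern the answer points at: the same few segments being resent repeatedly rather than many different segments being lost once.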

0

Is/was there a VIP involved? If so, make sure you are only using the VIP or only the server IP to communicate with the printer, not both.

answered 23 Dec '14, 10:18

slicerpro
accept rate: 0%