This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi all,

I'm rather new to being able to diagnose problems from tcpdumps, so please forgive me. We're getting connectivity issues between two of our sites; a dump of an HTTP trace shows regular TCP retransmissions.

What are the next steps to diagnose what's going on, and more importantly how to fix it? Below is a small sample of the trace.

"132","22.431990","192.168.2.13","192.168.1.94","HTTP","[TCP Previous segment lost] Continuation or non-HTTP traffic"
"133","22.432062","192.168.1.94","192.168.2.13","TCP","[TCP Dup ACK 131#1] mns-mail > http [ACK] Seq=1756 Ack=44510 Win=65700 [TCP CHECKSUM INCORRECT] Len=0 SLE=45970 SRE=47430"
"134","22.433992","192.168.2.13","192.168.1.94","HTTP","Continuation or non-HTTP traffic"
"135","22.434066","192.168.1.94","192.168.2.13","TCP","[TCP Dup ACK 131#2] mns-mail > http [ACK] Seq=1756 Ack=44510 Win=65700 [TCP CHECKSUM INCORRECT] Len=0 SLE=45970 SRE=48890"
"136","22.436012","192.168.2.13","192.168.1.94","HTTP","Continuation or non-HTTP traffic"
"137","22.436082","192.168.1.94","192.168.2.13","TCP","[TCP Dup ACK 131#3] mns-mail > http [ACK] Seq=1756 Ack=44510 Win=65700 [TCP CHECKSUM INCORRECT] Len=0 SLE=45970 SRE=50350"
"138","22.437991","192.168.2.13","192.168.1.94","HTTP","Continuation or non-HTTP traffic"
"139","22.438067","192.168.1.94","192.168.2.13","TCP","[TCP Dup ACK 131#4] mns-mail > http [ACK] Seq=1756 Ack=44510 Win=65700 [TCP CHECKSUM INCORRECT] Len=0 SLE=45970 SRE=51810"
"140","22.439992","192.168.2.13","192.168.1.94","HTTP","Continuation or non-HTTP traffic"
"141","22.439997","192.168.2.13","192.168.1.94","HTTP","Continuation or non-HTTP traffic"
"142","22.440068","192.168.1.94","192.168.2.13","TCP","[TCP Dup ACK 131#5] mns-mail > http [ACK] Seq=1756 Ack=44510 Win=65700 [TCP CHECKSUM INCORRECT] Len=0 SLE=45970 SRE=53270"
"143","22.440087","192.168.1.94","192.168.2.13","TCP","[TCP Dup ACK 131#6] mns-mail > http [ACK] Seq=1756 Ack=44510 Win=65700 [TCP CHECKSUM INCORRECT] Len=0 SLE=45970 SRE=53624"
"144","22.444995","192.168.2.13","192.168.1.94","HTTP","[TCP Fast Retransmission] Continuation or non-HTTP traffic"
"145","22.445110","192.168.1.94","192.168.2.13","TCP","mns-mail > http [ACK] Seq=1756 Ack=53624 Win=65700 [TCP CHECKSUM INCORRECT] Len=0"

Any help would be greatly appreciated.

asked 01 Apr '11, 03:35

Alan Hollis


You probably need to describe in more detail what "connectivity issues" you mean. Are you talking about initiating connections, or throughput issues or timeouts/pauses in your application, or something else?

The sample you have given is only for 14ms - a pretty short time period - yet a lot is happening, so it is possibly a fairly fast link. From what we can see, this connection is using SACK (selective acknowledgment) to recover from a lost packet. All this is fairly normal, and possibly the result of congestion.

answered 01 Apr '11, 05:26

martyvis
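
The SACK recovery described in this answer can be read directly from the CSV rows in the question. The following is an added example, not part of the original thread: it parses a subset of those rows and reports the size of the hole, how much data the receiver held out of order, and how long the fast retransmission took. The function name `summarize_recovery` and the result keys are hypothetical.

```python
import csv
import io
import re

# Subset of the rows posted in the question (Wireshark CSV export:
# No., Time, Source, Destination, Protocol, Info).
SAMPLE = '''\
"132","22.431990","192.168.2.13","192.168.1.94","HTTP","[TCP Previous segment lost] Continuation or non-HTTP traffic"
"133","22.432062","192.168.1.94","192.168.2.13","TCP","[TCP Dup ACK 131#1] mns-mail > http [ACK] Seq=1756 Ack=44510 Win=65700 [TCP CHECKSUM INCORRECT] Len=0 SLE=45970 SRE=47430"
"137","22.436082","192.168.1.94","192.168.2.13","TCP","[TCP Dup ACK 131#3] mns-mail > http [ACK] Seq=1756 Ack=44510 Win=65700 [TCP CHECKSUM INCORRECT] Len=0 SLE=45970 SRE=50350"
"143","22.440087","192.168.1.94","192.168.2.13","TCP","[TCP Dup ACK 131#6] mns-mail > http [ACK] Seq=1756 Ack=44510 Win=65700 [TCP CHECKSUM INCORRECT] Len=0 SLE=45970 SRE=53624"
"144","22.444995","192.168.2.13","192.168.1.94","HTTP","[TCP Fast Retransmission] Continuation or non-HTTP traffic"
"145","22.445110","192.168.1.94","192.168.2.13","TCP","mns-mail > http [ACK] Seq=1756 Ack=53624 Win=65700 [TCP CHECKSUM INCORRECT] Len=0"
'''

DUP_ACK = re.compile(r"\[TCP Dup ACK \d+#(\d+)\]")
FIELD = re.compile(r"\b(Ack|SLE|SRE)=(\d+)")


def summarize_recovery(text):
    """Describe one loss/recovery episode from Wireshark CSV rows."""
    ev = {}
    for _no, ts, _src, _dst, _proto, info in csv.reader(io.StringIO(text)):
        f = {k: int(v) for k, v in FIELD.findall(info)}
        dup = DUP_ACK.search(info)
        if "Previous segment lost" in info:
            ev["gap_seen"] = float(ts)          # sequence gap at the capture point
        elif dup:
            ev["dup_acks"] = int(dup.group(1))  # Wireshark's running count
            ev["missing_bytes"] = f["SLE"] - f["Ack"]  # hole before the SACK block
            ev["sacked_bytes"] = f["SRE"] - f["SLE"]   # data held out of order
            ev["sack_right_edge"] = f["SRE"]
        elif "Fast Retransmission" in info and "gap_seen" in ev:
            ev["recovery_ms"] = round((float(ts) - ev["gap_seen"]) * 1000, 3)
        elif "Ack" in f and "recovery_ms" in ev:
            # Cumulative ACK after the retransmission: the hole is closed
            # only if it reaches the right edge of the last SACK block.
            ev["hole_closed"] = f["Ack"] == ev["sack_right_edge"]
    return ev


if __name__ == "__main__":
    print(summarize_recovery(SAMPLE))
```

On these rows the hole is a single 1460-byte segment, and one fast retransmission moves the cumulative ACK to the edge of the SACKed data.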

Thank you very much for your reply.

At the time there was only one request coming from my machine to that host. I guess by congestion you mean other machines on the network using that link?

The link between the two subnets is a 10 megabyte per second Ethernet link, which shouldn't be congested at all I don't believe. We have 7 machines in the office and maybe two of them in total SHOULD be communicating with this link at any one time? Would that be something worth investigating? The problem came to light because every so often a SOAP message we use to determine information about some software is failing, and generating alarms.

The trace is of an HTTP request to a webserver sitting on the .2 subnet, if that helps.

Thanks again for your reply it's very much appreciated.

Alan

answered 01 Apr '11, 06:50

Alan Hollis

edited 01 Apr '11, 07:04

If you can post the actual packet capture somewhere, I'm sure more people can help you. But it looks to me like you have a duplex mismatch. Make sure the switchport and the NICs all match.

(01 Apr '11, 17:54) hansangb

Thanks again. The full csv file is here (http://www.alanhollis.com/work/tcpdump). Unfortunately, I didn't save the full dump. I'll have a go at looking at all the duplex settings now. Thanks for your reply!

(04 Apr '11, 00:56) Alan Hollis

question asked: 01 Apr '11, 03:35

question was seen: 7,882 times

last updated: 04 Apr '11, 00:56
