This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

TCP client does not send DUP ACKs for lost packets

0

Hello people,

I am working on a capture from wireshark, and the TCP client sometimes does not send a DUP ACK or may be it is lost by the network? I have a duplex link with 1 percent packet loss. Wireshark reports that "previous segment not captured", which is true but the DUP ACK is not sent for the missing segment.

The next ACK from the client is a sequence number higher than the "lost" packet. The sender just sends the segment with expected sequence number and does not send the "lost" packet.

I am analyzing delays for each segments of video frame, but I cannot find the "lost" segment in the receiver.

Thanks in advance!

asked 26 Jul '16, 08:19

Varisetty's gravatar image

Varisetty
11336
accept rate: 0%


One Answer:

2

The fact that Wireshark reports "Previous segment not captured" means that the missing packet is not in your trace file, but the fact that the client does not send duplicate ACKs AND the next ACK is a higher number than the lost packet means that the client actually did receive that packet.

If the packet was actually received, but it's not in your trace file, the most likely causes are:

1) There is asymmetric routing, and not all packets went past your capture point;

2) Wireshark simply couldn't keep up. The packet showed up, but wasn't written into the trace file.

answered 26 Jul '16, 09:18

Jim%20Aragon's gravatar image

Jim Aragon
7.2k733118
accept rate: 24%

thanks Jim for the answer, but the network topology is very small with no asymmetrical routing. In this case, the packet arrived on the interface but not captured into the wireshark trace file?

(27 Jul '16, 06:08) Varisetty

On top of packet loss during capture, which happens when capturing a relatively heavy traffic using relatively weak machines, another reason for this may be TCP offload provided by the network card if you happen to capture on the card through which the traffic actually runs. With TCP offloading switched on, the capturing filter (libpcap, WinPcap, NPcap) may not get all frames. If it is your case, the remedy is to disable TCP offloading in your network card's settings. Several other Questions here deal with the topic, your keywords would be "offload" and "chimney".

(27 Jul '16, 06:18) sindy