This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I have problems with transfers between a Lotus Notes client (192.168.1.11) and server (192.168.2.21). I see some ACKed unseen segments, retransmissions, duplicate ACKs etc and after a while the transfer goes down. Any ideas why this might be?

https://www.cloudshark.org/captures/b59f824f3caf

Appreciate any feedback that can help me find the problem :-)

asked 30 Mar '17, 23:30

cepheidlight's gravatar image

cepheidlight
26227
accept rate: 0%

The ACKed unseen segments is an indice that you have not captured those packets. But there RST packets, those could be part of the problem. But it is hard to tell why they were sent, maybe they are application releated.

(31 Mar '17, 12:30) Christian_R

The trace shows IP fragmented packets arriving at the trace point. The ip.len of those arriving packets is 1420 bytes so we know this is the bottleneck link's MTU size. As the following fragments do not show up at the trace point , and probably won't make it to the destination - this will certainly cause trouble.

The inbound SYN_ACK's MSS is set to 1400 indicating a (FW/VPN) device has adjusted the original MSS from 1460 to 1400. Unfortunately this was not enough to avoid fragmentation. a reduction to 1380 bytes would have been required to avoid fragmentation.

If fixing this device is not in your scope you can add a host route and reduce the MTU size to 1420 to circumvent this problem.

Regards Matthias .

permanent link

answered 02 Apr '17, 11:19

mrEEde's gravatar image

mrEEde
3.9k152270
accept rate: 20%

There are many packets that were on the wire but not captured by your sniffer. Those are the "unseen" segments and they do not affect any real life problem that you may have. About 64 KB of data was missing in this way.

Here is the order of events at the end of the TCP connections in this trace file (using the connection with client port 50310 as the example):

  • Packet flow runs normally and data packets are sent in both directions.
  • All client packets up to #172 are ACKed by the server.
  • Client packet #174 contains 54 bytes of data - but we never see a server ACK for it. [Could the server's ACK have been lost in the network?]
  • After a 300 ms RTO, the client retransmits the #174 data in #175.
  • One RTT after that, we get a Duplicate Selective ACK (D-SACK) from the server informing us that it had already received #174. [Again suggesting that the server's ACK was lost].
  • This D-SACK is also a normal ACK for the #174 data, so everything should be OK now.
  • One minute later, the client sends a Final, #177. [After a 60 second timeout?]
  • At the same time, the client begins a new TCP connection with a SYN, #178.
  • Also at the exact same time (not one RTT later), we receive a Final (#179) from the server. [It must also have a 60 second timeout?]
  • The client immediately ACKs the server's Final (#180), but we never see a server ACK to the client's Final. [Could that also have been lost in the network?]
  • After another 2 minutes (and continued activity on the new connections), the client sends a Reset (#218).

It would appear that your throughput is being affected by those regular 60 second gaps, which are caused by those timeouts before the client's Final. The connection closure mechanism is not performed correctly from the client's viewpoint, causing it to issue the Reset, but we have a new connection operating during this period and so flow isn't affected. It could be that some of the server's ACK packets are being lost. However, there are no indications of any of the server's data packets being lost.

Could it be possible that your client doesn't properly understand D-SACKs? Once it has received one, it goes into limbo until issuing the Final?

You could test this by disabling the Selective ACK capability at either your client or server (only need to disable at one end).

Without SACK support, the D-SACKs should become ordinary ACKs and may allow your client to continue the flow on the original TCP connection. You'll still suffer the 300ms RTO, but that's better than the additional 60 second timeouts to the Finals.

Google it to find the relevant Registry settings for your Windows client.

Another thing you could try is either:

  • Decreasing your server's Delayed-ACK time (so that it is lower than the client's RTO).
  • Increasing your client's Retransmission Timeout value (to be longer than the server's Delayed-ACK timer).
permanent link

answered 01 Apr '17, 23:04

Philst's gravatar image

Philst
4311616
accept rate: 27%

edited 02 Apr '17, 05:59

I think there is a problem with wireshark's calculation of relative sequence numbers. Packet Numbver 16 shows the 'real' sequence number instead of the relative one. This is causing the 'previous segment not captured' messages

(02 Apr '17, 00:05) mrEEde

There really are lots of packets not captured by the sniffer @mrEEde. I also used a commercial packet analysis tool to examine this trace file.

(02 Apr '17, 06:01) Philst
1

Wireshark makes a mess of the relative sequence numbers in packet 16 because the packet is marked as an IP fragment and the code that adjusts sequence numbers to be relative from the sequence base (SYN or first packet in the stream) is not run on a fragmented packet. I've raised a Bugzilla item for this, bug 13550.

(02 Apr '17, 09:07) grahamb ♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×104
×10
×2
×1
×1

question asked: 30 Mar '17, 23:30

question was seen: 1,093 times

last updated: 02 Apr '17, 11:19

p​o​w​e​r​e​d by O​S​Q​A