I'm running Wireshark to capture packets on a Mac OS X system and I can see "TCP ACKed lost segment" packets on a TCP connection to a client. Is there a reason why it happens? I thought if I'm capturing on the server I will see all the packets that are sent to the client.
asked 06 Nov '11, 03:23 ddayan
2 Answers:
An ACK to a lost segment means that you see an acknowledgement of a packet that hasn't made it into the capture file. If you're capturing on the server it probably means that you had too much traffic going in and out for Wireshark to be able to capture it all for performance reasons. Whenever that happens you'll see ACKs to lost segments, because the segment was there but you didn't capture it. Take a look at the status bar after stopping the capture; there should be a "Drop" counter that tells you how many packets were lost due to insufficient capture performance. If it is anything above zero, your capture device is too slow to get it all. Try capturing with dumpcap or other tools that do not have the overhead of Wireshark displaying packets in real time (or turn off as much of that as possible: displaying in real time, color coding, live statistics, etc.).
answered 06 Nov '11, 08:32 Jasper ♦♦
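The heuristic behind the "ACKed lost segment" flag, as an added example (not code from the answer above or from Wireshark itself): replay a constructed capture in which one server data segment was dropped by the capture engine, and flag any ACK whose acknowledgment number is higher than the highest sequence number seen travelling in the opposite direction. The endpoint labels and all sequence values are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Segment:
    src: str     # sending endpoint (constructed label)
    dst: str     # receiving endpoint
    seq: int     # relative sequence number of the first payload byte
    length: int  # payload bytes carried (0 for a pure ACK)
    ack: int     # acknowledgment number

def find_acked_unseen(capture: List[Segment]) -> List[Tuple[int, int, int]]:
    """Replay segments in capture order and report every ACK that
    acknowledges bytes never seen flowing in the opposite direction.
    Returns (packet_index, ack_number, highest_next_seq_seen)."""
    next_seq: Dict[Tuple[str, str], int] = {}   # per direction: max(seq + len)
    flagged: List[Tuple[int, int, int]] = []
    for i, s in enumerate(capture):
        fwd, rev = (s.src, s.dst), (s.dst, s.src)
        if s.length:
            end = s.seq + s.length
            next_seq[fwd] = max(next_seq.get(fwd, end), end)
        seen = next_seq.get(rev)        # data in the direction this ACK covers
        if seen is not None and s.ack > seen:
            flagged.append((i, s.ack, seen))
            # Assume the missing bytes were really sent, so later ACKs
            # that cover them are not flagged again.
            next_seq[rev] = s.ack
    return flagged

# Constructed capture: the server's segment seq 2921 len 1460 was dropped
# by the capture engine, so the client's ACK 4381 covers bytes that never
# appear in the trace.
CAPTURE = [
    Segment("server", "client", 1, 1460, 1),
    Segment("client", "server", 1, 0, 1461),
    Segment("server", "client", 1461, 1460, 1),
    Segment("client", "server", 1, 0, 4381),   # ACK to the unseen segment
    Segment("server", "client", 4381, 100, 1),
    Segment("client", "server", 1, 0, 4481),
]

if __name__ == "__main__":
    for idx, ack, seen in find_acked_unseen(CAPTURE):
        print(f"packet {idx}: ACK {ack} but only {seen} bytes seen -> "
              "segment missing from capture (check the Drop counter)")
```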
Just to make sure that we are not overlooking the obvious: is your server using exactly one network card? If you have more than one NIC, the packets might be received over one interface and the ACKs transmitted over another card.
answered 07 Nov '11, 05:23 packethunter
Yes, only one NIC (it's a laptop). (07 Nov '11, 06:16) ddayan
I tried to use:
tcpdump -nnvvXSs 1514 -i en0 -w good_con_7_11
I receive:
0 packets captured
0 packets received by filter
0 packets dropped by kernel
I still get ACK lost segments (although now I receive a smaller amount). Is there anything else I could do?
OK, in that case you're probably capturing at a SPAN port, which is slammed shut with packets and starts dropping on the SPAN port itself. The only thing you can do is span the data to a faster port (for example from 100 MBit to 1G or 1G to 10G), but that is often not possible (especially for 1G->10G). Otherwise you need to reduce the amount of packets going to the SPAN port, or go for a TAP, but that usually requires an FDX capture solution unless you deploy an aggregation TAP (which might drop, once again).