Wireshark-users: Re: [Wireshark-users] TCP previous segment lost / connection failure
From: "ronnie sahlberg" <ronniesahlberg@xxxxxxxxx>
Date: Tue, 27 Mar 2007 22:02:22 +0000
Prior to the "previous segment lost" there is a delay of ~500ms
which is a common tcp retransmission timeout.
Before this "previous segment lost" segment  there were probably an
earlier segment twice, once before the 500ms timeout and once
immediately together with the "previous segment lost" segment.
Both times this segment was lost by the network.



After this segment there is ~45 seconds where no more data is
transferred before the app timesout and FINs the connection.

During these 45 seconds  the TCP will have tried to retransmit the
missing segment many times   all of the times it was dropped by the
network.


Two common causes for this symptom where everything is "fine" for a
while and then there is one segment that just can not be pushed
through the network would be :
1, jumboframes on a non-jumboframe network. While segments are still
small everything is fine, once the sender needs to send more than fits
in a normal ethernet frame and thus sends a jumboframe  that
particular frame just can not be sent to the receiver.
This would be possible to tell if one could for example view the
sequence numbers between packets 102/103  but the sequence numbers can
not be seen.
(this can also be seen if the capture is taken on the .23 host)

2, many router and ethernet switch vendors provide quite often
semi-broken "viruschecking" of ethernet frames that just inspect bytes
in the frame blindly and this can trigger symprtoms like this.   Some
packets with a specific payload can just not be pushed through the
network.


Check that you dont have a jumboframe conflict.
Check all firewalls/viruscheckers end to end (including the .23 host)
if they are "unhappy" with the packet and thus discards it.





On 3/27/07, john.enevoldson@xxxxxxxxx <john.enevoldson@xxxxxxxxx> wrote:

Hi,

I was wondering if anyone can help us explain / interpret  the following
trace which is taken on a client
app that throws an "unable to connect" error. We see that that there
appears to be a lost segment
followed by a duplicate ack but are having trouble coupling the seq and ack
numbers for the various
packages together.



Grateful for any help.

Regards,

John Enevoldson
Email:  john.enevoldson@xxxxxxxxx