Wireshark-users: Re: [Wireshark-users] FTP - TCP Previous segment lost, TCP Dup ACK, TCP Retransm
From: "Trevor Tolk" <TTolk@xxxxxxxxxxxx>
Date: Wed, 5 Dec 2007 12:13:55 -0800
If you do a 'save as', you can tell it to save just displayed packets, selected packets, etc.  So you can create a file of just the packets you want.  I would get a sample of the good stream prior to the errors, the errors, and a sample of the stream after the errors.  Depending on how big the file is, you may zip it up prior to mailing it.
 
Also, there may be a better place to put sample captures on Wireshark.org.... I admit some ignorance to that.
 
Again, I don't think I can help :(, but I am interested in your issue.


From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Reynolds, Tom
Sent: 2007-12-05 11:59
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] FTP - TCP Previous segment lost, TCP Dup ACK,TCP Retransmission

Send the PCAP as an attachment?  The actual capture is only about 20 MB in size.

 

From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Trevor Tolk
Sent: Wednesday, December 05, 2007 2:56 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] FTP - TCP Previous segment lost, TCP Dup ACK,TCP Retransmission

 

I don't think I can help, but I'm interested in your problem, Tom.

 

I've seen in the forum in the past where it is requested that you send a subset of your packet capture to the forum.  Just send the packets that are in question.  Much more info can be gotten from that than your tables at the end of your email.

 


From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Reynolds, Tom
Sent: 2007-12-05 11:47
To: wireshark-users@xxxxxxxxxxxxx
Subject: [Wireshark-users] FTP - TCP Previous segment lost, TCP Dup ACK,TCP Retransmission

 

Hi all,

 

I am having a tough time figuring this out, so I decided to pitch it to this group.

 

I am in the process of moving my servers from one hosting company in Philadelphia to another company located in Valley Forge.  Both companies have a 10/100 Mbit/s pipe to the internet.  Our home office is in King of Prussia.

 

I get great bandwidth to and from the old company in Philadelphia, but poor speeds to the company in Valley Forge.  Downloads from Valley Forge seem ok sometimes. 

 

After swapping and reconfiguring everything at least 12 times (new Cisco 2960G switches, new ASA 5510 and 5520 firewalls), I have finally put a sniffer on the line and can’t understand what I see.

 

To simplify testing, I have removed the VPN, and now test with FTP servers at each location.

Downloads and uploads (from a DSL line) to Philadelphia.  Everything is great.  We get a solid 3 Mb/s download and a solid 750k upload. 

Downloads from Valley Forge to the DSL line are very poor, with almost double the time to download the same 10 MB file.  There are frequent drops from the 3 Mb/s range to about 500k.  I have actually seen worse than this.

 

After looking at the sniffer logs, here is what I see: (middle 10 packets 8950-8959, right about the time of the bandwidth drops).

 

Note that I am getting a ton of: 

 

TCP Previous segment lost

TCP Dup ACK

TCP Retransmission

 

Are these TCP drops normal for traffic over the internet?

How many drops are acceptable?

How do I find out where or why packets are dropping?  

Are there any other free tools I can use to better track my packets through the internet?

 

Any help would be appreciated.

 

Thanks in advance.

 

 

No.     Time        Source                Destination           Protocol Info

   8950 80.406846   66.104.107.217        71.242.248.10         FTP-DATA [TCP Previous segment lost] FTP Data: 1260 bytes

 

Frame 8950 (1314 bytes on wire, 1314 bytes captured)

Ethernet II, Src: Cisco_e6:46:18 (00:14:f2:e6:46:18), Dst: Dell_37:c4:a6 (00:15:c5:37:c4:a6)

Internet Protocol, Src: 66.104.107.217 (66.104.107.217), Dst: 71.242.248.10 (71.242.248.10)

Transmission Control Protocol, Src Port: ftp-data (20), Dst Port: 5005 (5005), Seq: 6203105, Ack: 1, Len: 1260

FTP Data

 

No.     Time        Source                Destination           Protocol Info

   8951 80.406910   71.242.248.10         66.104.107.217        TCP      5005 > ftp-data [ACK] Seq=1 Ack=6199325 Win=65535 Len=0 SLE=6203105 SRE=6204365 SLE=6200585 SRE=6201845

 

Frame 8951 (74 bytes on wire, 74 bytes captured)

Ethernet II, Src: Dell_37:c4:a6 (00:15:c5:37:c4:a6), Dst: Cisco_e6:46:18 (00:14:f2:e6:46:18)

Internet Protocol, Src: 71.242.248.10 (71.242.248.10), Dst: 66.104.107.217 (66.104.107.217)

Transmission Control Protocol, Src Port: 5005 (5005), Dst Port: ftp-data (20), Seq: 1, Ack: 6199325, Len: 0

 

No.     Time        Source                Destination           Protocol Info

   8952 80.410308   66.104.107.217        71.242.248.10         FTP-DATA [TCP Retransmission] FTP Data: 1260 bytes

 

Frame 8952 (1314 bytes on wire, 1314 bytes captured)

Ethernet II, Src: Cisco_e6:46:18 (00:14:f2:e6:46:18), Dst: Dell_37:c4:a6 (00:15:c5:37:c4:a6)

Internet Protocol, Src: 66.104.107.217 (66.104.107.217), Dst: 71.242.248.10 (71.242.248.10)

Transmission Control Protocol, Src Port: ftp-data (20), Dst Port: 5005 (5005), Seq: 6199325, Ack: 1, Len: 1260

FTP Data

 

No.     Time        Source                Destination           Protocol Info

   8953 80.410394   71.242.248.10         66.104.107.217        TCP      5005 > ftp-data [ACK] Seq=1 Ack=6201845 Win=65535 Len=0 SLE=6203105 SRE=6204365

 

Frame 8953 (66 bytes on wire, 66 bytes captured)

Ethernet II, Src: Dell_37:c4:a6 (00:15:c5:37:c4:a6), Dst: Cisco_e6:46:18 (00:14:f2:e6:46:18)

Internet Protocol, Src: 71.242.248.10 (71.242.248.10), Dst: 66.104.107.217 (66.104.107.217)

Transmission Control Protocol, Src Port: 5005 (5005), Dst Port: ftp-data (20), Seq: 1, Ack: 6201845, Len: 0

 

No.     Time        Source                Destination           Protocol Info

   8954 80.415232   66.104.107.217        71.242.248.10         FTP-DATA [TCP Retransmission] FTP Data: 1260 bytes

 

Frame 8954 (1314 bytes on wire, 1314 bytes captured)

Ethernet II, Src: Cisco_e6:46:18 (00:14:f2:e6:46:18), Dst: Dell_37:c4:a6 (00:15:c5:37:c4:a6)

Internet Protocol, Src: 66.104.107.217 (66.104.107.217), Dst: 71.242.248.10 (71.242.248.10)

Transmission Control Protocol, Src Port: ftp-data (20), Dst Port: 5005 (5005), Seq: 6201845, Ack: 1, Len: 1260

FTP Data

 

No.     Time        Source                Destination           Protocol Info

   8955 80.415284   71.242.248.10         66.104.107.217        TCP      5005 > ftp-data [ACK] Seq=1 Ack=6204365 Win=65535 Len=0

 

Frame 8955 (54 bytes on wire, 54 bytes captured)

Ethernet II, Src: Dell_37:c4:a6 (00:15:c5:37:c4:a6), Dst: Cisco_e6:46:18 (00:14:f2:e6:46:18)

Internet Protocol, Src: 71.242.248.10 (71.242.248.10), Dst: 66.104.107.217 (66.104.107.217)

Transmission Control Protocol, Src Port: 5005 (5005), Dst Port: ftp-data (20), Seq: 1, Ack: 6204365, Len: 0

 

No.     Time        Source                Destination           Protocol Info

   8956 80.418901   66.104.107.217        71.242.248.10         FTP-DATA [TCP Previous segment lost] FTP Data: 1260 bytes

 

Frame 8956 (1314 bytes on wire, 1314 bytes captured)

Ethernet II, Src: Cisco_e6:46:18 (00:14:f2:e6:46:18), Dst: Dell_37:c4:a6 (00:15:c5:37:c4:a6)

Internet Protocol, Src: 66.104.107.217 (66.104.107.217), Dst: 71.242.248.10 (71.242.248.10)

Transmission Control Protocol, Src Port: ftp-data (20), Dst Port: 5005 (5005), Seq: 6205625, Ack: 1, Len: 1260

FTP Data

 

No.     Time        Source                Destination           Protocol Info

   8957 80.418940   71.242.248.10         66.104.107.217        TCP      [TCP Dup ACK 8955#1] 5005 > ftp-data [ACK] Seq=1 Ack=6204365 Win=65535 Len=0 SLE=6205625 SRE=6206885

 

Frame 8957 (66 bytes on wire, 66 bytes captured)

Ethernet II, Src: Dell_37:c4:a6 (00:15:c5:37:c4:a6), Dst: Cisco_e6:46:18 (00:14:f2:e6:46:18)

Internet Protocol, Src: 71.242.248.10 (71.242.248.10), Dst: 66.104.107.217 (66.104.107.217)

Transmission Control Protocol, Src Port: 5005 (5005), Dst Port: ftp-data (20), Seq: 1, Ack: 6204365, Len: 0

 

No.     Time        Source                Destination           Protocol Info

   8958 80.422630   66.104.107.217        71.242.248.10         FTP-DATA [TCP Retransmission] FTP Data: 1260 bytes

 

Frame 8958 (1314 bytes on wire, 1314 bytes captured)

Ethernet II, Src: Cisco_e6:46:18 (00:14:f2:e6:46:18), Dst: Dell_37:c4:a6 (00:15:c5:37:c4:a6)

Internet Protocol, Src: 66.104.107.217 (66.104.107.217), Dst: 71.242.248.10 (71.242.248.10)

Transmission Control Protocol, Src Port: ftp-data (20), Dst Port: 5005 (5005), Seq: 6204365, Ack: 1, Len: 1260

FTP Data

 

No.     Time        Source                Destination           Protocol Info

   8959 80.422697   71.242.248.10         66.104.107.217        TCP      5005 > ftp-data [ACK] Seq=1 Ack=6206885 Win=65535 Len=0

 

Frame 8959 (54 bytes on wire, 54 bytes captured)

Ethernet II, Src: Dell_37:c4:a6 (00:15:c5:37:c4:a6), Dst: Cisco_e6:46:18 (00:14:f2:e6:46:18)

Internet Protocol, Src: 71.242.248.10 (71.242.248.10), Dst: 66.104.107.217 (66.104.107.217)

Transmission Control Protocol, Src Port: 5005 (5005), Dst Port: ftp-data (20), Seq: 1, Ack: 6206885, Len: 0

Tom Reynolds

IT Manager

610.337.3600 [ext. 224]

610.337.2300 [fax]

TReynolds@xxxxxxx

RealTime Media
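
Added example, not part of the original thread and not Wireshark's own code: a Python reading of the ten frames quoted in the first message. From each ACK's cumulative Ack and its SACK edges (SLE/SRE) it works out which byte ranges the receiver was still missing, then reports which later data segment covered each range and after how many microseconds. The function names and the single-space trimming of the copied lines are assumptions of this example.

```python
import re

# Frames 8950-8959 from the message above: summary lines + data-segment TCP lines.
TRACE = """\
8950 80.406846 66.104.107.217 71.242.248.10 FTP-DATA [TCP Previous segment lost] FTP Data: 1260 bytes
Transmission Control Protocol, Src Port: ftp-data (20), Dst Port: 5005 (5005), Seq: 6203105, Ack: 1, Len: 1260
8951 80.406910 71.242.248.10 66.104.107.217 TCP 5005 > ftp-data [ACK] Seq=1 Ack=6199325 Win=65535 Len=0 SLE=6203105 SRE=6204365 SLE=6200585 SRE=6201845
8952 80.410308 66.104.107.217 71.242.248.10 FTP-DATA [TCP Retransmission] FTP Data: 1260 bytes
Transmission Control Protocol, Src Port: ftp-data (20), Dst Port: 5005 (5005), Seq: 6199325, Ack: 1, Len: 1260
8953 80.410394 71.242.248.10 66.104.107.217 TCP 5005 > ftp-data [ACK] Seq=1 Ack=6201845 Win=65535 Len=0 SLE=6203105 SRE=6204365
8954 80.415232 66.104.107.217 71.242.248.10 FTP-DATA [TCP Retransmission] FTP Data: 1260 bytes
Transmission Control Protocol, Src Port: ftp-data (20), Dst Port: 5005 (5005), Seq: 6201845, Ack: 1, Len: 1260
8955 80.415284 71.242.248.10 66.104.107.217 TCP 5005 > ftp-data [ACK] Seq=1 Ack=6204365 Win=65535 Len=0
8956 80.418901 66.104.107.217 71.242.248.10 FTP-DATA [TCP Previous segment lost] FTP Data: 1260 bytes
Transmission Control Protocol, Src Port: ftp-data (20), Dst Port: 5005 (5005), Seq: 6205625, Ack: 1, Len: 1260
8957 80.418940 71.242.248.10 66.104.107.217 TCP [TCP Dup ACK 8955#1] 5005 > ftp-data [ACK] Seq=1 Ack=6204365 Win=65535 Len=0 SLE=6205625 SRE=6206885
8958 80.422630 66.104.107.217 71.242.248.10 FTP-DATA [TCP Retransmission] FTP Data: 1260 bytes
Transmission Control Protocol, Src Port: ftp-data (20), Dst Port: 5005 (5005), Seq: 6204365, Ack: 1, Len: 1260
8959 80.422697 71.242.248.10 66.104.107.217 TCP 5005 > ftp-data [ACK] Seq=1 Ack=6206885 Win=65535 Len=0
"""
SUMMARY = re.compile(r"^\s*(\d+)\s+(\d+)\.(\d{6})\s")           # frame number, time
DETAIL = re.compile(r"Seq: (\d+), Ack: \d+, Len: ([1-9]\d*)")   # segments carrying data

def parse(text):
    """Return ACKs (frame, usec, ack, sack_blocks) and data segments (frame, usec, seq, end)."""
    acks, data, cur = [], [], None
    for line in text.splitlines():
        if m := SUMMARY.match(line):
            cur = (int(m[1]), int(m[2]) * 10**6 + int(m[3]))
            if a := re.search(r"Ack=(\d+)", line):
                sack = re.findall(r"SLE=(\d+) SRE=(\d+)", line)
                acks.append((*cur, int(a[1]), sorted((int(l), int(r)) for l, r in sack)))
        elif cur and (d := DETAIL.search(line)):
            data.append((*cur, int(d[1]), int(d[1]) + int(d[2])))
    return acks, data

def hole_lifetimes(text):
    """Return (hole, reporting ACK frame, covering data frame, usec between the two)."""
    acks, data = parse(text)
    seen = {}
    for frame, t, edge, blocks in acks:
        for left, right in blocks:
            if left > edge:  # bytes [edge, left) have not reached the receiver
                seen.setdefault((edge, left), (frame, t))
            edge = max(edge, right)
    return [((lo, hi), aframe, f, t - t0)
            for (lo, hi), (aframe, t0) in sorted(seen.items())
            for f, t, s, e in data if t > t0 and s <= lo and e >= hi]
```

A segment that fills a hole sooner than one path round-trip after the ACK reporting it cannot have been sent in response to that ACK, so these delays are worth comparing with the round-trip time measured elsewhere in the capture.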