
Most black lines are duos of [TCP ACKed unseen segment] and [TCP Spurious Retransmission]. The reason for these lines to be marked black is that Wireshark sees the ACK to the TCP segment first and then the next packet in the capture file is the actual TCP segment that was ACKed.

In short: the frames are out-of-order in the capture file.

What was your capture setup? Did you use a span-port? A TAP? Or were you capturing on one of the endpoints?

As for the DUP-ACKs, there are about 40 lost packets that trigger retransmissions, but each lost packet generates quite a few DUP-ACKs, as there are already more packets on the wire before the retransmission is sent. Each of these packets will generate a DUP-ACK.
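The ordering check described in the answer above, as an added example that is not part of the original answer and is not Wireshark's own analysis code: it walks frames in capture-file order and separates ACKs whose segment appears later in the file (out-of-order capture) from ACKs whose segment never appears. The `Frame` fields, the function name and the sample frames are constructed for illustration.

```python
from collections import namedtuple

# Constructed sample frames in capture-file order (not from the asker's trace).
# seq/ack are relative numbers, length is the TCP payload size.
Frame = namedtuple("Frame", "no src dst seq length ack")

SAMPLE = [
    Frame(1, "A", "B", 1, 100, 1),    # A sends bytes 1..100
    Frame(2, "B", "A", 1, 0, 101),    # ACK for a segment already in the file
    Frame(3, "B", "A", 1, 0, 201),    # ACK for bytes 101..200, not yet in the file
    Frame(4, "A", "B", 101, 100, 1),  # the segment frame 3 acknowledged
    Frame(5, "A", "B", 201, 100, 1),
    Frame(6, "B", "A", 1, 0, 301),
    Frame(7, "B", "A", 1, 0, 401),    # ACK whose segment never shows up
]


def classify_unseen_acks(frames):
    """Split ACKs of unseen data into (reordered_pairs, never_seen_acks)."""
    next_seq = {}   # sender -> highest seq+length seen so far in the file
    pending = []    # (ack_frame_no, data_sender, ack_value) awaiting the data
    reordered = []
    for f in frames:
        # An ACK beyond everything seen from the peer is an "ACKed unseen segment".
        if f.dst in next_seq and f.ack > next_seq[f.dst]:
            pending.append((f.no, f.dst, f.ack))
        seen = next_seq.get(f.src, 0)
        if f.length > 0 and f.seq + f.length > seen:
            # New data that lands in the file after its own ACK: out-of-order capture.
            for ack_no, sender, ack in pending:
                if sender == f.src and f.seq < ack:
                    reordered.append((ack_no, f.no))
        next_seq[f.src] = max(seen, f.seq + f.length)
        # Drop pending ACKs that the file has now caught up with.
        pending = [p for p in pending if next_seq.get(p[1], 0) < p[2]]
    return reordered, [p[0] for p in pending]


if __name__ == "__main__":
    pairs, missing = classify_unseen_acks(SAMPLE)
    print("ACK before its segment (ack frame, data frame):", pairs)
    print("ACKs whose segment is absent from the file:", missing)
```
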