tcp ack from remote side takes only a few microseconds over wan link
I have a question about TCP Acks. In my case i have a wireshark trace where the rtt is ~28ms and the remote side in Frame 27727 Acks Frame 27725 but the "Time since previous frame in this TCP stream" is around 22 microseconds. How can that be possible if the rtt is ~28ms?
image:
Wiki overview of Timestamps and more details from Guy.
Looks like the capture machine is not keeping up since there are "not captured" and "unseen" frames.
Looks for me like the client/SPAN had a problem during capturing, and thats why the order of the frames got mixed up and some frames got lost. In frame 27733 the client 10.61.10.2 acks the TCP segment 2921, but it's not in the capture (= two TCP segments with each 1460 bytes are missing). Same in frame 27741, but now the server 52.114.88.87 acks the TCP segment 1891 that we don't see (one TCP segment with 1440 bytes is missing). Another possible reason could be that another system like a proxy had acked the packet. But 22 microseconds is really fast. That sounds more like an loopback adapter.
According to TTL it says it should have crossed 17 Hops. The hop count to local firewall is 2 so in my opinion the firewall/proxy did not do that iam right?
Yep, you're right. Then maybe a heavy load on the client/line/switchport caused the capturing issues?