This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

TCP ACKed lost segment problem

0

Hi Guys,

i am using wireshark check an issue we have with slow connectivity to our server and sometimes server have to restart. I am see a lot of the following lines in the capture and i wondered if anyone could explain what they are:

39 TCP src > 38378 [PSH, ACK] Seq=1786 Ack=1726 Win=32768 Len=119

40 TCP 38378 > src [ACK] Seq=1726 Ack=1905 Win=54 Len=0

41 TCP [TCP ACKed lost segment] src > 38378 [PSH, ACK] Seq=1905 Ack=1841 Win=32768 Len=119

42 TCP [TCP ACKed lost segment] src > 38378 [PSH, ACK] Seq=2024 Ack=1956 Win=32768 Len=119

43 TCP [TCP ACKed lost segment] src > 38378 [PSH, ACK] Seq=2143 Ack=2071 Win=32768 Len=119

44 TCP [TCP ACKed lost segment] src > 38378 [PSH, ACK] Seq=2262 Ack=2186 Win=32768 Len=119

Best Regards

Spyros

asked 24 Aug '12, 00:10

kaito7's gravatar image

kaito7
1111
accept rate: 0%


One Answer:

0

"ACKed lost segment" means that Wireshark has found a packet acknowledging another packet it hasn't seen. Kind of a "I know the packet must have been there but I didn't see it". If that happens it usually means that you either captured on a link that didn't transport all packets (for example when there is asynchronous routing or an etherchannel where you only sniffed on one leg), or your capture device was too slow to record all packets in time that arrived at the NIC.

answered 24 Aug '12, 02:12

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

and sometimes server have to restart

additionally to what Jasper said: If the servers have to restart, there could be a problem with IP stack or NIC driver of that server.

(24 Aug '12, 02:37) Kurt Knochner ♦

Ping google and check if you have packet loss, I,e..

"ping google.com -t"

(24 Aug '12, 12:42) Harsha