This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

one way traffic


Hi, not too sure if this capture is legitimate or is not capturing all the traffic (although the capture says no packets were dropped). For about 3 minutes the server I am monitoring (not via a span port but by running dumpcap on the server) is only sending traffic but not receiving any. It continually displays "TCP Acked unseen segment" in the capture's info summary for traffic from the server. Any ideas what would cause this?

asked 13 Apr '16, 03:59


bbfluff

  • what OS is the server running? (on Windows, many cases where a particular type/direction of traffic is missing in the capture have been discussed here, caused by drivers installed by various security or VPN software)

  • doesn't the server happen to have more than one NIC so that the incoming traffic could be coming through the other NIC than the one at which you capture?

TCP Acked unseen segment sounds like the real traffic is bidirectional (if the ack number in these packets grows).

(13 Apr '16, 04:09) sindy
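A way to turn that ACK-number check into something you can run over a capture, as an added example that is not part of this thread and not Wireshark's own code: the script below parses a classic pcap file in pure Python, groups TCP packets into bidirectional flows, and for each flow seen in one direction only reports whether that direction's ACK numbers advanced. Advancing ACKs mean the peer's segments did reach the host, so the capture (not the network) is missing the inbound direction. The sample capture, addresses and ports are constructed inside the script.

```python
import struct
from ipaddress import IPv4Address

LINKTYPE_ETHERNET = 1


def build_frame(src, dst, sport, dport, seq, ack, payload=b""):
    """Construct an Ethernet/IPv4/TCP frame with the ACK flag set (checksums left zero;
    the analysis below never verifies them). Used only to build the sample capture."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, 0x10, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return b"\x02" * 6 + b"\x02" * 6 + b"\x08\x00" + ip + tcp


def build_pcap(frames):
    """Serialise frames as a little-endian classic pcap (magic 0xA1B2C3D4)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1460000000 + i, 0, len(f), len(f)) + f
    return out


def parse_tcp(frame):
    """Return the TCP fields of an Ethernet/IPv4/TCP frame, or None for anything else."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if len(ip) < 20 or (ip[0] >> 4) != 4 or ip[9] != 6:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport, dport, seq, ack = struct.unpack_from("!HHII", tcp, 0)
    return {"src": str(IPv4Address(ip[12:16])), "dst": str(IPv4Address(ip[16:20])),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": tcp[13], "payload_len": len(tcp) - (tcp[12] >> 4) * 4}


def parse_pcap(data):
    """Walk the pcap records and return the parsed TCP packets in file order."""
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(endian + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type handled")
    pos, pkts = 24, []
    while pos + 16 <= len(data):
        _sec, _usec, incl_len, _orig = struct.unpack_from(endian + "IIII", data, pos)
        pos += 16
        rec = parse_tcp(data[pos:pos + incl_len])
        pos += incl_len
        if rec:
            pkts.append(rec)
    return pkts


def classify_flows(pkts):
    """Per bidirectional flow: packet count and ACK advances for each endpoint, plus a verdict.
    'capture-missing-inbound' = only one side seen but its ACKs advance (the peer's data
    arrived, the capture dropped it); 'truly-one-way' = one side seen and ACKs never move."""
    flows = {}
    for p in pkts:
        a, b = (p["src"], p["sport"]), (p["dst"], p["dport"])
        key = tuple(sorted([a, b]))
        st = flows.setdefault(key, {key[0]: [0, None, 0], key[1]: [0, None, 0]})
        cnt_last_adv = st[a]          # [packets sent by a, last ACK seen from a, advances]
        cnt_last_adv[0] += 1
        if p["flags"] & 0x10:         # ACK flag set: compare with previous ACK, modulo 2^32
            last = cnt_last_adv[1]
            if last is not None and 0 < ((p["ack"] - last) & 0xFFFFFFFF) < 2 ** 31:
                cnt_last_adv[2] += 1
            cnt_last_adv[1] = p["ack"]
    results = {}
    for key, st in flows.items():
        e0, e1 = key
        if st[e0][0] and st[e1][0]:
            verdict = "bidirectional"
        else:
            seen = e0 if st[e0][0] else e1
            verdict = "capture-missing-inbound" if st[seen][2] else "truly-one-way"
        results[key] = {"packets": {e0: st[e0][0], e1: st[e1][0]},
                        "ack_advances": {e0: st[e0][2], e1: st[e1][2]}, "verdict": verdict}
    return results


def sample_capture():
    """Constructed capture: a mail server 10.0.0.5:25 talking to three clients."""
    server = ("10.0.0.5", 25)
    frames = []
    # Flow 1: only the server's pure ACKs are present, yet its ACK number climbs by 1460 each
    # time, i.e. the client's segments reached it but were not captured ("ACKed unseen segment").
    for i in range(4):
        frames.append(build_frame(server[0], "10.0.0.9", server[1], 40000, 1000, 5000 + 1460 * i))
    # Flow 2: the server sends data but its ACK never moves: nothing inbound was acknowledged.
    for i in range(3):
        frames.append(build_frame(server[0], "10.0.0.7", server[1], 40001, 2000 + i, 9000, b"x"))
    # Flow 3: an ordinary exchange seen in both directions.
    frames.append(build_frame("10.0.0.8", server[0], 40002, server[1], 1, 1, b"EHLO"))
    frames.append(build_frame(server[0], "10.0.0.8", server[1], 40002, 1, 5))
    return build_pcap(frames)


def analyse(pcap_bytes):
    return classify_flows(parse_pcap(pcap_bytes))


if __name__ == "__main__":
    for flow, info in analyse(sample_capture()).items():
        print(flow, info["verdict"], info["packets"], info["ack_advances"])
```

To run it against a real file, replace `sample_capture()` with `open("capture.pcap", "rb").read()`; flows reported as `capture-missing-inbound` are the ones where the host is clearly receiving data the capture never saw, which points at the capture path (driver, offload, teaming) rather than at the network.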

It's running Windows Server 2012 R2 Standard. There are 2 teamed NIC cards which I'm capturing from and a replication NIC card with a different subnet address that has no issues. This server is part of an e-mail cluster. The capture usually runs fine. We have a very intermittent issue where the whole of e-mail hangs. I managed to capture the 6 servers' traffic during the slow running/hanging and all servers seemed to be running fine except for one. The traffic dropped by about 99% and was the one-way traffic as described above. NB - the ACK number in the TCP Acked unseen segment does grow. Many thanks

(13 Apr '16, 04:55) bbfluff

The way you put it (the capture usually runs fine, but now you've exceptionally had a one-way traffic case), I could imagine there is a relationship between the original issue you're tracking and the capturing issue. As you talk of teaming, I assume there is a manufacturer's (let me guess: Broadcom's) proprietary teaming driver, and the interaction between it and WinPcap's nfs may be complex too.

I was recently dealing with the Npcap vs. WinPcap difference, where WinPcap can access the member NICs of a software bridge whereas Npcap can only access the virtual NIC "connected" to the bridge.

Do you use WinPcap or Npcap?

Do you capture at the virtual NIC representing the team or at one of team members?

If Wireshark/tshark/dumpcap offers you the two team members as NICs available for capture, could you capture at both simultaneously?

If it offers only the virtual NIC representing the team, can you disable/disconnect one of the team members and capture again?

(13 Apr '16, 05:27) sindy

The teaming driver is Microsoft Network Adapter Multiplexor. I use WinPcap. I have been monitoring the virtual NIC, but I do have the option of monitoring both physical NICs. To summarise, do you consider that monitoring the 2 physical NICs would be the better option?

(13 Apr '16, 06:03) bbfluff

I'd rather put it like "trying to capture on both physical NICs simultaneously may be your last chance before having to mirror the traffic of both these NICs on the switch(es) and using another machine to capture the mirrored traffic".

But please do also have a look at similar questions around here; the keywords would be "tcp offloading", "chimney", "antivirus / VPN / firewall" - all these may affect whether WinPcap gets everything or not. I could e.g. imagine that the NIC driver settings regarding TCP offloading on this machine differ from those used on the other ones.

(13 Apr '16, 11:41) sindy

Thanks very much for all your help Sindy

(14 Apr '16, 00:43) bbfluff