This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

TCP ACKed lost segment on OS X server

0

I'm running Wireshark to capture packets on a Mac OS X system and I can see TCP ACKed lost segment packets on a TCP connection to a client. Is there a reason why it happens? I thought if I'm capturing on the server I will see all the packets that are sent to the client.

asked 06 Nov '11, 03:23

ddayan
accept rate: 0%


2 Answers:

0

An ACK to a lost segment means that you see an acknowledgement of a packet that hasn't made it into the capture file. If you're capturing on the server it probably means that you had too much traffic going in and out for Wireshark to be able to capture it all, for performance reasons. Whenever that happens you'll see ACKs to lost segments, because the segment was there but you didn't capture it.

Take a look at the status bar after stopping the capture; there should be a "Drop" counter that tells you how many packets were lost due to insufficient capture performance. If it is anything above zero your capture device is too slow to get it all.

Try capturing with dumpcap or other tools that do not have the overhead of Wireshark displaying packets in real time (or turn off as much of that as possible: displaying in real time, color coding, live statistics etc.).

answered 06 Nov '11, 08:32

Jasper ♦♦
accept rate: 18%

I tried to use tcpdump -nnvvXSs 1514 -i en0 -w good_con_7_11 and I receive:

0 packets captured
0 packets received by filter
0 packets dropped by kernel

I still get ACK lost segments (although now I receive smaller amount), anything else that I could do?

(07 Nov '11, 04:20) ddayan

OK, in that case you're probably capturing at a SPAN port, which is slammed shut with packets and starts dropping on the SPAN port itself. The only thing you can do is span the data to a faster port (for example from 100MBit to 1G or 1G to 10G), but that is often not possible (especially for the 1->10G). Otherwise you need to reduce the amount of packets going to the SPAN port, or go for a TAP, but that usually requires a FDX capture solution unless you deploy an aggregation TAP (which might drop, once again).

(07 Nov '11, 04:57) Jasper ♦♦
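To make concrete what Jasper's answer describes, here is an added example (not part of the original thread, and not Wireshark's code): a simplified model of the check behind the "TCP ACKed lost segment" flag (called "TCP ACKed unseen segment" in later Wireshark releases), run over a hand-constructed TCP exchange. The segment lists, the addresses 10.0.0.2:50000 and 10.0.0.1:80, and the relative sequence numbers are all constructed for the illustration. The "lossy" list is the same conversation with one server segment missing from the capture, which is exactly what a capture drop looks like to the analyser.

```python
"""
Constructed illustration of what Wireshark's "TCP ACKed unseen segment"
(older releases: "TCP ACKed lost segment") flag checks. The segment lists
are hand-written, not a real capture, and analyse() is a simplified model
of Wireshark's sequence-number analysis, not its code.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Segment:
    src: str      # sender   "ip:port"
    dst: str      # receiver "ip:port"
    seq: int      # relative sequence number
    ack: int      # relative acknowledgement number (only meaningful with "A")
    length: int   # TCP payload bytes
    flags: str    # subset of "SAFPR"


def seq_end(s: Segment) -> int:
    """First sequence number NOT covered by this segment; SYN and FIN each use one."""
    return s.seq + s.length + ("S" in s.flags) + ("F" in s.flags)


Finding = Tuple[int, str, int]   # (segment index, flag name, bytes involved)


def analyse(segments: List[Segment]) -> List[Finding]:
    """
    'acked_unseen'          : an ACK covers bytes that never appeared in the
                              capture (the data existed, the sniffer missed it).
    'previous_not_captured' : a segment starts beyond the last byte captured
                              from the same sender (a hole in that direction).
    As in Wireshark, an ACK is only judged once the reverse direction has been
    seen at all, and each unseen range is reported once, not on every ACK.
    """
    highest: Dict[Tuple[str, str], int] = {}   # direction -> highest seq_end captured
    reported: Dict[Tuple[str, str], int] = {}  # direction -> highest ACK already flagged
    findings: List[Finding] = []
    for i, s in enumerate(segments):
        fwd, rev = (s.src, s.dst), (s.dst, s.src)
        if ("A" in s.flags and rev in highest
                and s.ack > highest[rev] and s.ack > reported.get(rev, 0)):
            findings.append((i, "acked_unseen", s.ack - highest[rev]))
            reported[rev] = s.ack
        if fwd in highest and s.seq > highest[fwd] and "R" not in s.flags:
            findings.append((i, "previous_not_captured", s.seq - highest[fwd]))
        highest[fwd] = max(highest.get(fwd, 0), seq_end(s))
    return findings


C, S = "10.0.0.2:50000", "10.0.0.1:80"   # constructed client and server


def handshake_and_request() -> List[Segment]:
    return [
        Segment(C, S, 0,   0,   0,    "S"),   # 0 SYN
        Segment(S, C, 0,   1,   0,    "SA"),  # 1 SYN/ACK
        Segment(C, S, 1,   1,   0,    "A"),   # 2 ACK
        Segment(C, S, 1,   1,   100,  "PA"),  # 3 100-byte request
        Segment(S, C, 1,   101, 1460, "A"),   # 4 first response segment
    ]


def full_capture() -> List[Segment]:
    """Every segment that was on the wire made it into the capture file."""
    return handshake_and_request() + [
        Segment(S, C, 1461, 101,  1460, "A"),  # 5 second response segment
        Segment(C, S, 101,  2921, 0,    "A"),  # 6 client ACKs both segments
        Segment(S, C, 2921, 101,  1460, "A"),  # 7 third response segment
        Segment(C, S, 101,  4381, 0,    "A"),  # 8
    ]


def lossy_capture() -> List[Segment]:
    """Same exchange, but the sniffer dropped the second response segment."""
    return handshake_and_request() + [
        # (S -> C, seq 1461, 1460 bytes) was on the wire but is absent here
        Segment(C, S, 101,  2921, 0,    "A"),  # 5 ACK for bytes never captured
        Segment(C, S, 101,  2921, 0,    "A"),  # 6 window update, same ACK number
        Segment(S, C, 2921, 101,  1460, "A"),  # 7 starts past the last captured byte
        Segment(C, S, 101,  4381, 0,    "A"),  # 8
    ]


if __name__ == "__main__":
    for name, capture in (("full", full_capture()), ("lossy", lossy_capture())):
        print(name, analyse(capture))
```

The complete capture produces no findings. In the lossy one, segment 5 is flagged because the client acknowledges up to 2921 while the highest server byte in the file is 1461, and segment 7 is flagged because it starts past that last captured byte; the repeated ACK in segment 6 is deliberately not reported twice. That is the signature of a capture-side drop rather than a network problem: the client could only acknowledge the data because it actually received it.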

0

Just to make sure that we are not overlooking the obvious:

Is your server using exactly one network card?

If you have more than one NIC, the packets might be received over one interface while the ACKs are transmitted over another card.

answered 07 Nov '11, 05:23

packethunter
accept rate: 8%

Yes, only one NIC (it's a laptop).

(07 Nov '11, 06:16) ddayan