wireshark - Understanding [TCP ACKed unseen segment] [TCP Previous segment not captured]
We are doing load testing on our servers. I'm using tshark to capture data to a pcap file, then using the Wireshark GUI to see the errors or warnings shown under Analyze -> Expert Info once the pcap is loaded.

I'm seeing various things I'm not sure about or don't understand yet.

Under Warnings I have:

779 warnings TCP: ACKed segment that wasn't captured (common at capture start)
446 TCP: Previous segment not captured (common at capture start)

An example:

40292 0.000 xxx xxx TCP 90 [TCP ACKed unseen segment] [TCP Previous segment not captured] 11210 > 37586 [PSH, ACK] Seq=3812 Ack=28611 Win=768 Len=24 TSval=199317872 TSecr=4506547

We ran the pcap file through a nice command that creates a command-line column of data.

Command:

tshark -i 1 -w file.pcap -c 500000

Basically we saw a few things in the tcp.analysis.lost_segment column, but not many.

Can anyone enlighten me on what might be going on? Is tshark not able to keep up writing the data, or is it some other issue? Or a false positive?
That may be a false positive. As the warning message says, it is common at capture start, when you start in the middle of a TCP session. In those cases you simply don't have the information. If you are missing ACKs over time, start looking upstream for the host disappearing. It is also possible that tshark can not keep up with the data and is dropping packets; at the end of the capture it will tell you if the "kernel dropped packets", and how many. By default tshark disables DNS lookup; tcpdump does not, so if you use tcpdump you need to pass in the "-n" switch. If you are having disk IO issues you can write to memory at /dev/shm, but be careful, because if the captures are large it can cause the machine to start swapping.

My bet is that you have long-running TCP sessions, and when you start the capture you are missing parts of the TCP session because of that. Having said that, here are some of the things I have seen cause duplicate/missing ACKs:

- Switches (very unlikely, unless in a sick state)
- Routers - more than switches, but not much
- Firewalls - more than routers. The things to look at here are resource exhaustion (license, CPU, etc.)
- Client-side filtering software - antivirus, malware detection, etc.
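The answer's test, "is the warning on a session that was already running when the capture started, or on a session whose earlier frames we did capture?", can be applied mechanically. The script below is an added example, not code from either poster. It assumes the pcap has been exported with tshark's `-T fields` output (`frame.number`, `tcp.stream` and the Info column field `_ws.col.Info`, which carries the same `[TCP ...]` tags shown in the question), and the embedded sample is constructed to mimic that output, not taken from a real capture. A warning that lands on the first frame seen for a stream is bucketed as the "common at capture start" case; a warning on a stream with cleanly captured earlier frames is the one worth chasing upstream or checking against the kernel-dropped-packets count.

```python
"""Triage Wireshark's "unseen segment" warnings by where they fall in each
TCP stream, to separate the "common at capture start" case from genuine loss.

Input is tab-separated tshark field output, one line per frame. The command
below is the assumed way to produce it (field names are Wireshark's own):

    tshark -r file.pcap -T fields -e frame.number -e tcp.stream -e _ws.col.Info
"""
from collections import defaultdict

ACK_UNSEEN = "[TCP ACKed unseen segment]"
PREV_UNSEEN = "[TCP Previous segment not captured]"

# Constructed sample in the format of the command above (not a real capture).
# Stream 0 has its handshake captured; stream 1 is already mid-flight when the
# capture starts, like the example frame in the question.
SAMPLE = "\n".join([
    "1\t0\t37586 > 11210 [SYN] Seq=0 Win=29200 Len=0",
    "2\t0\t11210 > 37586 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0",
    "3\t0\t37586 > 11210 [ACK] Seq=1 Ack=1 Win=29312 Len=0",
    "4\t1\t[TCP ACKed unseen segment] [TCP Previous segment not captured] "
    "11210 > 37586 [PSH, ACK] Seq=3812 Ack=28611 Win=768 Len=24",
    "5\t0\t37586 > 11210 [PSH, ACK] Seq=1 Ack=1 Win=29312 Len=100",
    "6\t1\t37586 > 11210 [ACK] Seq=28611 Ack=3836 Win=1024 Len=0",
    "7\t0\t[TCP Previous segment not captured] "
    "11210 > 37586 [PSH, ACK] Seq=1461 Ack=101 Win=28960 Len=24",
    "8\t1\t11210 > 37586 [PSH, ACK] Seq=3836 Ack=28611 Win=768 Len=12",
])


def classify(field_output, start_window=1):
    """Return {"capture_start": [...], "mid_stream": [...]}.

    Each entry is (frame_number, stream_id, [warning texts]). A warning within
    the first `start_window` frames seen for a stream goes in "capture_start":
    the session was already running when the capture began, which is exactly
    what the Expert Info note says is common. A warning on a stream whose
    earlier frames were captured cleanly goes in "mid_stream" and deserves a
    closer look (loss on the path, or packets dropped by the capture itself).
    """
    frames_seen = defaultdict(int)
    result = {"capture_start": [], "mid_stream": []}
    for line in field_output.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t", 2)
        if len(parts) < 3 or parts[1] == "":
            continue  # not a TCP frame, so tshark printed no stream id
        frame, stream, info = int(parts[0]), int(parts[1]), parts[2]
        flags = [w for w in (ACK_UNSEEN, PREV_UNSEEN) if w in info]
        if flags:
            bucket = "capture_start" if frames_seen[stream] < start_window else "mid_stream"
            result[bucket].append((frame, stream, flags))
        frames_seen[stream] += 1
    return result


def summarize(field_output, start_window=1):
    """Counts only: a high share of capture_start warnings supports the
    long-running-sessions explanation; mid_stream ones need investigation."""
    return {k: len(v) for k, v in classify(field_output, start_window).items()}


if __name__ == "__main__":
    import sys
    # Pipe real tshark output in, or run with no input to see the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    res = classify(data)
    for bucket, entries in res.items():
        print(f"{bucket}: {len(entries)}")
        for frame, stream, flags in entries:
            print(f"  frame {frame} stream {stream}: {' '.join(flags)}")
```

Raise `start_window` if the capture was started under heavy load and the first few frames of each stream may themselves be unreliable; and whatever the split, compare the mid-stream count against the dropped-packet figure tshark prints at the end of the capture before blaming the network.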