Wireshark-users: Re: [Wireshark-users] Question on interpreting TCP Expert Info

From: Hansang Bae <hbae@xxxxxxxxxx>
Date: Thu, 04 Jan 2007 21:10:20 -0500

At 04:28 PM 12/29/2006, Small, James wrote:

Hello, I am using Wireshark to look at mail traffic (SMTP/POP3). When I look at the trace I see lots of the following: Previous Segment Lost Retransmission (suspected) Duplicate ACKs I'm suspecting that this is exacerbated by not having enough Internet bandwidth. My question is, how do I interpret this? Does this show that I don't have enough bandwidth? Does it mean there needs to be tuning? I realize this is not an easy question and would be very happy even with a go ready book ABC answer - just as long as once I read book ABC I would know how to interpret the data. Any and all advice greatly appreciated.

First thing I would check is to make sure you don't have a duplex mismatch. Chances are, you are using some type of a cable modem router. These devices for the most part auto-negotiate. You don't (typically) have much of a choice in the matter.

So it's imperative that your PC's NIC is in auto-negotiate mode.

There really aren't to many books on using protocol analyzers. The reason is that to TRULY understand protocol analysis, you need in depth understanding of the protocols itself. Then, you need a lot of practice reading trace files as this is more art then science.

hsb