Wireshark-users: Re: [Wireshark-users] Question about "TCP previous segment lost" in LAN

From: Hansang Bae <hbae@xxxxxxxxxx>
Date: Wed, 18 Jun 2008 20:41:26 -0400

Xu nanxuan wrote:
> I set up a LAN as the test Environment, including one FTP server and one 
> client and no other net conmmunication resources(So I think it should be 
> a "clean" net env.).However, when I download a file from the server, 
> there are still lots of packets which info are "TCP previous segment 
> lost". So:
>  
> 1. What's the reason about this?
> 2. I also find an interesing phenomenon: the "Tcp previous segment lost" 
> packet appears about every 100ms (Both the server and client are Windows 
> OS). Is it just a coincidence or it's kindof necessary thing that 
> conforms to some net protocals and regulars?


It's possible that you're ftp environment is "too clean."  That is,
packets are coming in so fast that the capture can't keep up.

#2 bothers me a little bit.  80% of protocol analysis is looking for
patterns.  The 100ms timer can be associated with with some delayed ack
timers, but you shouldn't have that in a bulk transfer (no need for
delayed acks since you have so many packets flying around).  Is it
possible that these previous packets are not really missing?  If the
packet arrives out of order, (1,2,7,8,9,3,4,5,6) Wireshark will let you
know that some "previous may be missing"  but it's just out out of
order.  Can you look at the sequence numbers to see if you see any
duplicate ack's triggering a retransmission?

Also, make sure you don't have a duplex mismatch.


-- 

Thanks,
Hansang