Wireshark-users: Re: [Wireshark-users] Dropped apckets/TCP Connection Loss

From: Stephen Fisher <stephentfisher@xxxxxxxxx>
Date: Wed, 23 Aug 2006 11:20:07 -0700
On Wed, Aug 23, 2006 at 10:37:06AM -0400, Adam Mattina wrote:

> Problem 
> Web pages are coming up either 
> a) perfectly 
> b) half mangled with some images and screwed up tables or 
> c) not at all 

The last time I saw this problem, there was a MTU problem with the link.  
There was an 802.1q vlan trunk (which extends the MTU to 1522 bytes) 
trying to run across an Ethernet bridge over DS3 that only supported an 
MTU of 1518 bytes.  Only larger packets, such ones containing images, 
were dropped because they were 1522 bytes long.  You said that your link 
is metro Ethernet.  Perhaps it is a similar issue?

> I realize that retransmissions are normal, and this is what a normal 
> loss/retransmit should look like(taken from my home and office 
> connection:

That capture shows dropped packets being acknowledged and then the 
remote end sending a TCP reset (RST) to force the connection to close.  
Perhaps putting the actual capture file on that site for us to look at 
would help.

> Notice the 'Continuation packets' in the good packet loss image. I 
> don't get those on the problem network.

In my problem example above, the continuation packets would have the 
images and be at the MTU size.

However, all of those duplicate acks are not normal.  You may see these 
in Wireshark/Ethereal if your Windows machine has multiple drivers tied 
to the network card such as for VPNs.  On the other hand, the duplicate 
acks are not really happening on the network so it won't cause any 
problems.  Winpcap just sees it multiple times and passes it to 

 CCIE #15431