Wireshark-users: Re: [Wireshark-users] Dropped packets/TCP Connection Loss

From: "Adam Mattina" <amattina@xxxxxxxxxxxxxxx>
Date: Thu, 24 Aug 2006 10:19:56 -0400
I just got a message back from our provider...

"1) Interface MTU at 1500 is fine.  There is no VLAN tagging occurring
between your interface and mine, so MTU issues here are moot.

2) 10MB, Full-duplex

As a general FYI, 95% of our reported throughput/latency issues are
fixed when configs related to #2 are corrected.
Let us know if we can be of further assistance."

These settings are correct on our device and are also correct on the
previous device that was on this link (which had no problems).  Someone
suggested that there may be an issue with the 'inspect' rules on the

They are:
ip inspect name HOST-FW ftp
ip inspect name HOST-FW tcp timeout 3600
ip inspect name HOST-FW udp timeout 15

Here is a link to the capture:

Let me know what you think.

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Stephen
Sent: Wednesday, August 23, 2006 2:20 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Dropped packets/TCP Connection Loss

On Wed, Aug 23, 2006 at 10:37:06AM -0400, Adam Mattina wrote:

> Problem 
> Web pages are coming up either 
> a) perfectly 
> b) half mangled with some images and screwed up tables or 
> c) not at all 

The last time I saw this problem, there was an MTU problem with the link.

There was an 802.1q VLAN trunk (which extends the MTU to 1522 bytes) 
trying to run across an Ethernet bridge over DS3 that only supported an 
MTU of 1518 bytes.  Only larger packets, such as ones containing images, 
were dropped because they were 1522 bytes long.  You said that your link
is metro Ethernet.  Perhaps it is a similar issue?

> I realize that retransmissions are normal, and this is what a normal 
> loss/retransmit should look like (taken from my home and office 
> connection:

That capture shows dropped packets being acknowledged and then the 
remote end sending a TCP reset (RST) to force the connection to close.  
Perhaps putting the actual capture file on that site for us to look at 
would help.

> Notice the 'Continuation packets' in the good packet loss image. I 
> don't get those on the problem network.

In my problem example above, the continuation packets would have the 
images and be at the MTU size.

However, all of those duplicate acks are not normal.  You may see these 
in Wireshark/Ethereal if your Windows machine has multiple drivers tied 
to the network card such as for VPNs.  On the other hand, the duplicate 
acks are not really happening on the network so it won't cause any 
problems.  Winpcap just sees it multiple times and passes it to 

 CCIE #15431
