
Wireshark-users: Re: [Wireshark-users] Duplicate ACK

From: "EDWARD HILL" <EHill@xxxxxxxxx>
Date: Fri, 6 Mar 2009 16:52:35 -0500

Abhik,
 
Thanks for your help. Can you explain one more problem for me? I was sent some captures from one of my users that is having a problem with an FTP. When he did the first capture it was a VLAN span on a Cisco switch. I see hundreds of dup acks and TCP out-of-order packets. When I apply a display filter I see 2 of everything and the second one is always an error frame.
 
For example - if it is a TCP ack, the first frame is ok; the second is identical (same source and dest) but marked as a dup ack.
If it is an FTP frame, the second one is marked as an out-of-order.
 
If we span just the port and not the VLAN we do not see any of these error packets.
Can you help me understand this problem?
 
Thanks
Ed


From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Abhik Sarkar
Sent: Wednesday, March 04, 2009 4:32 AM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Duplicate ACK

Hi Edward,

Though it might not apply to your case, perhaps you want to have a look at this:
http://www.wireshark.org/lists/wireshark-users/200901/msg00032.html

I have seen the same behavior if the system uses bonded interfaces and the interface "any" is used for capturing (assuming Linux is used).

If this does apply, then you can simply use "editcap -d" on the capture file to get rid of the duplicate acks.

HTH
Abhik.

On Wed, Mar 4, 2009 at 12:17 AM, EDWARD HILL <EHill@xxxxxxxxx> wrote:
 
I took a capture on my network between the firewall and the app server. I have been seeing a lot of duplicate acks. But the duplicate acks never go past one and they are always from the firewall. It seems like the firewall is just trying to catch up to its buffer. I never see fast retransmissions or retransmissions. How many duplicate acks in a period of time is too much?
 
Ed
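
Added example (not part of the original thread or of Wireshark's code): a short Python script that flags byte-identical frames repeated within a small window, the kind of check "editcap -d" performs, so the doubled frames from a VLAN span can be confirmed as capture artifacts before analysis. It uses SHA-256 instead of editcap's MD5, and the function names, the 4-frame window default and the sample frames are assumptions constructed for illustration.

```python
import hashlib
import struct
from collections import deque

def build_pcap(frames):
    """Build a classic little-endian pcap (Ethernet link type) from (ts_sec, bytes) pairs."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, data in frames:
        out += struct.pack("<IIII", ts, 0, len(data), len(data)) + data
    return out

def read_pcap(blob):
    """Yield (frame_number, frame_bytes) from a classic little-endian pcap."""
    (magic,) = struct.unpack_from("<I", blob, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian microsecond pcap")
    off, num = 24, 0
    while off + 16 <= len(blob):
        _, _, incl_len, _ = struct.unpack_from("<IIII", blob, off)
        off += 16
        if off + incl_len > len(blob):
            raise ValueError("truncated packet record")
        num += 1
        yield num, blob[off:off + incl_len]
        off += incl_len

def find_duplicates(blob, window=4):
    """Return [(dup_frame, first_frame)] for frames equal to one of the previous `window` frames."""
    recent = deque(maxlen=window)  # (frame number, (length, digest)) of recent frames
    dups = []
    for num, data in read_pcap(blob):
        key = (len(data), hashlib.sha256(data).digest())
        match = next((n for n, k in recent if k == key), None)
        if match is not None:
            dups.append((num, match))
        recent.append((num, key))
    return dups

# Constructed sample: placeholder frame bytes, each seen twice as on a VLAN span.
ETH = b"\x00" * 12 + b"\x08\x00"
ACK, DATA, ACK2 = ETH + b"ack-1", ETH + b"ftp-data-1", ETH + b"ack-2"
SAMPLE = build_pcap([(1, ACK), (1, ACK), (2, DATA), (2, DATA), (3, ACK2)])

if __name__ == "__main__":
    for dup, first in find_duplicates(SAMPLE):
        print(f"frame {dup} duplicates frame {first}")
```

A frame that repeats only after more than `window` other frames is not flagged, so genuine retransmissions that arrive later are left in place.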
