Wireshark · Wireshark-users: Re: [Wireshark-users] Packets not captured, tcp acking lost segments. Large packets

["Michael Lynch" <michaellynch511@xxxxxxxxx>]

Thanks Martin

I read up on LSO. It explains how these >4K packets are appearing

Yes I am running Wireshark on the application server. I had a hard time 
installing it on my switch!! No CD-rom drive!! :)
(I am not sure what you mean by 'Server Switch')

But why is MS Net Mon seeing these large packets?

Wireshark is providing misleading information and I don't think i'm the only 
one that is suffering major confusion.
I think my self lucky as I have witnessed the packets in NetMon.
Most users on the net seem to have presumed that packets are being lost!

> Wireshark will see the large segments go out.

But its not...?

> You might want to capture on your server switch rather than the server
> to avoid seeing this.

I don't want to avoid packets, I want to see the packets!



Cheers
Michael.



----- Original Message ----- 
From: "Martin Visser" <martinvisser99@xxxxxxxxx>
To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
Sent: Friday, January 07, 2011 1:46 PM
Subject: Re: [Wireshark-users] Packets not captured, tcp acking lost 
segments. Large packets


> It sounds like you are capturing traffic on the server rather than the
> wire. If your server NIC and driver does Large Segment Offload, the
> segmentation is done by the NIC, which allows the transfer from your
> kernel to the NIC do be done in larger chunks, meaning a more
> efficient transfer. Wireshark will see the large segments go out.
>
> You might want to capture on your server switch rather than the server
> to avoid seeing this.
>
> Regards, Martin
>
> MartinVisser99@xxxxxxxxx
>
>
>
> On 7 January 2011 11:25, Michael Lynch <michaellynch511@xxxxxxxxx> wrote:
> > Hi All
> >
> > I think I've found something everyone may be interested in...
> >
> > In wireshark I am monitoring traffic of a SOAP application.
> >
> > Upon transfer of a BLOB, wire shark is showing many "Tcp ACKed lost 
> > segment"
> > packets.
> > On top of this there is no evidence of any of the SOAP data, other than 
> > the
> > initial header.
> >
> > Now I've search for this lost segment business, and no forums really seem 
> > to
> > have much of a solution other than perhaps disabling sequence analysis.
> >
> > However I think I have found the problem, but I have no understanding of 
> > the
> > whats and whys.
> >
> > In Microsoft Net Mon, the data packets ARE THERE!!!
> >
> > i.e
> > Sent packet: Captured Frame Length = 4434, Media Type = Ethernet...
> > Continuaion to packet #76.
> > Received packet: Ack
> >
> > The received packet is the only packet that shows up in Wireshark! (I 
> > have
> > cross referenced the Packet ID)
> > Wireshark is NOT COLLECTING LARGE PACKETS!!
> >
> > I have no idea how packets THAT LARGE got onto the wire IN THE FIRST 
> > PLACE!!
> >
> > What is going on??!! :)
> >
> > Cheers
> > Michael
> > ___________________________________________________________________________
> > Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> > Archives: http://www.wireshark.org/lists/wireshark-users
> > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> > mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>
> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe