First time here? Check out the FAQ!
THIS IS A TEST INSTANCE. Feel free to ask and answer questions, but take care to avoid triggering too many notifications.
Ask Your Question
0

Can you help analyse these TCP retransmit , and DUP Acks .

Can you help me understand these TCP retransmit , and DUP Acks

https://www.cloudshark.org/captures/c... https://www.cloudshark.org/captures/b...

sharky483's avatar
1
sharky483
asked 2020-05-09 03:25:28 +0000
edit flag offensive 0 remove flag close merge delete

Comments

Is it possible to share the files to public without a login to view them?

Chuckc's avatar Chuckc (2020-05-09 05:51:47 +0000) edit
more
  • delete

@bubbasnmp.. Done

sharky483's avatar sharky483 (2020-05-09 14:01:40 +0000) edit
more
  • delete

Looks like the capture system is doing TCP offload and passing large packets up.

smallsmtp - frame #17
largesmtp - frame #19

Can you make the capture on another system in the middle that would see the individual packets?
That would make it easier to diagnose.

Chuckc's avatar Chuckc (2020-05-09 14:58:17 +0000) edit
more
  • delete

@bubbasnmp , sure i will get the captures from something in the middle .

Just to clarify , the Data fragment byte size is what makes u think , the machine is doing TCP offload ?

sharky483's avatar sharky483 (2020-05-11 13:28:51 +0000) edit
more
  • delete

Look a little lower in the stack at the ip.len which is very large.
If you can experiment on the capture machine, it might be possible to disable offload for testing.

Chuckc's avatar Chuckc (2020-05-11 14:39:44 +0000) edit
more
  • delete
add a comment see more comments

1 Answer

0

The retransmits are triggered by the DupACKs. The client thinks the server is missing a packet.

The DupACKs are comming from a third system. The first ACKs from 192.168.4.149 are comming from a system with a TTL of 123 (probably 5 hops away). The DupACKs are comming from a system with a TTL of 254 (higher TTL than the first system and probably only 2 hops away).

Loadbalancer? Firewall?

JasMan's avatar
81
JasMan
answered 2020-05-10 10:57:54 +0000, updated 2020-05-10 11:00:50 +0000
edit flag offensive 0 remove flag delete link
more

Comments

add a comment see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account. This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.

Add Answer