TCP ACK from remote side takes only a few microseconds over WAN link


I have a question about TCP ACKs. In my case I have a Wireshark trace where the RTT is ~28 ms and the remote side in frame 27727 ACKs frame 27725, but the "Time since previous frame in this TCP stream" is around 22 microseconds. How can that be possible if the RTT is ~28 ms?

(image: trace)

fly_agaric asked 2020-09-19 07:18:55 +0000

Comments

Wiki overview of Timestamps and more details from Guy.

Looks like the capture machine is not keeping up since there are "not captured" and "unseen" frames.

Chuckc (2020-09-19 14:50:11 +0000)

Looks to me like the client/SPAN had a problem during capturing, and that's why the order of the frames got mixed up and some frames got lost. In frame 27733 the client 10.61.10.2 ACKs the TCP segment 2921, but it's not in the capture (= two TCP segments with 1460 bytes each are missing). Same in frame 27741, but now the server 52.114.88.87 ACKs the TCP segment 1891 that we don't see (one TCP segment with 1440 bytes is missing). Another possible reason could be that another system like a proxy had ACKed the packet. But 22 microseconds is really fast. That sounds more like a loopback adapter.

JasMan (2020-09-19 15:29:46 +0000)

According to the TTL, it should have crossed 17 hops. The hop count to the local firewall is 2, so in my opinion the firewall/proxy did not do that. Am I right?

fly_agaric (2020-09-19 15:50:38 +0000)

Yep, you're right. Then maybe a heavy load on the client/line/switchport caused the capturing issues?

JasMan (2020-09-20 10:02:12 +0000)
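
The two symptoms discussed in the comments above (an ACK for a segment that is not in the capture, and an ACK arriving far sooner than the RTT allows) can be checked mechanically. This is an added example, not part of the original thread; the record layout, addresses, sample packets and the `audit_acks` name are constructed for illustration, and it assumes relative sequence numbers and a capture taken on the `local` host's side.

```python
from collections import defaultdict

# Constructed sample records (not the trace from the question):
# (time_s, src, dst, relative_seq, payload_len, relative_ack)
CLIENT, SERVER = "10.0.0.2", "192.0.2.10"
PACKETS = [
    (0.000000, CLIENT, SERVER, 1,    1460, 1),
    (0.028100, SERVER, CLIENT, 1,    0,    1461),  # plausible: about one RTT later
    (0.030000, CLIENT, SERVER, 1461, 1460, 1),
    (0.030022, SERVER, CLIENT, 1,    0,    2921),  # ACK 22 us after the data
    (0.060000, SERVER, CLIENT, 1,    0,    5841),  # ACKs bytes never captured
]

def audit_acks(packets, local, min_rtt):
    """Return (time, reason) findings for ACKs the capture cannot explain."""
    seen_end = defaultdict(dict)  # (src, dst) -> {end_seq: first capture time}
    highest = defaultdict(int)    # (src, dst) -> highest end_seq captured
    findings = []
    for t, src, dst, seq, length, ack in packets:
        data_flow = (dst, src)    # the direction this packet acknowledges
        if ack > 1:               # relative ack 1 acknowledges no payload yet
            if ack > highest[data_flow]:
                # Acknowledged bytes were never seen: frames were dropped
                # by the capture (or the capture started mid-stream).
                findings.append((t, "ack_unseen_segment"))
                highest[data_flow] = ack  # avoid re-flagging duplicate ACKs
            elif dst == local and ack in seen_end[data_flow]:
                # Remote ACK for local data cannot beat the path RTT unless
                # frame order/timestamps are off or a nearby device ACKed it.
                if t - seen_end[data_flow][ack] < min_rtt:
                    findings.append((t, "ack_faster_than_rtt"))
        if length:
            end = seq + length
            seen_end[(src, dst)].setdefault(end, t)
            highest[(src, dst)] = max(highest[(src, dst)], end)
    return findings

if __name__ == "__main__":
    for when, reason in audit_acks(PACKETS, local=CLIENT, min_rtt=0.028):
        print(f"{when:.6f}s  {reason}")
```

Many findings of either kind in one stream point to the capture setup rather than the endpoints, which is the conclusion the commenters reach.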