Ethereal-users: Re: [Ethereal-users] traffic analysis, help please

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: ronnie sahlberg <ronniesahlberg@xxxxxxxxx>
Date: Sat, 25 Dec 2004 07:17:30 +1100
"Previous Segment Lost" menas just that: the previous segments was
missing from the capture.

Was this segment immediately ACKed by the other side?
I.e. was there an ACK coming back reasonably soon after this segment
that ACKed what was marked as the "next sequence number"  for the
"prev segm lost" packet or beyond that number ?
If so,   it is very likely that the packet did go across the weire but
it was just missing from the capture.

Or,

Are there DupACKs and is there sometime later a TCP Retransmission
with a sequence number that is prior to the one in the "prev segment
lost" packet?
If so it the packet was probably lost.

Or,

Is there an OutOfOrder segment just immediately after the previous segment lost?
If so it is probably just packet reordering in the network  which is normal.



Keep in mind,   packetloss in the network is normal and can not be eliminated.
In fact  due to the way TCP works   TCP must deliberately create
packetloss in order to be able to optimize throughput.


If only a few packets are missing and retransmitted  then this is
normal and expected.
This is ethernet and tcp/ip   it is supposed to be lossy.




On Fri, 24 Dec 2004 06:37:34 -0800, Brian Davidson <briankd@xxxxxxxxx> wrote:
> Okay, I see that a TCP Packet was lost, but I guess I want a fuller definition of the word "lost".  Yes, the packet might actually not be there.  Beyond that, how likely is it that the traffic was so heavy on the line that Ethereal did not have resources to capture and save it?  I need to know if "TCP Previous Segment Lost" means absolutely that it was missing, rather than "slipped past while Ethereal was busy".  Is there some other indicater in the capture file that traffic volume got high enough to affect the ability to record?
> 
> I'll next ask this question of Cisco.  Any idea what their answer will be?
> 
> Thanks,   Brian
> 
> On Thu, 26 Aug 2004 17:08:24 +1000, ronnie wrote:
> >
> > They more than likely mean that you have packetloss somewhere on the
> > path between the two hosts.
> >
> > So that TCP needs to retransmit the packets.
> > 1, is an indication of TCP retransmitting a previously dropped packet.
> > 2, is an indication that one or more packet prior to this one in the
> > sequence number space was lost.
> >
> >
> > On Wed, 25 Aug 2004 11:21:03 -0500, Neil  wrote:
> > > Hey guys,
> > >
> > > I'm trying to understand traffic. I am seeing the following in Ethereal. Can
> > > someone help me understand what those traffic mean?
> > >
> > > 1. TCP Retransmission
> > > 2. TCP Previous Segment Lost
> > >
> > > Thanks,
> > >
> > > Neil
> 
> _______________________________________________
> Ethereal-users mailing list
> Ethereal-users@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-users
>