Wireshark-users: Re: [Wireshark-users] FTP - TCP Previous segment lost, TCP Dup ACK, TCP Retransm

From: Hansang Bae <hbae@xxxxxxxxxx>
Date: Thu, 06 Dec 2007 22:18:47 -0500
Reynolds, Tom wrote:[snip: moving datacenter. using ftp to test the throughput]
To simplify testing, I have removed the VPN, and now test with FTP servers at each location.

Downloads and uploads (from a DSL line) to Philadelphia. Everything is great. We get a solid 3 Mb/s download and a solid 750k upload. Downloads from Valley Forge to the DSL line are very poor, with almost double the time to download the same 10 MB file. There are frequent drops from the 3Mb/s range to about 500k. I have actually seen worse than this.

After looking at the sniffer logs, here is what I see: (middle 10 packets 8950-8959, right about the time of the bandwidth drops). Note that I am getting a ton of: TCP Previous segment lost
TCP Dup ACK
TCP Retransmission

Are these TCP drops normal for traffic over the internet?

Depends. Don't you hate those answers? Ask your ISP what their SLA is for packet loss etc. Assuming both ends are from the same provider, they should be able to meet the SLA. I *believe* you can expect up to 3% packet loss if you're going over the Internet. It's been a while since I checked the SLA from MCI/Verizon/ATT.


How many drops are acceptable?

No one can answer this. Less is better. But if your transfer time is acceptable, then whatever packet loss you are seeing is normal. For some, 0.03% is too much. Since you *are* seeing packet loss, it may benefit your servers if you enable SACK (Selective ACK). It should help you recover a bit faster. Just google for Microsoft's whitepapers on how to enable RFC-1323 settings.


How do I find out where or why packets are dropping?

Difficult to do unless you have sniffers mid way in the cloud. If ICMP is allowed, (you can ping end to end), you can try using "pathping" It will help you identify where the packet loss is occuring (in transit or at some router in the middle). Of course, if the ISP is doing control plane protection or is throttling ICMP packets, you may get erroneous results. Microsoft's pathping uses ICMP to 'stress' the routers and the links.


Are there any other free tools I can use to better track my packets through the internet?

Not really. If you own the routers at both ends, you can think about enabling Cisco's IPSla (used to be call SAA) This assumes you have Cisco routers. You can enable jitter, ping, and path probes to see how volatile your links are.

good luck