Wireshark-users: Re: [Wireshark-users] Terminal Server traffic

From: Hansang Bae <hbae@xxxxxxxxxx>
Date: Tue, 11 Mar 2008 20:13:55 -0400
Albert Jurado wrote:
I've looked at the captures and there's no reason to believe that the packets are duplicates.
>I've filtered the capture to show the communication between the terminal server

and the SQL server. When I apply this filter every other line in the wireshark display

shows the "This frame is a (suspected) out-of-order segment".
>
> This much fragmentation just doesn't seem normal. Can someone please shed some light on this.. >There's a part of me that thinks I'm chasing a ghost and that the problem is related to

the way wireshark captures terminal server communication.


It's trivial to see if in fact they are out of order. Just follow the tcp sequence numbers to see if they are out of order. You can't really have that many out of order packets unless a few specific conditions are met (these are corner/academic cases).

1) You have a redundant network path and one path is slightly slower than the other. *AND* someone turned on per-packet-cef or is process switching the traffic causing per-packet load balancing to occur.

2) Your span (monitor) session is watching two interfaces and one is more overloaded than the other. So the packets were never out of order but they *got* to the wireshark machine out of order. But for it to be off by every other packet is next to impossible.

If you post a small sample (10 packets is sufficient) we may be able to assist more. Please keep them in the pcap format.

One big Blue's Clues you can check for. Are the IP ID field same on the two packets? Come to think of it. Wireshark would tag them as "suspected retransmission" as opposed to out of order packets.

Now I would really like to see the pcap data. You don't have to upload the entire packet, you can chop it at 96 bytes or so with editcap.

--

Thanks,
Hansang