Wireshark-users: Re: [Wireshark-users] SYN repeated retransmission despite "SYN ACK" following in

From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Date: Fri, 23 Apr 2010 21:45:30 +0200
On 04/23/2010 09:21 PM, Jake Peavy wrote:
On Fri, Apr 23, 2010 at 10:14 AM, Jeff Bruns <jeff.bruns@xxxxxxxxx
<mailto:jeff.bruns@xxxxxxxxx>> wrote:

    Martin-
    Thank you for your reply, your information was very helpful. I've
    attached the wireshark screenshot, hopefully it helps the situation
    to make more sense.

    Regards-
    Jeff


    On Thu, Apr 22, 2010 at 9:09 PM, Martin Visser
    <martinvisser99@xxxxxxxxx <mailto:martinvisser99@xxxxxxxxx>> wrote:

        Jeff,

        None of your links seem to be correct at all, only pointing to
        the top level forum.

        As far as seeing SYN attempts at increasing intervals, this is
        pretty normal if you have connectivity issues. The response
        should always be a SYN+ACK or a RST. Can't think of why a
        half-open connection on the printer would respond to another SYN
        with just an ACK.

        Bottlenecks don't usually reveal themselves unless they are
        stressed. Either you need to test the level that the bottleneck
        appears using your native applications, or traffic generator
        tools such as iperf. By watching the amount of traffic that can
        pass through the bottleneck (measured by whatever means such as
        the network equipment's stats, the load generator tool or say
        Wireshark) you can determine at what point it becomes significant.

        Regards, Martin

        MartinVisser99@xxxxxxxxx <mailto:MartinVisser99@xxxxxxxxx>


        On Fri, Apr 23, 2010 at 3:33 AM, Jeff Bruns
        <jeff.bruns@xxxxxxxxx <mailto:jeff.bruns@xxxxxxxxx>> wrote:

            Greetings-
            I previously posted on the Devshed forums but haven't
            received any response. Hopefully the wireshark community
            might be able to help...

            I wrote a perl program which acts as a network sniffer,
            intercepting data sent to a networked laser printer. The
            resulting data, once parsed, is formatted and written to a
            serial port which has connected a series of scrolling LED
            signboards. I've recently been experiencing some issues with
            my network traffic and I was hoping to get some advice on how
            to proceed.

            I'm running Windows XP connected to a 10Mbps wired LAN which
            is part of a larger VPN. I've been using wireshark in my
            effort to better understand my recent network issues.

            The following scenario was an attempt to send data to our
            networked laser printer. I was able to capture the
            corresponding network traffic with wireshark. I've attached a
            snapshot of the wireshark traffic.

            My first question, which I'm under the assumption is out of
            my control, has to do with the 5 repeated SYN packets,
            despite the SYN, ACK that was sent immediately following the
            first SYN. I'm thinking maybe the sender failed to receive
            the SYN, ACK and as a result resent the SYN packet?? That
            being the case, why is the receiver replying with repeated
            ACK instead of SYN, ACK?

            My next question has to do with the timeframe between each
            of the following SYN packets. It would appear that the time
            doubles after each sent SYN packet. Given the precision of
            the time intervals I would assume it has something to do with
            the retransmission timer or persistence timer, although I'm
            curious as to why the interval doubles after each attempt.

            Information sent to our networked printer is time sensitive,
            and as you can see from the timestamps shown throughout the
            network traffic it takes almost 3 minutes to successfully
            transmit the data.

            My questions are:
            1- Is there anything I can do to prevent the redundant SYN
            attempts in the future?
            2- Is there a way to decrease the timeout so that in the
            event of future occurrences, the interval between SYN
            attempts is expedited?
            3- In the event data loss is suspected due to network
            congestion or quality, are there any diagnostics I could
            perform to identify bottlenecks?

            Below is a link to a wireshark screenshot showing the
            packets within the message. It being my first time posting to
            the list, I'm not sure if I'm permitted to include
            attachments, so the screenshot is a link to the devshed post
            attachment. If it would be helpful and I'm permitted I'd be
            happy to attach the wireshark pcap dump file.

            Any help would be greatly appreciated.



http://blog.ksplice.com/2010/04/dating-is-rough-at-the-transport-layer/


Brilliant :))

Thanks,
Jaap
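
Added example, not part of the original thread or any poster's code: a check over packet records for the pattern discussed above, where a SYN is resent with the same sequence number at doubling intervals while the peer answers the first with SYN+ACK and the rest with a bare ACK. The addresses, port 9100, sequence numbers and the 3 s first gap are constructed sample values, not taken from the capture in the thread.

```python
from collections import defaultdict

SYN, ACK = 0x02, 0x10

# Constructed sample, not the capture from the thread:
# (time_s, src, sport, dst, dport, tcp_flags, seq). Port 9100 and the 3 s
# first gap are assumptions chosen for illustration.
C, P = ("10.0.0.5", 1045), ("10.0.0.9", 9100)
PACKETS = []
for i, t in enumerate([0.0, 3.0, 9.0, 21.0, 45.0]):
    PACKETS.append((t, *C, *P, SYN, 1000))            # same ISN each time
    reply = SYN | ACK if i == 0 else ACK              # as described in the post
    PACKETS.append((t + 0.001, *P, *C, reply, 5000))  # peer seq is not used below


def retransmitted_syns(packets):
    """Map flow -> timestamps of bare SYNs that reuse the same sequence number."""
    seen = defaultdict(list)
    for t, src, sport, dst, dport, flags, seq in packets:
        if flags & SYN and not flags & ACK:
            seen[(src, sport, dst, dport, seq)].append(t)
    return {k[:4]: ts for k, ts in seen.items() if len(ts) > 1}


def gap_ratios(times):
    """Ratio of each retransmission gap to the previous one."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    return [round(g2 / g1, 2) for g1, g2 in zip(gaps, gaps[1:])]


def is_doubling(times, tolerance=0.1):
    """True when every gap is about twice the one before (exponential backoff)."""
    ratios = gap_ratios(times)
    return bool(ratios) and all(abs(r - 2.0) <= tolerance for r in ratios)


def peer_replies(packets, flow):
    """TCP flags of each packet the peer sent back on the reverse of `flow`."""
    src, sport, dst, dport = flow
    return [f for _, s, sp, d, dp, f, _ in packets
            if (s, sp, d, dp) == (dst, dport, src, sport)]


if __name__ == "__main__":
    for flow, times in retransmitted_syns(PACKETS).items():
        print(flow, times, gap_ratios(times), is_doubling(times))
        print([hex(f) for f in peer_replies(PACKETS, flow)])
```

Fed with fields exported from a real capture, a doubling result together with replies of 0x12 followed by 0x10 matches the symptom described in the original post.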