Forum Discussion

kridsana's avatar
kridsana
Icon for Cirrocumulus rankCirrocumulus
Jan 18, 2013

TCP previous segment lost

From this tcpdump

 

 

12.12.12.12 is ip client , 100.100.100.13 is ip Virtual server

 

 

12.12.12.12 100.100.100.13 TCP 66 4204 > http [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM=1

 

100.100.100.13 12.12.12.12 TCP 66 http > 4204 [SYN, ACK] Seq=0 Ack=1 Win=4380 Len=0 MSS=1460 SACK_PERM=1

 

12.12.12.12 100.100.100.13 TCP 64 4204 > http [ACK] Seq=1 Ack=1 Win=65535 Len=0

 

12.12.12.12 100.100.100.13 HTTP 124 POST /WSCDS/services/WSCDS?wsdl HTTP/1.1 [Packet size limited during capture]

 

12.12.12.12 100.100.100.13 HTTP 124 [TCP Previous segment lost] Continuation or non-HTTP traffic[Packet size limited during capture]

 

100.100.100.13 12.12.12.12 TCP 60 [TCP ACKed lost segment] http > 4204 [ACK] Seq=1 Ack=2049 Win=6428 Len=0

 

12.12.12.12 100.100.100.13 HTTP 124 Continuation or non-HTTP traffic[Packet size limited during capture]

 

100.100.100.13 12.12.12.12 TCP 60 [TCP ACKed lost segment] http > 4204 [ACK] Seq=1 Ack=2479 Win=6858 Len=0

 

 

what the meaning and what cause of TCP Previous segment lost ?

 

 

thank you

 

5 Replies

  • what the meaning and what cause of TCP Previous segment lost ?TCP Analyze Sequence Numbers

     

    http://wiki.wireshark.org/TCP_Analyze_Sequence_Numbers
  • yeah ,and from tcpdump above. Problem is shown TCP previous segment lost but not retransmit.

     

    can i send you tcpdump file or would you see it in websupport?
  • giltjr's avatar
    giltjr
    Icon for Nimbostratus rankNimbostratus
    Was this at the beginning/start of a capture? Wireshark will mark a segment as missing if it receives a ACK for something it did not see. This is a common occurrence when first staring a tcpdump.

     

     

    Packet is sent

     

    tcpdump is started

     

    ACK is seen.
  • Was this at the beginning/start of a capture? Wireshark will mark a segment as missing if it receives a ACK for something it did not see. This is a common occurrence when first staring a tcpdump.

     

     

     

    no, it's just begining of tcp stream , handshake + send packet. and wireshark mark previous segment lost when a packet arrives with a sequence number greater than the "next expected sequence number" on that connection. but no retransmit happen.
  • giltjr's avatar
    giltjr
    Icon for Nimbostratus rankNimbostratus
    Was the tcpdump done on the F5? If so do you have LACP setup on a couple interfaces? Did you run tcpdump capturing both interfaces?

     

     

    I am assuming that the F5 is not so busy that it might be dropping packets during the capture.