For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

kridsana's avatar
kridsana
Icon for Cirrocumulus rankCirrocumulus
Jan 18, 2013

TCP previous segment lost

From this tcpdump

 

 

12.12.12.12 is ip client , 100.100.100.13 is ip Virtual server

 

 

12.12.12.12 100.100.100.13 TCP 66 4204 > http [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM=1

 

100.100.100.13 12.12.12.12 TCP 66 http > 4204 [SYN, ACK] Seq=0 Ack=1 Win=4380 Len=0 MSS=1460 SACK_PERM=1

 

12.12.12.12 100.100.100.13 TCP 64 4204 > http [ACK] Seq=1 Ack=1 Win=65535 Len=0

 

12.12.12.12 100.100.100.13 HTTP 124 POST /WSCDS/services/WSCDS?wsdl HTTP/1.1 [Packet size limited during capture]

 

12.12.12.12 100.100.100.13 HTTP 124 [TCP Previous segment lost] Continuation or non-HTTP traffic[Packet size limited during capture]

 

100.100.100.13 12.12.12.12 TCP 60 [TCP ACKed lost segment] http > 4204 [ACK] Seq=1 Ack=2049 Win=6428 Len=0

 

12.12.12.12 100.100.100.13 HTTP 124 Continuation or non-HTTP traffic[Packet size limited during capture]

 

100.100.100.13 12.12.12.12 TCP 60 [TCP ACKed lost segment] http > 4204 [ACK] Seq=1 Ack=2479 Win=6858 Len=0

 

 

what the meaning and what cause of TCP Previous segment lost ?

 

 

thank you

 

config
design

5 Replies

  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Jan 19, 2013
    what the meaning and what cause of TCP Previous segment lost ?TCP Analyze Sequence Numbers

     

    http://wiki.wireshark.org/TCP_Analyze_Sequence_Numbers
  • kridsana's avatar
    kridsana
    Icon for Cirrocumulus rankCirrocumulus
    Jan 22, 2013
    yeah ,and from tcpdump above. Problem is shown TCP previous segment lost but not retransmit.

     

    can i send you tcpdump file or would you see it in websupport?
  • giltjr's avatar
    giltjr
    Icon for Nimbostratus rankNimbostratus
    Jan 22, 2013
    Was this at the beginning/start of a capture? Wireshark will mark a segment as missing if it receives a ACK for something it did not see. This is a common occurrence when first staring a tcpdump.

     

     

    Packet is sent

     

    tcpdump is started

     

    ACK is seen.
  • kridsana's avatar
    kridsana
    Icon for Cirrocumulus rankCirrocumulus
    Jan 23, 2013
    Was this at the beginning/start of a capture? Wireshark will mark a segment as missing if it receives a ACK for something it did not see. This is a common occurrence when first staring a tcpdump.

     

     

     

    no, it's just begining of tcp stream , handshake + send packet. and wireshark mark previous segment lost when a packet arrives with a sequence number greater than the "next expected sequence number" on that connection. but no retransmit happen.
  • giltjr's avatar
    giltjr
    Icon for Nimbostratus rankNimbostratus
    Jan 23, 2013
    Was the tcpdump done on the F5? If so do you have LACP setup on a couple interfaces? Did you run tcpdump capturing both interfaces?

     

     

    I am assuming that the F5 is not so busy that it might be dropping packets during the capture.