Albert Jurado wrote:
> I've looked at the captures and there's no reason to believe that the packets are duplicates.
> I've filtered the capture to show the communication between the terminal server
> and the SQL server. When I apply this filter every other line in the Wireshark display
> shows the "This frame is a (suspected) out-of-order segment".
>
> This much fragmentation just doesn't seem normal. Can someone please shed some light on this..
> There's a part of me that thinks I'm chasing a ghost and that the problem is related to
> the way Wireshark captures terminal server communication.

It's trivial to see if in fact they are out of order. Just follow the
TCP sequence numbers to see if they are out of order. You can't really
have that many out of order packets unless a few specific conditions are
met (these are corner/academic cases).
1) You have a redundant network path and one path is slightly slower
than the other. *AND* someone turned on per-packet-cef or is process
switching the traffic causing per-packet load balancing to occur.
2) Your span (monitor) session is watching two interfaces and one is
more overloaded than the other. So the packets were never out of order
but they *got* to the wireshark machine out of order. But for it to be
off by every other packet is next to impossible.
If you post a small sample (10 packets is sufficient) we may be able to
assist more. Please keep them in the pcap format.
One big Blue's Clues you can check for: is the IP ID field the same on the
two packets? Come to think of it, Wireshark would tag them as
"suspected retransmission" as opposed to out of order packets.
Now I would really like to see the pcap data. You don't have to upload
the entire packet, you can chop it at 96 bytes or so with editcap.
--
Thanks,
Hansang
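
The two checks suggested in the message above (follow the TCP sequence numbers, compare the IP ID field), as an added example that is not part of the original thread. The addresses, ports, label names and sample packets are constructed, the labels are a simplification rather than Wireshark's own analysis, and treating "same sequence number and same IP ID" as one packet captured twice is an assumption about how the sending host numbers its packets.

```python
import struct

def make_pkt(src, dst, sport, dport, ip_id, seq, payload):
    """Constructed sample data: minimal IPv4+TCP packet, checksums left at 0."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), ip_id, 0, 64, 6, 0,
                     bytes(src), bytes(dst))
    return ip + tcp + payload

def parse(pkt):
    """Return (flow, ip_id, seq, tcp_payload_len) from a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ip_id = struct.unpack("!HH", pkt[2:6])
    sport, dport, seq = struct.unpack("!HHI", pkt[ihl:ihl + 8])
    data_off = (pkt[ihl + 12] >> 4) * 4
    return (pkt[12:16], pkt[16:20], sport, dport), ip_id, seq, total_len - ihl - data_off

def seq_lt(a, b):  # True if a is before b, allowing for 32-bit sequence wraparound
    return ((a - b) & 0xFFFFFFFF) > 0x7FFFFFFF

def classify(packets):
    """Label each data segment, tracking each direction of each flow separately."""
    next_seq, seen, labels = {}, {}, []
    for pkt in packets:
        flow, ip_id, seq, length = parse(pkt)
        if length == 0:                      # pure ACKs consume no sequence space
            labels.append("no-data")
            continue
        expected = next_seq.get(flow)
        ids = seen.setdefault(flow, {}).setdefault(seq, set())
        if ip_id in ids:                     # same seq and same IP ID: one packet seen twice
            labels.append("capture-duplicate")
        elif ids:                            # same seq, new IP ID: the sender sent it again
            labels.append("retransmission")
        elif expected is not None and seq_lt(seq, expected):
            labels.append("out-of-order")    # new data that arrived behind later data
        elif expected is not None and seq != expected:
            labels.append("gap-before")      # an earlier segment has not been seen yet
        else:
            labels.append("in-order")
        ids.add(ip_id)
        end = (seq + length) & 0xFFFFFFFF
        if expected is None or seq_lt(expected, end):
            next_seq[flow] = end
    return labels

A, B = (10, 0, 0, 1), (10, 0, 0, 2)          # constructed addresses
SAMPLE = [make_pkt(A, B, 49152, 1433, i, s, b"x" * 100) for i, s in
          [(10, 1000), (12, 1200), (11, 1100), (11, 1100), (13, 1200), (14, 1300)]]
```

Calling `classify(SAMPLE)` labels the six constructed packets in capture order; a capture where most frames come back as `capture-duplicate` points at the monitor session rather than the network path.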