Wireshark Capture: Numerous "Bad TCP" frames

Discussion in 'other firewalls' started by wat0114, Jan 14, 2008.

Thread Status:
Not open for further replies.
  1. wat0114

    wat0114 Guest

    Hopefully this is the right forum. Using Wireshark to capture < 1 minute of data surfing to four different, random websites, I see there are quite large numbers of "Bad TCP" frames that Wireshark has captured. Screenshot shows only one cluster out of the entire capture, but there are numerous others similar to it. I'm estimating approximately 20% of total frames are "Bad TCP".

    According to this quote taken from the Wireshark Wiki:

    It looks like there could be a problem, perhaps with my router, as these large numbers of corrupted frames are still occurring even with all my resident apps (av, firewall & ad blocker) disabled. Numerous retests confirm the same thing. I am behind a router and when I get a chance I will retest with my pc direct-connected to the modem. Surfing speeds using IE7 or FF are randomly slow, especially of late.

    I'm just wondering if anyone using a packet capturing utility has noticed a high percentage of these corrupted frames and what percentage of them can be considered normal.

    BTW, I also have Wireshark's "Validate the TCP checksum if possible" checkbox cleared for these tests. Also removed "source" and "destination" address columns to retain privacy.
     


  2. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    As far as I see, the frames in your screenshot don't have bad CRC. They are duplicates and retransmissions, which usually appear when the connection is poor...
     
  3. wat0114

    wat0114 Guest

    You are right Nebulus, they aren't actually corrupted frames. Poor choice of adjective on my part :)

    I've just physically bypassed my router, connecting directly to modem and re-ran a few tests. There are still quite large numbers of these DUP ACKs, retransmissions and other "Bad TCP" packets.

    Of interest, at least to me, is the constant bombardment of ARP broadcasts (screenshot) now seen after bypassing my router. I just ran a 30 second capture and there were literally >2500 of these ARP broadcasts! This alone seems to lend full support to place one's pc behind a router ;)

    Anyways, I know I can safely rule out my router as the source of these "Bad TCP" frames. I will send my data to my ISP, Shaw, and enquire if there is something wrong on their end.

    Thanks for your input Nebulus :)
     


    Last edited by a moderator: Jan 14, 2008
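
The duplicate ACKs and retransmissions discussed in the posts above are identified from sequence and acknowledgment numbers alone, with no checksum involved. The sketch below is an added example, not part of the thread and not Wireshark's own code; it is a simplified heuristic (Wireshark's TCP analysis applies more conditions), and the segment tuples, host names and function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample, not from the thread's capture:
# (src, dst, relative seq, relative ack, payload length)
SAMPLE = [
    ("srv", "pc", 1, 1, 1000),
    ("pc", "srv", 1, 1001, 0),
    ("srv", "pc", 2001, 1, 1000),  # bytes 1001-2000 never arrived
    ("pc", "srv", 1, 1001, 0),     # receiver repeats its last ACK
    ("srv", "pc", 3001, 1, 1000),
    ("pc", "srv", 1, 1001, 0),     # and repeats it again
    ("srv", "pc", 1001, 1, 1000),  # sender resends the missing bytes
    ("pc", "srv", 1, 4001, 0),
    ("srv", "pc", 4001, 1, 1000),
    ("pc", "srv", 1, 5001, 0),
]

def classify(segments):
    """Label each segment 'ok', 'dup_ack' or 'retransmission'."""
    next_seq = {}  # per direction: highest seq + length sent so far
    last_ack = {}  # per direction: ack number of the previous pure ACK
    labels = []
    for src, dst, seq, ack, length in segments:
        flow = (src, dst)
        if length > 0 and seq < next_seq.get(flow, 0):
            labels.append("retransmission")  # data below what was already sent
        elif length == 0 and last_ack.get(flow) == ack:
            labels.append("dup_ack")  # same ack number, no new data
        else:
            labels.append("ok")
        if length > 0:
            next_seq[flow] = max(next_seq.get(flow, 0), seq + length)
            last_ack.pop(flow, None)  # data ends a run of pure ACKs
        else:
            last_ack[flow] = ack
    return labels

def flagged_share(labels):
    """Return (counts per label, percentage of segments not labelled 'ok')."""
    counts = Counter(labels)
    if not labels:
        return counts, 0.0
    return counts, 100.0 * (len(labels) - counts["ok"]) / len(labels)

if __name__ == "__main__":
    counts, pct = flagged_share(classify(SAMPLE))
    print(dict(counts), f"{pct:.0f}% flagged")
```

A single lost segment in this sample produces three flagged frames out of ten, which shows how a modest loss rate can account for a large share of flagged frames in a capture.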
  4. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,121
    Location:
    USA
    I didn't see mention of your OS. If you're using XP you could try optimizing the connection parameters, such as MTU, TTL, and RWIN. At DSLreports.com there's a speed test and a utility called Dr TCP for changing various settings.
     
  5. wat0114

    wat0114 Guest

    It is XP. I'll look into that, thanks.
     