We've captured some traffic of one of the applications and we see a lot of segments with the message "tcp acked unseen segments in captured traffic". The AMDs have a high gap rate (nearly 100%).
We guess the "tcp acked unseen segments in captured traffic" message is due to the high gap rate because the AMD is dropping packets. Is it true?
If it's true, SPAN port should be double-check, right?
TCP ACKed unseen segment means that there have been packets exchanged between client and server which are not present in the packet trace. This happens when the packet acquisition fabric (SPAN, tap, NPB) is oversubscribed and does not forward all packets to the monitoring tool. AMD is such a monitoring tool. So it's not the AMD that drops packets; the AMD simply never received them. They have been dropped somewhere between the SPAN/TAP point and the AMD. Yes, double-check the SPAN configuration, that's the usual source of oversubscription.
Packet Sequence Gaps can be caused by a few issues.
If the AMD is dropping packets it will report it in controlled/uncontrolled drops in NAM Server diagnostic reports (traffic diagnostics and probe statistics).
As Kris stated - a span could be oversubscribed and all the packets do not make it to the span.
Firewalls can re-sequence packets. Create a packet capture and view it in Wireshark. Add the following Wireshark columns:
Look for packets with the same source and destination addresses. Compare the hardware addresses and look for different MAC addresses. Packet lengths can be used to help identify similar/same packets. Compare the Seq No. For a particular IP pair they should increase gradually. If the Seq No is changing out of sequence for an IP session, a sequence gap could be reported.
If a firewall is re-sequencing packets, work with the network/port aggregator admin to selectively clean up the packets/acquisition location.
These Wireshark settings could also be used to verify if a span is dropping packets.
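A small triage script, added here as an example and not part of either answer above, that applies the checks described (same IP pair, differing source MACs, sequence numbers that jump or go backwards, ACKs for bytes that never appeared in the capture) to constructed packet records. The record layout is an assumption; in practice you would export the same columns from Wireshark or tshark and feed them in.

```python
from collections import defaultdict

# Constructed sample, not from a real capture. One tuple per packet in capture order:
# (src_mac, src_ip, sport, dst_ip, dport, seq, ack, payload_len)
PACKETS = [
    ("aa:aa:aa:00:00:01", "10.0.0.5", 40000, "10.0.0.9", 443, 1000, 5000, 100),
    ("aa:aa:aa:00:00:01", "10.0.0.5", 40000, "10.0.0.9", 443, 1100, 5000, 100),
    ("bb:bb:bb:00:00:02", "10.0.0.5", 40000, "10.0.0.9", 443, 1100, 5000, 100),  # same bytes, other MAC
    ("aa:aa:aa:00:00:01", "10.0.0.5", 40000, "10.0.0.9", 443, 1300, 5000, 100),  # 1200-1299 never captured
    ("cc:cc:cc:00:00:03", "10.0.0.9", 443, "10.0.0.5", 40000, 5000, 1400, 0),    # ACK matches what we saw
    ("cc:cc:cc:00:00:03", "10.0.0.9", 443, "10.0.0.5", 40000, 5000, 1500, 0),    # ACKs bytes never captured
    ("aa:aa:aa:00:00:01", "10.0.0.5", 40000, "10.0.0.9", 443, 1200, 5000, 100),  # late/retransmitted segment
]


def analyze(packets):
    """Return {finding: [packet indexes]} for the symptoms discussed in the thread."""
    findings = defaultdict(list)
    highest_end = {}   # flow -> highest seq+len captured from that sender
    seen = {}          # (flow, seq, len) -> source MAC of the first sighting
    for i, (mac, sip, sp, dip, dp, seq, ack, plen) in enumerate(packets):
        flow, reverse = (sip, sp, dip, dp), (dip, dp, sip, sp)
        key = (flow, seq, plen)
        if plen and key in seen:
            # Same bytes captured twice. A different MAC points at a second acquisition
            # path or a device (firewall, aggregator) re-emitting the segment.
            findings["dup_other_mac" if seen[key] != mac else "dup_same_mac"].append(i)
        elif plen:
            seen[key] = mac
            expected = highest_end.get(flow)
            if expected is not None and seq > expected:
                findings["gap"].append(i)            # bytes between expected and seq missing
            elif expected is not None and seq < expected:
                findings["out_of_order"].append(i)   # retransmission or reordering
            highest_end[flow] = max(expected or 0, seq + plen)
        # ACK beyond anything captured from the peer: what Wireshark labels "ACKed unseen segment".
        if ack > highest_end.get(reverse, ack):
            findings["acked_unseen"].append(i)
    return dict(findings)


if __name__ == "__main__":
    for category, idxs in analyze(PACKETS).items():
        print(f"{category}: packets {idxs}")
```

A capture full of "acked_unseen" and "gap" with no "dup_other_mac" hits points at drops before the AMD (SPAN oversubscription); many "dup_other_mac" hits point at a second path or re-sequencing device feeding the same segments.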