![wireshark logo](/images/wireshark-logo.png)
Wireshark mailing list archives
Re: ACKed segment that wasn't captured
From: Peter Wu <peter () lekensteyn nl>
Date: Tue, 17 Jul 2018 11:24:45 +0200
Hi Luke, On Fri, Jun 01, 2018 at 02:47:06AM +0000, luke devon via Wireshark-users wrote:
While analysing the captured pcap in wireshark ,I have found significant occurrences of following messages. There is noextra hops in between the switch and particular server where I am capturing thetraces using dumpcap. As I checked, I don’t see any packet TX/RX failures in the server’s network interfaces. May I know what could be the root cause and howcan I fix it ? ACKed segment that wasn't captured (common at capture start) Previous segment(s) not captured (common at capture start)
This message could occur for at several reasons: - A capture was started while a connection was already established. Fix: start a capture before opening the application/connection. - The capture device could not keep up with the number of packets and started dropping packets. This is not the same as TX/RX issues. Packets could still be transmitted/received fine, but dropped during the live capture. You can try to set capture filters (e.g. "port 53") for the traffic you are interested in. - If the packets go through the public Internet, packet reordering might occur. You'll likely see "Out-of-Order" or "Retransmission" notes following the affected segments. There is not much to do from a network POV, this is pretty common. If you are analyzing application layer traffic, note that such behavior might break reassembly. In the next version of Wireshark (2.9/3.x), there will be a TCP preference that can be enabled to enable reassembly: https://www.wireshark.org/docs/wsug_html_chunked/ChAdvReassemblySection.html#ChAdvReassemblyTcp When troubleshooting, it can be beneficial to add a column for "tcp.stream" (or just apply a display filter for it). That way, you can focus on one connection. E.g. the first reason above should only be visible in the begin of a stream and should not occur later in a stream. Hope it helps. -- Kind regards, Peter Wu https://lekensteyn.nl ___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users () wireshark org> Archives: https://www.wireshark.org/lists/wireshark-users Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe
Current thread:
- Re: ACKed segment that wasn't captured Peter Wu (Jul 17)