This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

TCP: Previous segment not captured, Is that a connectivity issue?


Hi guys, I've been analyzing the packets sent between one server (172.20.3.188) and some clients. After I opened the capture in Wireshark, I saw that there are some messages that say "Protocol TCP. Previous segment not captured" and "TCP: ACKed segment that wasn't captured (common at capture start)". Looking on the internet I found that it is a connectivity issue, but I'm not really able to understand it. I was wondering if you can give me some ideas/advice about what could be happening. I uploaded the capture; here is the link: http://www.cloudshark.org/captures/416284356bd1.

asked 03 Oct '13, 08:21


EduardoHzz

edited 04 Oct '13, 23:36


grahamb ♦


Clicking on the link gives a "404 Not Found"

(03 Oct '13, 08:50) Bill Meier ♦♦

Do I have to download any software to share this? Let's see if this works: http://www.cloudshark.org/captures/3ce0dafb3430

Ans: 1. No 2. This link works ....

(03 Oct '13, 09:07) EduardoHzz

One Answer:


The messages just mean exactly what they say: one or more tcp segments were not captured.

This will happen if (a) a capture is started in the middle of a TCP "conversation" (obviously) or (b) one or more frames are dropped (not captured) during a capture.

(a) is normal; (b) might happen for a number of reasons (e.g., the machine which is running Wireshark is slow).

In any case, the messages don't normally indicate an issue .... Looking at the capture might or might not provide more information.


Looking at the capture:

It seems to me that you are having a problem with the actual capture. That is, there are significant gaps of 1 or more seconds in the capture (e.g. between frames 6967 and 6968).

This has to be a problem with the capture itself because the traffic on the various connections continues on; IOW the sending/receiving nodes think everything is OK; they are seeing the frames even if they are missing from the capture file.

Looking at the I/O graph (Statistics > IO Graph) shows a number of obvious gaps.

[image: I/O graph]

So: answering your original question: This is a "capture" issue (which causes the "previous segment lost" & etc. expert messages).

Is there a specific problem you are trying to analyze ?

answered 03 Oct '13, 09:00


Bill Meier ♦♦

edited 03 Oct '13, 11:03

Hi, yes I'm trying to identify why the server is not receiving some responses from (in this case) a network element. I work with a UNIX server, connecting to it by telnet using a virtual machine. I made the capture using the snoop command between the server (UNIX) and the network element. I saved the result of the command in a file, and after that I imported this file into Wireshark. In the network element configuration, 15 seconds is defined for the request to time out. I want to identify why the network element is taking more than 15 seconds to respond. So, I think it could be a connectivity issue or something related to the network.

(03 Oct '13, 09:39) EduardoHzz

Can multiple packet losses cause a loss of connection? By the way, thank you for your comments and time.

(04 Oct '13, 09:20) EduardoHzz

It seems as though you are trying to somehow relate "loss of connection" (wherever you are getting that from) to the "missing captured packets" in the capture.

I don't think that's possible.

IOW: All I am noting is that the capture file has gaps and that (in the cases I looked at) the "conversations" (connections) were not impacted.

Given that the conversations don't seem to be impacted, to my mind pretty much the only thing that can be inferred from the "capture gaps" is that there's a capture problem.

You should fix that problem before you try to do any real analysis.

(04 Oct '13, 11:32) Bill Meier ♦♦
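
Added example, not part of the original thread or of Wireshark's code: the reasoning in the answer above, run over constructed packet records. It reports timestamp gaps and sequence holes, and labels a hole capture-side when the receiver's cumulative ACK passes it and no retransmission was captured. The record layout, the host labels A/B and the function name are assumptions; sequence wraparound and SACK are ignored.

```python
from collections import namedtuple

# Constructed sample (not from the poster's capture): one TCP connection,
# host A sends data, host B only ACKs. Fields: time in s, sender, seq, len, ack.
Pkt = namedtuple("Pkt", "t src seq length ack")
SAMPLE = [
    Pkt(0.00, "A", 1000, 100, 1),
    Pkt(0.01, "B", 1, 0, 1100),
    # capture stalls here: A's bytes 1100-1199 never reach the file
    Pkt(1.20, "B", 1, 0, 1200),    # B ACKs bytes the capture never saw
    Pkt(1.21, "A", 1200, 100, 1),  # seq jumps past the expected 1100
    Pkt(1.22, "B", 1, 0, 1300),
]

def analyze(pkts, gap_s=1.0):
    """Return (time_gaps, holes); each hole is 'capture-side' or 'unresolved'."""
    peer = {"A": "B", "B": "A"}  # assumed two-host labelling
    next_seq = {}   # sender -> next expected sequence number
    max_ack = {}    # sender -> highest cumulative ACK that sender has sent
    holes = []      # [sender, start, end, filled_by_captured_retransmission]
    time_gaps = []
    prev_t = None
    for i, p in enumerate(pkts):
        if prev_t is not None and p.t - prev_t >= gap_s:
            time_gaps.append((i - 1, i, round(p.t - prev_t, 3)))
        prev_t = p.t
        max_ack[p.src] = max(max_ack.get(p.src, 0), p.ack)
        if p.length == 0:
            continue  # pure ACK carries no sequence space to track
        expected = next_seq.get(p.src)
        if expected is not None and p.seq > expected:
            # the condition behind "previous segment not captured"
            holes.append([p.src, expected, p.seq, False])
        for h in holes:
            # a captured retransmission that covers the hole fills it
            if h[0] == p.src and p.seq <= h[1] and p.seq + p.length >= h[2]:
                h[3] = True
        next_seq[p.src] = max(expected or 0, p.seq + p.length)
    verdicts = []
    for src, start, end, filled in holes:
        # receiver acknowledged the bytes, sender never resent them:
        # the data arrived, only the capture file is missing it
        acked = max_ack.get(peer[src], 0) >= end
        verdict = "capture-side" if acked and not filled else "unresolved"
        verdicts.append((src, start, end, verdict))
    return time_gaps, verdicts
```

The verdict only holds when the capture point sees every path between the two hosts; a retransmission that took a path the capture cannot see would be misread as a capture drop.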