This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

TCP previous segment lost when opening from file

0

I am trying to save a dump, and load it on a similar wireshark. I am also copying the .wireshark directory to the other machine. However, HTTP/XML packets are transformed to "Continuation or non-HTTP traffic". Any ideas?


Saved packets were saved in the following way:

  • marked packets of interest
  • save -> Marked packets only

Saving displayed packets also does not work as expected.

asked 17 Oct '13, 07:21


pihentagy
accept rate: 0%

edited 18 Oct '13, 01:53


One Answer:

2

What exactly are you doing? The topic you use mentions "TCP previous segment lost", while your question text doesn't. So I'm making an assumption here, and you can correct me if I am wrong:

I guess that you try to save all packets that are marked "previous segment lost" to a file to just have the packets in one file where a segment was lost before each of them. Afterwards, the trace looks different, and instead of the packets you saw in the complete file you now get "Continuation or non-HTTP traffic".

If I'm guessing correctly then you are trying to do something that does not work. TCP expert messages like "previous segment lost" are diagnosed based on packet relationships, e.g. for lost segments Wireshark analyzes the TCP sequence numbers for gaps. It can only do that if it has both packets before and after the gap. So if you save just the packets with the diagnosis "previous segment lost" you only save the second packet, and when reopening the file, it will not have the diagnosis anymore - because Wireshark can do that without the first. Expert messages are not saved with frames, they are created on load.

Back to the HTTP problem: if you save only parts of a communication then Wireshark once again can't determine packet relationships on an application level. It needs to see certain "session setup" packets first to be able to determine what others are. If you save only parts of a conversation Wireshark cannot tell those packets apart anymore, and you'll get default descriptions like "Continuation or non-HTTP traffic".

OK, I hope I guessed correctly, because otherwise that was a lot of text for nothing :-)

answered 17 Oct '13, 07:53


Jasper ♦♦
accept rate: 18%
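To make the point in the answer concrete, here is an added, constructed Python model (not Jasper's code and not Wireshark's implementation) of the sequence-number gap check: it flags a segment whose seq is past the next expected seq of its flow, then shows that re-running the check over only the flagged frames yields nothing, while a frame range that includes the neighbours keeps the diagnosis. The flow 4-tuple, frame numbers and segment sizes are all constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    frame: int            # frame number in the capture file
    flow: tuple           # constructed (src, sport, dst, dport) 4-tuple
    seq: int              # TCP sequence number of the first payload byte
    length: int           # TCP payload bytes carried by this segment

def analyze(segments):
    """Simplified version of the gap check: return {frame: diagnosis} for
    every segment whose seq lies beyond the next expected seq of its flow.
    Like Wireshark's expert info, the result is computed on load, not stored."""
    expected = {}     # flow -> next expected seq, built from preceding frames
    findings = {}
    for s in segments:
        nxt = expected.get(s.flow)
        if nxt is not None and s.seq > nxt:
            findings[s.frame] = "previous segment lost"
        # advance the expectation; lower seqs (retransmissions) do not move it back
        if nxt is None or s.seq + s.length > nxt:
            expected[s.flow] = s.seq + s.length
    return findings

def save_marked_only(segments, findings):
    """'Save -> Marked packets only', with exactly the diagnosed frames marked."""
    return [s for s in segments if s.frame in findings]

def save_range(segments, first, last):
    """'Save -> packet range' covering the frames of interest and their neighbours."""
    return [s for s in segments if first <= s.frame <= last]

# Constructed capture: five 100-byte segments of one flow; the segment with
# seq 201 never reached the capture point, so frame 3 opens a gap.
FLOW = ("10.0.0.1", 40000, "10.0.0.2", 80)
CAPTURE = [
    Segment(1, FLOW, 1, 100),
    Segment(2, FLOW, 101, 100),
    Segment(3, FLOW, 301, 100),   # seq jumps from 201 to 301
    Segment(4, FLOW, 401, 100),
    Segment(5, FLOW, 501, 100),
]

if __name__ == "__main__":
    full = analyze(CAPTURE)
    print("full file:   ", full)                                        # frame 3 flagged
    print("marked only: ", analyze(save_marked_only(CAPTURE, full)))    # nothing left to compare
    print("frame range: ", analyze(save_range(CAPTURE, 1, 5)))          # frame 3 flagged again
```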

"OK, I hope I guessed correctly, because otherwise that was a lot of text for nothing :-)" LOL! Classic!

(17 Oct '13, 12:07) hansangb

OK, I hope I guessed correctly, because otherwise that was a lot of text for nothing :-)

=:-))

O.K. let me guess too... Just with less text. ;-)

I guess that the OP used FTP to transfer the capture file and thereby used ASCII mode (instead of binary). By doing so, he modified the file (CRLF translation).

Regards
Kurt

(17 Oct '13, 12:27) Kurt Knochner ♦

Yes, I tried to save all marked packets. I marked them one-by-one, because I didn't know another way. I expected to get back all marked packets, but it failed. I expected at least a warning that it would not work. The solution was to specify a packet range which contains all packets which are of interest.

(18 Oct '13, 01:12) pihentagy

Makes sense - Wireshark needs the additional packets to be able to determine symptoms and communication flow. Things like that are not saved as metadata if you just extract the packets it concerns directly, so you lose that information if you do that.

(18 Oct '13, 02:48) Jasper ♦♦