This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

“Previous Segment Lost” seems to be inaccurate


Hi. I have a packet capture that has lots of "Previous Segment Lost" diagnoses in Wireshark's Info field.

But, when I examine a few instances, I don't see evidence that a previous segment was indeed lost. But perhaps my analysis is flawed. Here is what I'm looking at...

Packet "n" has Sequence number: 2080052452, a Length of 1460 Bytes, and Next sequence number: 2080053912. This makes sense.

Packet "n+1" has Sequence number: 2080053912, exactly what was expected. But, it also has an Info field that says, "[TCP Previous segment lost] C: DATA fragment, 1460 bytes"

Can anyone explain why this packet is flagged with this diagnosis? Am I missing completely what "Previous segment lost" is intended to describe? (Always a possibility!! :-)

Thanx all!

asked 15 Apr '11, 07:59


feenyman99

Just realized that I did not include the Wireshark Version:

Version 1.4.4 (SVN Rev 36110 from /trunk-1.4)

(15 Apr '11, 09:45) feenyman99
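The check the question reasons about, as an added example that is not code from the question, the answers, or Wireshark itself: Wireshark raises "[TCP Previous segment lost]" (current releases label the same condition "Previous segment not captured") only when a segment's sequence number is higher than the next sequence number expected from the highest segment already seen in that direction of that stream. Two back-to-back 1460-byte segments like the ones quoted therefore cannot trigger it if the analysis is correct. The stream below is constructed from the two quoted packets plus two invented segments (one that skips 1460 bytes, and the late arrival of those bytes); the per-direction rule, the single "Retransmission/Out-Of-Order" label, and the 32-bit wrap-around comparison are a simplification of Wireshark's analysis, not its code.

```python
"""Simplified model of the TCP sequence check behind "[TCP Previous segment lost]".
Added example; not Wireshark's own analysis code."""
from dataclasses import dataclass
from typing import List, Optional

MASK32 = 0xFFFFFFFF


@dataclass(frozen=True)
class Segment:
    seq: int            # absolute 32-bit TCP sequence number
    length: int         # TCP payload length in bytes
    syn: bool = False
    fin: bool = False


def next_seq(seg: Segment) -> int:
    """Sequence number the peer expects next: seq + payload, plus one each for SYN and FIN."""
    return (seg.seq + seg.length + int(seg.syn) + int(seg.fin)) & MASK32


def seq_after(a: int, b: int) -> bool:
    """True if a comes after b in 32-bit wrap-around sequence space (and a != b)."""
    return a != b and ((a - b) & MASK32) < 0x80000000


def analyze_direction(segments: List[Segment]) -> List[List[str]]:
    """Walk ONE direction of ONE TCP stream in capture order; return the tags per segment.

    Assumed rule (simplified from Wireshark's TCP analysis):
      seq == expected -> in order, no tag
      seq  > expected -> bytes in between were never captured: "TCP Previous segment lost"
      seq  < expected -> bytes already accounted for: retransmission or out-of-order
                         delivery (not distinguished here)
    'expected' is the highest next_seq observed so far in this direction.
    """
    expected: Optional[int] = None
    out: List[List[str]] = []
    for seg in segments:
        tags: List[str] = []
        if expected is not None:
            if seq_after(seg.seq, expected):
                tags.append("TCP Previous segment lost")
            elif seq_after(expected, seg.seq) and seg.length > 0:
                tags.append("TCP Retransmission/Out-Of-Order")
        nxt = next_seq(seg)
        if expected is None or seq_after(nxt, expected):
            expected = nxt
        out.append(tags)
    return out


def posters_case() -> List[List[str]]:
    """The two packets quoted in the question (client -> server, 1460-byte segments),
    followed by two constructed segments that DO trigger the flag."""
    stream = [
        Segment(seq=2080052452, length=1460),   # packet n, next_seq = 2080053912
        Segment(seq=2080053912, length=1460),   # packet n+1, exactly next_seq(n): no tag
        Segment(seq=2080056832, length=1460),   # constructed: 1460 bytes missing before it
        Segment(seq=2080055372, length=1460),   # constructed: the missing bytes, arriving late
    ]
    return analyze_direction(stream)


if __name__ == "__main__":
    for seg, tags in zip(posters_case(), posters_case()):
        print(tags)
```

Feed the function only segments from one direction of one stream (the "C:" in the quoted Info field marks the client-to-server direction); mixing directions or streams produces exactly the kind of spurious "lost" flags the question describes.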

3 Answers:


As it turns out, after working with Sake (thx!!), it appears that something in my Preferences is causing this mis-diagnosis to happen. When I Apply the Default preference, the mis-diagnoses disappear. By the same token, Sake was unable to reproduce the behavior, even when he loaded my Preference file.

So, I guess we will have to leave this as an Unsolved Mystery.

If it happens again, perhaps enlightenment will occur.

If it never happens again, that's OK too!

thx, Feenyman99

answered 18 Apr '11, 04:33


feenyman99


Hmm... it looks like Wireshark shouldn't have given the "Previous Segment Lost" message. What version of Wireshark are you using? Are you able to share (part of) your capture file for analysis?

answered 15 Apr '11, 09:45


SYN-bit ♦♦

Version 1.4.4 (SVN Rev 36110 from /trunk-1.4)

Yes I can share part of my capture file. Pls tell me how to send / upload it.

thx!

(15 Apr '11, 11:21) feenyman99

You could post it on www.pcapr.net or http://www.cloudshark.org/

(make sure you check if you agree to their terms, since it's network packets that you're posting)

(15 Apr '11, 11:53) SYN-bit ♦♦

Here is some additional, INTERESTING information...

To prepare to send a snippet of the trace for your analysis, I went into the trace file and removed the first 28 packets, as there were some actual names and email addresses in there.

Once I did that and re-imported the capture into Wireshark, Voila - the "Previous segment lost" diagnoses disappeared from the same packets that had previously had these diagnoses. Hmmm...

(15 Apr '11, 11:53) feenyman99

Instead of deleting frames, you can also strip the upper layers as it is the TCP layer that is interesting in this case. You can use editcap to do so (editcap -s 68 infile.cap outfile.cap)

(15 Apr '11, 12:00) SYN-bit ♦♦

That I will do sir! How do I send you the resultant file? (It's small - ~40KB).

thx!

(15 Apr '11, 12:01) feenyman99

Sorry - I missed your instructions for posting my trace file until now. I will strip out the upper layers and post it and let you know when done.

thx.

(15 Apr '11, 12:03) feenyman99

You can either post it on one of the sites I mentioned or send it to me personally if you prefer (my mail address is on my profile description when you click on my name)

(15 Apr '11, 12:04) SYN-bit ♦♦
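An added example of the sanitising step suggested above (the `editcap -s 68` idea), not code from the thread or from editcap: it rewrites a libpcap file cutting every record at a fixed snaplen, and adds the check a practitioner wants before mailing the file, namely whether any bytes beyond the TCP header survived. A fixed 68-byte cut leaves room for up to 14 bytes of TCP options, so on packets with shorter options some application payload (the first bytes of a name or an e-mail address) remains; the header-aware cut avoids that. The two frames and the pcap wrapper are constructed inline (checksums left at zero, little-endian microsecond pcap only); the function names are this example's own.

```python
"""Strip application payload from a libpcap file before sharing it (added example).
truncate(data, N) cuts like `editcap -s N`; truncate(data) cuts each TCP packet at
the end of its TCP header; surviving_payload() verifies the result."""
import struct
from typing import List, Tuple

MAGIC_LE_US = b"\xd4\xc3\xb2\xa1"   # libpcap magic 0xa1b2c3d4, little-endian, microseconds
LINKTYPE_ETHERNET = 1


def build_tcp_frame(payload: bytes, tcp_opts: bytes = b"") -> bytes:
    """Constructed Ethernet/IPv4/TCP frame (checksums 0; nothing here validates them)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    tcp_hlen = 20 + len(tcp_opts)
    assert tcp_hlen % 4 == 0, "TCP options must pad to a 4-byte boundary"
    tcp = struct.pack("!HHIIBBHHH", 1234, 80, 2080052452, 0,
                      (tcp_hlen // 4) << 4, 0x18, 65535, 0, 0) + tcp_opts
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + tcp + payload


def build_pcap(frames: List[bytes], snaplen: int = 65535) -> bytes:
    hdr = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    body = b"".join(struct.pack("<IIII", 1302860000 + i, 0, len(f), len(f)) + f
                    for i, f in enumerate(frames))
    return hdr + body


def read_pcap(data: bytes) -> Tuple[tuple, List[tuple]]:
    """Return (global header fields, records); a record is (ts_sec, ts_frac, orig_len, bytes)."""
    if data[:4] != MAGIC_LE_US:
        raise ValueError("not a little-endian microsecond libpcap file: magic %r" % data[:4])
    fields = struct.unpack("<IHHiIII", data[:24])
    recs, off = [], 24
    while off < len(data):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        pkt = data[off:off + incl_len]
        if len(pkt) != incl_len:
            raise ValueError("record at offset %d is truncated" % off)
        off += incl_len
        recs.append((ts_sec, ts_frac, orig_len, pkt))
    return fields, recs


def tcp_header_end(pkt: bytes):
    """Offset where TCP payload starts; None if the headers cannot be parsed
    (not Ethernet/IPv4/TCP, or cut before the TCP data-offset byte)."""
    if len(pkt) < 14 or pkt[12:14] != b"\x08\x00":
        return None
    ihl = (pkt[14] & 0x0F) * 4
    if len(pkt) < 14 + ihl or pkt[23] != 6:          # pkt[23] = IPv4 protocol field
        return None
    tcp_off = 14 + ihl
    if len(pkt) < tcp_off + 13:
        return None
    return tcp_off + (pkt[tcp_off + 12] >> 4) * 4    # data offset, in 32-bit words


def truncate(data: bytes, snaplen: int = None) -> bytes:
    """Rewrite the pcap with records cut at `snaplen` bytes (like editcap -s), or,
    when snaplen is None, cut each TCP packet exactly at the end of its TCP header.
    orig_len is preserved so the real frame sizes stay visible to the analyst."""
    fields, recs = read_pcap(data)
    magic, vmaj, vmin, zone, sig, old_snap, link = fields
    out = struct.pack("<IHHiIII", magic, vmaj, vmin, zone, sig,
                      snaplen if snaplen is not None else old_snap, link)
    for ts_sec, ts_frac, orig_len, pkt in recs:
        cut = snaplen if snaplen is not None else tcp_header_end(pkt)
        kept = pkt if cut is None else pkt[:cut]     # unparseable packets are left whole
        out += struct.pack("<IIII", ts_sec, ts_frac, len(kept), orig_len) + kept
    return out


def surviving_payload(data: bytes) -> List[int]:
    """Per record: bytes left beyond the TCP header (0 = clean), or -1 if the
    headers could not be parsed and the record needs a manual look."""
    _, recs = read_pcap(data)
    result = []
    for _, _, _, pkt in recs:
        end = tcp_header_end(pkt)
        result.append(-1 if end is None else max(0, len(pkt) - end))
    return result


# Constructed sample: one frame with no TCP options, one with 12 bytes of options.
SAMPLE = build_pcap([
    build_tcp_frame(b"MAIL FROM:<alice@example.com>\r\n"),
    build_tcp_frame(b"Hello Bob, ...", tcp_opts=b"\x01\x01\x08\x0a" + b"\x00" * 8),
])

if __name__ == "__main__":
    print("original        :", surviving_payload(SAMPLE))
    print("editcap -s 68   :", surviving_payload(truncate(SAMPLE, 68)))
    print("header-aware cut:", surviving_payload(truncate(SAMPLE)))
```

With the sample above, the 68-byte cut leaves 14 payload bytes in the frame without TCP options and 2 in the frame with them, while the header-aware cut leaves none; run the check on the real file and pick the snaplen (or the header-aware rewrite) accordingly before mailing it.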


OK - the fog is clearing... I believe I have a corrupted or compromised trace file.

It turns out that, each time I had wireshark (or editcap) create a new trace file from the initial trace file, the 'Previous Segment Lost' diagnoses completely disappeared. This was true even if I didn't remove any frames, or didn't strip out any upper layers.

Another piece of info... The trace with the 'Previous Segment Lost' diagnoses, it turns out, is in "NA Sniffer (Windows) 2.00x (*.cap)" format. When I saved it in "Wireshark/tcpdump/... -libpcap (*.pcap, *.cap)" format, WITHOUT CHANGING ANYTHING ELSE, the 'Previous Segment Lost' diagnoses disappeared.

So... What to take away from this exercise???

  • Are "NA Sniffer (Windows) 2.00x (*.cap)" trace files known to have problems?
  • Should I always convert them into "Wireshark/tcpdump/" format as a matter of best practice?
  • Or did I just happen to get an anomaly, with no obvious conclusions to be drawn?
  • Any other suggestions or conclusions?

As much as this has been interesting, I regret that I spent a lot of time chasing my tail on this. If anyone suggests what I might have done differently, to avoid this, I am all ears.

Thx again.

answered 15 Apr '11, 15:03


feenyman99

I'm glad you were able to work around the issue by converting the file format. It would be interesting though to find out why it is failing when reading the sniffer format. I'm not sure whether you are allowed to share the file under NDA so I can have a look at it.

(15 Apr '11, 17:42) SYN-bit ♦♦

Sake,

I just emailed you the file - I hope that is OK. That seemed safer than posting it on the web.

thx, feenyman99

(17 Apr '11, 15:08) feenyman99