This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hello im trying to capture traffic and after saving and uploading pcap file i get this alert on tcp stream:

[1285 bytes missing in capture file]

thanks in advance for any help.

2x2i

asked 25 Aug '14, 11:33

2x2i's gravatar image

2x2i
11223
accept rate: 0%

edited 26 Aug '14, 08:06

JeffMorriss's gravatar image

JeffMorriss ♦
6.2k572

Did you transfer as binary? ftp transfer as ASCII will mangle the file.

(25 Aug '14, 11:36) Anders ♦

This usually indicates that some frames (packets) in a TCP connection weren't captured (and you're doing "follow TCP stream" to view what went back and forth on the socket). Rather than stopping when some bytes are missing, Wireshark continues to show the TCP stream but shows you where the data is incomplete.

To fix the problem you need to ensure you capture all the packets. Unfortunately this can be quite difficult to achieve in practice.

permanent link

answered 26 Aug '14, 08:05

JeffMorriss's gravatar image

JeffMorriss ♦
6.2k572
accept rate: 27%

(26 Aug '14, 08:52) grahamb ♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×238
×193
×29

question asked: 25 Aug '14, 11:33

question was seen: 4,668 times

last updated: 26 Aug '14, 08:52

p​o​w​e​r​e​d by O​S​Q​A