This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

xxxx bytes missing in capture file

Hello, I'm trying to capture traffic, and after saving and uploading the pcap file I get this alert on the TCP stream:

[1285 bytes missing in capture file]

Thanks in advance for any help.

2x2i

asked 25 Aug '14, 11:33

2x2i

edited 26 Aug '14, 08:06

JeffMorriss ♦

Did you transfer as binary? An FTP transfer as ASCII will mangle the file.

(25 Aug '14, 11:36) Anders ♦

One Answer:

This usually indicates that some frames (packets) in a TCP connection weren't captured (and you're doing "follow TCP stream" to view what went back and forth on the socket). Rather than stopping when some bytes are missing, Wireshark continues to show the TCP stream but shows you where the data is incomplete.

To fix the problem you need to ensure you capture all the packets. Unfortunately this can be quite difficult to achieve in practice.

answered 26 Aug '14, 08:05

JeffMorriss ♦

(26 Aug '14, 08:52) grahamb ♦
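
How a gap like the one in the question can be found from the TCP sequence numbers of the segments that were captured, as an added example that is not part of the original thread and is not Wireshark's own code. The function names and the segment list are constructed for illustration, and one direction of a stream shorter than 2 GiB is assumed.

```python
from typing import List, Tuple

MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


def seq_diff(a: int, b: int) -> int:
    """Signed distance a - b in 32-bit sequence space."""
    d = (a - b) % MOD
    return d - MOD if d >= MOD // 2 else d


def find_gaps(isn: int, segments: List[Tuple[int, int]]) -> List[Tuple[int, int]]:
    """Return (stream_offset, missing_bytes) for each hole in one direction.

    isn: sequence number of the SYN; the first payload byte is isn + 1.
    segments: (seq, payload_len) for each captured data segment, in any order.
    """
    first = (isn + 1) % MOD
    # Relative offsets make sorting safe across sequence-number wraparound.
    rel = sorted((seq_diff(seq, first), ln) for seq, ln in segments if ln > 0)
    gaps = []
    next_off = 0  # first stream offset not yet covered by captured payload
    for off, ln in rel:
        if off > next_off:
            gaps.append((next_off, off - next_off))
        # max() absorbs retransmissions and overlapping segments
        next_off = max(next_off, off + ln)
    return gaps


def markers(gaps: List[Tuple[int, int]]) -> List[str]:
    """Format each gap the way the alert in the question reads."""
    return [f"[{n} bytes missing in capture file]" for _, n in gaps]


# Constructed sample: the ISN sits just below the 32-bit wrap, segments are
# out of order, one segment is retransmitted, and the 1285-byte segment
# starting at seq 4294967001 was never captured.
SAMPLE_ISN = 4294966000
SAMPLE_SEGMENTS = [
    (990, 500),          # stream offset 2285, after the wrap
    (4294966001, 1000),  # stream offset 0
    (1490, 300),         # stream offset 2785
    (990, 500),          # retransmission of the first entry
]

if __name__ == "__main__":
    for line in markers(find_gaps(SAMPLE_ISN, SAMPLE_SEGMENTS)):
        print(line)
```

A hole reported this way only says the capture lacks those bytes; whether the receiver also missed them depends on where the capture was taken.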