Hi all, In a captured dump I found two warnings: TCP: Previous segment not captured (common at capture start) and TCP: ACKed segment that wasn't captured (common at capture start). To avoid missing packets I tried to: recapture in a wired and wIreless LAN, use tcpdump instead of dumpcap and I forced quit all other user processes except the one related to the capturing tool and my VM as I'm doing the capturing within it. I'm still having the same warnings. I'm wondering why I have missing packets in my capture and how can I avoid missing packets while capturing? asked 30 Jul '15, 20:15 flora edited 04 Aug '15, 06:48 showing 5 of 8 show 3 more comments |
One Answer:
Just out of curiosity how much RAM, and how many processors/cpus have your set for your VM? Is it possible that the VM is getting overloaded due to a lack of memory or processing power? Have you tried capturing from the host machine or even from outside the host machine to see if you are still dropping packets? answered 03 Aug '15, 08:30 greenfreq I did use more powerful machine than mine and the problem has been resolved. Thank you. (04 Aug '15, 06:42) flora |
Your pcap contains SSH packets and not SSL I think they are two different protocols(although they have a similar use).
https://wiki.wireshark.org/SSH
Well. you need to decode as SSL. It is an SSL traffic but works on non-standard port so that it looks to you as SSH. Thanks for your comment.
We won't be able to test the decryption unless you provide the key.
I'm not sure the keys will be useful for you as I'm using a master key (DH key exchange) where I implemented an SSL preference to accept it and modify some related code just to load it in the right data structure.However,I haven't changed any code that is related to the decryption process. I noticed the decryption works perfectly until it comes to the packets that have the two mentioned warnings (I get the MAC failed thing!). You can may be help me out by checking my dump and see if you can find any reason why I have some no captured packets or suggest how can I avoid them in my next capture. Thanks.
So the real question is "Why do I have missing packets in my capture". Fairly obviously, SSL decryption can't function with missing packets.
You are right! I edited my question above. Thank you so much for clarifying this.
I guess I miss understood the warning messages. as an example, from the Expert Info: packet#233 TCP: Previous segment not captured (common at capture start) from Wireshark's main window: packet#233: [TCP Previous segment not captured] [TCP segment of a reassembled PDU] The previous segment ( the missing one, is the one with sequence#: 127033) and obviously this effects SSL.
Maybe you have somewhere real CRC failures in your network?
not relevant to my situation.. thank you.