This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi all,

In a captured dump I found two warnings: TCP: Previous segment not captured (common at capture start) and TCP: ACKed segment that wasn't captured (common at capture start).

To avoid missing packets I tried to: recapture in a wired and wIreless LAN, use tcpdump instead of dumpcap and I forced quit all other user processes except the one related to the capturing tool and my VM as I'm doing the capturing within it. I'm still having the same warnings.

I'm wondering why I have missing packets in my capture and how can I avoid missing packets while capturing?

asked 30 Jul '15, 20:15

flora's gravatar image

flora
156313338
accept rate: 100%

edited 04 Aug '15, 06:48

Your pcap contains SSH packets and not SSL I think they are two different protocols(although they have a similar use).

https://wiki.wireshark.org/SSH

(31 Jul '15, 01:46) koundi

Well. you need to decode as SSL. It is an SSL traffic but works on non-standard port so that it looks to you as SSH. Thanks for your comment.

(31 Jul '15, 04:48) flora

We won't be able to test the decryption unless you provide the key.

(31 Jul '15, 05:31) grahamb ♦

I'm not sure the keys will be useful for you as I'm using a master key (DH key exchange) where I implemented an SSL preference to accept it and modify some related code just to load it in the right data structure.However,I haven't changed any code that is related to the decryption process. I noticed the decryption works perfectly until it comes to the packets that have the two mentioned warnings (I get the MAC failed thing!). You can may be help me out by checking my dump and see if you can find any reason why I have some no captured packets or suggest how can I avoid them in my next capture. Thanks.

(31 Jul '15, 06:12) flora

So the real question is "Why do I have missing packets in my capture". Fairly obviously, SSL decryption can't function with missing packets.

(31 Jul '15, 06:31) grahamb ♦

You are right! I edited my question above. Thank you so much for clarifying this.

I guess I miss understood the warning messages. as an example, from the Expert Info: packet#233 TCP: Previous segment not captured (common at capture start) from Wireshark's main window: packet#233: [TCP Previous segment not captured] [TCP segment of a reassembled PDU] The previous segment ( the missing one, is the one with sequence#: 127033) and obviously this effects SSL.

(31 Jul '15, 07:24) flora

Maybe you have somewhere real CRC failures in your network?

(31 Jul '15, 16:49) Christian_R

not relevant to my situation.. thank you.

(04 Aug '15, 06:40) flora
showing 5 of 8 show 3 more comments

Just out of curiosity how much RAM, and how many processors/cpus have your set for your VM? Is it possible that the VM is getting overloaded due to a lack of memory or processing power? Have you tried capturing from the host machine or even from outside the host machine to see if you are still dropping packets?

permanent link

answered 03 Aug '15, 08:30

greenfreq's gravatar image

greenfreq
66127
accept rate: 33%

I did use more powerful machine than mine and the problem has been resolved. Thank you.

(04 Aug '15, 06:42) flora
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×1,620
×205
×42

question asked: 30 Jul '15, 20:15

question was seen: 1,933 times

last updated: 04 Aug '15, 06:48

p​o​w​e​r​e​d by O​S​Q​A