This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

What means ‘TCP Previous Segment is not captured’ packet info?

0

I have captured the packets and some packet was marked "TCP Previous Segment is no captured'

I am wondering whether this marked packet is wrong packet itself or just Previous Packet is loss and marked packet is correct packet.

I have attached "TCP Previous Segment is no captured" marked packet.

thank you for your help.

alt text

asked 23 May '16, 22:12

DSLab's gravatar image

DSLab
1223
accept rate: 0%

edited 24 May '16, 03:23

sindy's gravatar image

sindy
6.0k4851

1

Can you share a capture in a publicly accessible spot, e.g. CloudShark?

(23 May '16, 23:29) Jaap ♦

yes. let me know your e-mail !

(24 May '16, 00:00) DSLab

"sharing a capture" on this site means publishing it, login-free, at some publicly accessible file server, or preferably Cloudshark as @Jaap has suggested, and providing a link to it here.

If you have some privacy concerns, use Tracewrangler to remove payload and replace IP addresses with random ones before publishing the capture.

(24 May '16, 02:58) sindy

One Answer:

1

If packet N is marked with previous segment not captured, it means that in the capture there is no packet from the same TCP session whose seq + length would match the seq of packet N. The most typical reason is packet loss and/or late start of capture, which is the reason why the wording in question is used. But there can eventually be other reasons (buggy TCP stack of the sender, multipath network structure allowing packets belonging to the same TCP session to pass through different network interfaces so the packets do reach their destination but Wireshark cannot see them, ...), so it is up to you to check out the real reason why this has happened in your particular case. If in doubt, post the capture as @Jaap has suggested.

answered 24 May '16, 03:03

sindy's gravatar image

sindy
6.0k4851
accept rate: 24%

thanks. but I can not english very well. and this is cloudshark link.

https://www.cloudshark.org/captures/af199d964ad2 this pcap file has included privacy.

If I get the answer, then I remove the link and pcap file.

please help me.

(24 May '16, 20:36) DSLab

Thank for sharing the capture file.

A quick glance at it reveals many occurrences of TCP Previous Segment not captured. And indeed if you look at the TCP sequence numbers and lengths, as @sindy suggested, these seem to be absent from the capture file.

(24 May '16, 23:47) Jaap ♦

As I'm afraid not many contributors to this site are fluent in Korean, you may copy those sentences from my answer which do not make sense to you into your next comment, I'll try to say the same once again but in more simple words.

(25 May '16, 01:23) sindy