This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Missing bytes in Capture file

0

Is it normal to see occasional missing bytes in capture file, TCP Acked Lost segment, while filtering through a TCP Stream?

The problem is resolved by reload the stream.

asked 29 Aug '11, 18:04

Sharky7's gravatar image

Sharky7
1111
accept rate: 0%


One Answer:

0

Yes, it is normal that sometimes not all packets that were on the wire are captured. This will result in "TCP acked Lost segment" messages. One common cause is port mirroring a full duplex port 100Mbit to a 100Mbit port, you can then have 200 Mbit of traffic, which obviously does not work on a 100Mbit port.

Another source of these problems is if your capturing device is unable to keep up with the data collection. If this is the case, make sure the device is not doing much other stuff than capturing. Don't run any other programs and disable "Show packets in real time". Or even better, you dumpcap instead of Wireshark.

answered 30 Aug '11, 00:09

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%