In the attached trace there are a lot of errors, which are not true. Some of them are below. https://drive.google.com/file/d/0B7Io9WiIN49VazZnZjJ4c2hwNTA/view?usp=sharing
asked 21 Jul '17, 01:00 soochi
One Answer:
Perhaps Wireshark is confused about which packets belong to which TCP connection. It looks as if packet 1 is the last packet of one TCP connection (an RST+ACK) and packet 2 is the initial SYN of a new TCP connection between the same endpoints (IP addresses+TCP ports), with packet 3 being the SYN+ACK, packet 4 being the ACK of the SYN+ACK, and packet 5 being the first data packet. That could cause various forms of confusion, including all of the symptoms reported above; stripping out the first packet seems to make at least some things work better. Please file a bug on the Wireshark Bugzilla, with your capture attached to it. answered 21 Jul '17, 02:41 Guy Harris ♦♦
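To illustrate the port-reuse situation described in the answer, here is an added example (not code from the thread or from Wireshark) of a minimal TCP stream tracker: keyed only on the 4-tuple it lumps the stale RST+ACK together with the new connection, while a tracker that also starts a new stream on a bare SYN separates them. The addresses, ports and packet list are constructed to mirror packets 1 to 5 from the answer.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flag letters, e.g. "RA", "S", "SA", "A", "PA"

def flow_key(p: Pkt):
    # Direction-independent 4-tuple so both directions map to one connection
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

def assign_streams(packets, split_on_syn=True):
    """Return one stream id per packet.

    split_on_syn=False mimics a tracker keyed on the 4-tuple alone: the
    leftover RST+ACK and the fresh handshake land in the same stream, so
    sequence-number analysis runs across two unrelated connections.
    split_on_syn=True opens a new stream whenever a bare SYN arrives on a
    4-tuple that already has one (client port reused after RST/close)."""
    streams = {}
    next_id = 0
    out = []
    for p in packets:
        k = flow_key(p)
        is_bare_syn = p.flags == "S"
        if k not in streams or (split_on_syn and is_bare_syn):
            streams[k] = next_id
            next_id += 1
        out.append(streams[k])
    return out

# Constructed sample (hypothetical addresses/ports), one entry per packet
SAMPLE = [
    Pkt("10.0.0.1", 40000, "10.0.0.2", 443, "RA"),  # 1: tail of the old connection
    Pkt("10.0.0.1", 40000, "10.0.0.2", 443, "S"),   # 2: new SYN on the same 4-tuple
    Pkt("10.0.0.2", 443, "10.0.0.1", 40000, "SA"),  # 3: SYN+ACK
    Pkt("10.0.0.1", 40000, "10.0.0.2", 443, "A"),   # 4: ACK of the SYN+ACK
    Pkt("10.0.0.1", 40000, "10.0.0.2", 443, "PA"),  # 5: first data packet
]

if __name__ == "__main__":
    print("4-tuple only :", assign_streams(SAMPLE, split_on_syn=False))
    print("SYN-aware    :", assign_streams(SAMPLE))
    print("packet 1 cut :", assign_streams(SAMPLE[1:], split_on_syn=False))
```

Dropping packet 1, as the answer suggests, makes both trackers agree, which is why the trace looks healthier once it is stripped.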
How was the capture made, i.e. on-host, tap, mirror or span port or something else?
It was made on different devices on the path, for example by dumping on the firewall, dumping on the LB, and also via a mirror port... All of them show the same errors.
If they show the same errors there's something with your capture platform. It is known that hardware offloading features may interfere with proper capturing of these protocol streams.
Errors in capture platforms from many different vendors? All at the same time and all for the same IP pair combinations. Highly unlikely!
You never said how these captures were made, only where. It could still be the same laptop connected to different equipment in the network, either directly or via a (possibly virtual) span or mirror port.