This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

TCP previous segment lost…really?

0

I have users that RDP to servers from remote offices through a VPN. I do not get complaints from users running terminal server but when running a capture I'm seeing a lot of (TCP previous segment lost) but not retransmissions or duplicate acknowledgements. Below is a small sample export:

  No.   Time        Delta       Source                Destination           Protocol Info                                                            TCP Win Size
  16594 35.668978   0.001375    10.11.4.151           10.11.0.34            TCP      hpvmmdata > ms-wbt-server [ACK] Seq=7482 Ack=133501 Win=65216 Len=0 65216
  21380 44.940581   0.003265    10.11.0.34            10.11.4.151           TPKT     Continuation                                                    32760
  21532 45.198616   0.001418    10.11.4.151           10.11.0.34            TCP      hpvmmdata > ms-wbt-server [ACK] Seq=7482 Ack=134037 Win=64680 Len=0 64680
  25676 51.846655   0.000021    10.11.0.34            10.11.4.151           TPKT     Continuation                                                    32760
  25740 52.120098   0.008579    10.11.4.151           10.11.0.34            TCP      hpvmmdata > ms-wbt-server [ACK] Seq=7482 Ack=134056 Win=64661 Len=0 64661
  33920 68.269875   0.018953    10.11.0.34            10.11.4.151           TPKT     Continuation                                                    32760
  34014 68.470952   0.003303    10.11.4.151           10.11.0.34            TCP      hpvmmdata > ms-wbt-server [ACK] Seq=7482 Ack=134074 Win=64643 Len=0 64643
  39489 81.083668   0.004569    10.11.0.34            10.11.4.151           TPKT     Continuation                                                    32760
  39591 81.310868   0.000169    10.11.4.151           10.11.0.34            TCP      hpvmmdata > ms-wbt-server [ACK] Seq=7482 Ack=134097 Win=64620 Len=0 64620
  40992 84.661456   0.002586    10.11.0.34            10.11.4.151           TPKT     Continuation                                                    32760
  41086 84.922094   0.000270    10.11.4.151           10.11.0.34            TCP      hpvmmdata > ms-wbt-server [ACK] Seq=7482 Ack=134120 Win=64597 Len=0 64597
  46969 101.070159  0.004696    10.11.0.34            10.11.4.151           TPKT     Continuation                                                    32760
  47039 101.272924  0.000401    10.11.4.151           10.11.0.34            TCP      hpvmmdata > ms-wbt-server [ACK] Seq=7482 Ack=134138 Win=64579 Len=0 64579
  53231 117.476833  0.005800    10.11.0.34            10.11.4.151           TPKT     Continuation                                                    32760
  53321 117.724009  0.000914    10.11.4.151           10.11.0.34            TCP      hpvmmdata > ms-wbt-server [ACK] Seq=7482 Ack=134156 Win=64561 Len=0 64561
  59055 130.494564  0.005086    10.11.0.34            10.11.4.151           TPKT     Continuation                                                    32760
  59093 130.552710  0.000426    10.11.0.34            10.11.4.151           TPKT     Continuation                                                    32760
  59094 130.552827  0.000117    10.11.0.34            10.11.4.151           TPKT     Continuation                                                    32760
  59095 130.552928  0.000101    10.11.0.34            10.11.4.151           TPKT     Continuation                                                    32760
  59096 130.553154  0.000226    10.11.0.34            10.11.4.151           TPKT     Continuation                                                    32760
  59128 130.628580  0.000313    10.11.4.151           10.11.0.34            TCP      hpvmmdata > ms-wbt-server [ACK] Seq=7482 Ack=136036 Win=65535 Len=0 65535
  59133 130.636297  0.000025    10.11.4.151           10.11.0.34            TCP      hpvmmdata > ms-wbt-server [ACK] Seq=7482 Ack=137393 Win=64178 Len=0 64178
  59142 130.650200  0.003315    10.11.0.34            10.11.4.151           TPKT     [TCP Previous segment lost] Continuation                        32760
  59143 130.650336  0.000136    10.11.0.34            10.11.4.151           TPKT     Continuation                                                    32760
  59184 130.731314  0.001042    10.11.4.151           10.11.0.34            TCP      hpvmmdata > ms-wbt-server [ACK] Seq=7482 Ack=139458 Win=65535 Len=0 65535
  59186 130.733554  0.001918    10.11.4.151           10.11.0.34            TCP      hpvmmdata > ms-wbt-server [ACK] Seq=7482 Ack=139799 Win=65194 Len=0 65194
  59211 130.759843  0.002716    10.11.0.34            10.11.4.151           TPKT     [TCP Previous segment lost] Continuation                        32760
  59249 130.847533  0.004212    10.11.4.151           10.11.0.34            TCP      hpvmmdata > ms-wbt-server [ACK] Seq=7482 Ack=142084 Win=65535 Len=0 65535
  59269 130.869924  0.000606    10.11.0.34            10.11.4.151           TPKT     [TCP Previous segment lost] Continuation                        32760
  59315 130.956755  0.007208    10.11.4.151           10.11.0.34            TCP      hpvmmdata > ms-wbt-server [ACK] Seq=7482 Ack=144586 Win=65535 Len=0 65535
  59333 130.978730  0.001011    10.11.0.34            10.11.4.151           TPKT     [TCP Previous segment lost] Continuation                        32760
  59334 130.978762  0.000032    10.11.0.34            10.11.4.151           TPKT     Continuation                                                    32760
  59369 131.066828  0.000189    10.11.4.151           10.11.0.34            TCP      hpvmmdata > ms-wbt-server [ACK] Seq=7482 Ack=147019 Win=65535 Len=0 65535
  59383 131.089565  0.004658    10.11.0.34            10.11.4.151           TPKT     [TCP Previous segment lost] Continuation                        32760
  59413 131.170660  0.002069    10.11.4.151           10.11.0.34            TCP      hpvmmdata > ms-wbt-server [ACK] Seq=7482 Ack=148819 Win=65535 Len=0 65535
  59421 131.180857  0.002506    10.11.4.151           10.11.0.34            TCP      hpvmmdata > ms-wbt-server [ACK] Seq=7482 Ack=150383 Win=65535 Len=0 65535
  59434 131.200199  0.003550    10.11.0.34            10.11.4.151           TPKT     [TCP Previous segment lost] Continuation                        32760
  59469 131.291004  0.000367    10.11.4.151           10.11.0.34            TCP      hpvmmdata > ms-wbt-server [ACK] Seq=7482 Ack=153303 Win=65535 Len=0 65535
  59479 131.307596  0.002806    10.11.0.34            10.11.4.151           TPKT     [TCP Previous segment lost] Continuation                        32760
  59480 131.308106  0.000510    10.11.0.34            10.11.4.151           TPKT     [TCP Previous segment lost] Continuation                        32760
  59512 131.388760  0.001165    10.11.4.151           10.11.0.34            TCP      hpvmmdata > ms-wbt-server [ACK] Seq=7482 Ack=155567 Win=65535 Len=0 65535
  59519 131.401704  0.001452    10.11.4.151           10.11.0.34            TCP      hpvmmdata > ms-wbt-server [ACK] Seq=7482 Ack=157916 Win=65535 Len=0 65535
  59530 131.416372  0.000762    10.11.0.34            10.11.4.151           TPKT     [TCP Previous segment lost] Continuation                        32760
  59531 131.416871  0.000499    10.11.0.34            10.11.4.151           TPKT     [TCP Previous segment lost] Continuation                        32760

asked 08 Nov '11, 14:15

newb33

edited 08 Nov '11, 14:45

SYN-bit ♦♦

How can Wireshark specify "TCP Previous segment lost" but have no TCP Retransmission or TCP Fast Retransmission? Is that possible?

(09 Nov '11, 13:25) newb33

Hello newb33,

Any update regarding this issue? I am also experiencing a similar issue. I got "TCP Previous Segment Not Captured" but no TCP retransmissions. Afterwards, the client sends a [FIN, ACK] packet to the server due to no response from the server.

Thank you.

(09 Feb '15, 05:44) chwijaya

One Answer:

0

The first packet number is 16,594; the last packet number is 59,531. From 16,594 to 59,531 is 42,938 packets. Your sample shows only 44 packets, so obviously a display filter was in place. What filter was used? Is it possible that you accidentally filtered out the retransmissions and duplicate ACKs?

This would be easier to troubleshoot if you would post the actual capture file somewhere so that we could download it and open it in Wireshark.

answered 09 Nov '11, 13:50

Jim Aragon

I filtered the exact communication between the 2 systems. My filter was ip.addr==10.11.4.151

I did not want to post the entire dump. Just a sample that had good traffic and then the supposed lost segments...

(09 Nov '11, 13:52) newb33

When I run the Expert Info Composite for the entire capture of 10 minutes, I have 2323 Previous Segment lost and 1 ACKed Lost segment.

(09 Nov '11, 13:55) newb33
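
The check made in the answer (frame-number span versus rows displayed) and the question of whether any retransmission or duplicate-ACK flag appears can be run mechanically over an exported packet list. This is an added example, not part of the original thread: `summarize` and the regex names are hypothetical, the rows are copied from the export in the question with column padding collapsed, and a repeated `Ack=` value on a `Len=0` segment is used as a simplified stand-in for Wireshark's duplicate-ACK test.

```python
import re
from collections import Counter

# Rows copied from the export in the question, column padding collapsed.
SAMPLE = """\
59096 130.553154 0.000226 10.11.0.34 10.11.4.151 TPKT Continuation 32760
59128 130.628580 0.000313 10.11.4.151 10.11.0.34 TCP hpvmmdata > ms-wbt-server [ACK] Seq=7482 Ack=136036 Win=65535 Len=0 65535
59133 130.636297 0.000025 10.11.4.151 10.11.0.34 TCP hpvmmdata > ms-wbt-server [ACK] Seq=7482 Ack=137393 Win=64178 Len=0 64178
59142 130.650200 0.003315 10.11.0.34 10.11.4.151 TPKT [TCP Previous segment lost] Continuation 32760
59143 130.650336 0.000136 10.11.0.34 10.11.4.151 TPKT Continuation 32760
59184 130.731314 0.001042 10.11.4.151 10.11.0.34 TCP hpvmmdata > ms-wbt-server [ACK] Seq=7482 Ack=139458 Win=65535 Len=0 65535
59186 130.733554 0.001918 10.11.4.151 10.11.0.34 TCP hpvmmdata > ms-wbt-server [ACK] Seq=7482 Ack=139799 Win=65194 Len=0 65194
59211 130.759843 0.002716 10.11.0.34 10.11.4.151 TPKT [TCP Previous segment lost] Continuation 32760
59249 130.847533 0.004212 10.11.4.151 10.11.0.34 TCP hpvmmdata > ms-wbt-server [ACK] Seq=7482 Ack=142084 Win=65535 Len=0 65535
"""

# frame no., time, delta, source, destination, protocol, then the Info text
ROW = re.compile(r"^\s*(\d+)\s+[\d.]+\s+[\d.]+\s+\S+\s+\S+\s+\S+\s+(.*)$")
FLAG = re.compile(r"\[(TCP [^\]]+)\]")              # e.g. [TCP Previous segment lost]
PURE_ACK = re.compile(r"\bAck=(\d+)\b.*\bLen=0\b")  # ACK carrying no data

def summarize(text):
    frames, flags, acks = [], Counter(), []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header or blank line
        frames.append(int(m.group(1)))
        flags.update(FLAG.findall(m.group(2)))
        a = PURE_ACK.search(m.group(2))
        if a:
            acks.append(int(a.group(1)))
    span = frames[-1] - frames[0] + 1 if frames else 0
    return {
        "displayed": len(frames),
        "frame_span": span,
        "not_displayed": span - len(frames),
        # Assumption: a repeated Ack value on a Len=0 segment stands in for
        # Wireshark's stricter duplicate-ACK test.
        "repeated_acks": sorted(v for v, n in Counter(acks).items() if n > 1),
        "acks_increasing": all(b > a for a, b in zip(acks, acks[1:])),
        "flags": dict(flags),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On an export that mixes both directions' pure ACKs, split the rows by source address before reading `acks_increasing`.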