 | 1 | initial version |
Hi Berserk,
First of all, when you save a large capture you can check "compress with gzip" to automatically compress the PCAP.
Wireshark can automatically open file compressed this way so there is no need to use WinRAR, WinZIP, 7-ZIP, etc.
Secondly, try to capture TCP connections from the start so you have all 3-way handshake TCP segments for SYN, SYN/ACK and ACK. These segment provide lots of information.
Now as far as I can tell, the "TCP previous segment not captured" you are seeing are because of packet loss. This is why there are Duplicate ACKs while the server retransmit the missing segments.
The TCP FIN segment is a proper way to terminate a TCP connection. The fact that you are seeing means host 172.31.251.9 wants to close this TCP connection. The 4-way handshake FIN/ACK, ACK, FIN/ACK, ACK means this TCP connection was properly closed by both client and server. It does not mean there is a network problem.
Now if this is unexpected then you need to find out why host 172.31.251.9 decided it was time to close the connection. This may be due to a resource issue or more likely an OS or software parameter/trigger.
Hope this helps.
Cheers,
JFD
Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
