
"A Wireshark capture I've been analyzing has some TCP out of order, Dup Ack's, and previous segment not captured. Application works fine but not sure why I get these errors."

You get these errors because some packets arrive out of order and because there is packet loss. The application works ok because the out-of-order packets are re-ordered at the receiving system and then passed to the application in the correct order, and because the missing packets are retransmitted.

Wireshark doesn't have "its own sequence numbers," but by default it will display relative sequence numbers. If the sequence number of the first packet in the capture file from a host on a particular TCP stream is 'x', Wireshark will subtract 'x' from the sequence number of every packet from that host, so that it appears that the sequence numbers started at zero. The raw (absolute) sequence numbers are still there, and the latest version of Wireshark displays the raw sequence numbers even when relative sequence numbers are enabled. In any case, toggling the display between relative and raw sequence numbers will not change what messages Wireshark displays.

"I was told to uncheck the Analyze TCP sequence numbers and then all the errors disappeared from the pcap file."

Turning off "Analyze TCP sequence numbers" doesn't cause errors to go away; it only causes the error messages to go away. If a packet was out of order, it's still out of order. Wireshark is just no longer labeling it as out of order. So if you turn this off, you won't know about errors or problems during the communication unless you manually analyze all the sequence numbers yourself--a monumental task.
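A simplified sketch of the two points in the answer above, added here as an example and not taken from Wireshark's code or from the original post: relative sequence numbers are only an offset from the first sequence number seen, and switching the analysis off removes the labels without changing the segments. The function names, the label wording, and the sample segments are assumptions constructed for illustration; Wireshark's real analysis uses more heuristics (timing, ACKs, window sizes).

```python
MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around

# Constructed sample: (raw_seq, payload_len) from one sender on one stream,
# in capture order. The raw numbers wrap past 2**32 and two segments are swapped.
SEGMENTS = [
    (4294966000, 1000),
    (4294967000, 1000),
    (1704, 1000),   # arrives before the segment that should precede it
    (704, 1000),    # the late segment
    (2704, 1000),
]

def relative_seq(raw_seq, base):
    """Offset of raw_seq from the first sequence number seen (wrap-safe)."""
    return (raw_seq - base) % MOD

def analyze(segments, analyze_seq=True):
    """Return (relative_seq, label) per segment.

    With analyze_seq=False every label is blank, but the segments,
    their sequence numbers and their order are exactly the same.
    """
    base = segments[0][0]
    next_expected = base
    out = []
    for raw_seq, length in segments:
        # Signed distance from the expected sequence number, wrap-safe.
        delta = (raw_seq - next_expected) % MOD
        if delta >= MOD // 2:
            delta -= MOD
        label = ""
        if analyze_seq and delta > 0:
            label = "previous segment not captured"
        elif analyze_seq and delta < 0:
            label = "out-of-order or retransmission"
        # Advance only when this segment carries data past what was seen.
        if delta + length > 0:
            next_expected = (raw_seq + length) % MOD
        out.append((relative_seq(raw_seq, base), label))
    return out

if __name__ == "__main__":
    for on in (True, False):
        print("analysis on" if on else "analysis off")
        for rel, label in analyze(SEGMENTS, analyze_seq=on):
            print(f"  seq={rel:<6} {label}")
```

The labels are computed from the raw numbers, so showing relative or raw values gives the same result, and with the analysis disabled the segment at relative sequence 3000 still arrives before the one at 2000.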