Ask Your Question
0

Continuously observing [TCP Previous segment not captured] , Ignored Unknown Record

asked 2019-12-05 08:57:11 +0000

Sujith gravatar image

updated 2019-12-05 08:59:35 +0000

Recently for a duration of 3 minutes i observed that my device is sending [TCP Previous segment not captured] , Ignored Unknown Record gradually. Also there seems to be other warning packet sent from the device including TCP window full. The server responds to none of it. Could anyone able to find where exactly the issue is rooted? What does it mean by ignored unknown record, window size full, encrypted heartbeat. Any help would be appreciated.

Below are the suspicious packets sent from the device end which is found on the wireshark trace.

139295 2019-11-29 17:51:02.729328 0.000786 Client Server TLSv1.2 1434 [TCP Previous segment not captured] , Ignored Unknown Record

Encrypted Handshake Message, Ignored Unknown Record

[TCP Window Full] , Ignored Unknown Record

Encrypted Heartbeat, Ignored Unknown Record

edit retag flag offensive close merge delete

Comments

Can you share the capture file on a public file share, e.g. Google Drive, DropBox etc. and post a link back here?

grahamb gravatar imagegrahamb ( 2019-12-05 08:59:21 +0000 )edit

Extremely Sorry, the capture is confidential as per the organizational policy. This happened in the sector where im working.

Sujith gravatar imageSujith ( 2019-12-05 09:01:36 +0000 )edit

OK, but without the capture the answers will be very general.

grahamb gravatar imagegrahamb ( 2019-12-05 09:04:56 +0000 )edit

Just a reason for these exceptions would help. Could u?

Sujith gravatar imageSujith ( 2019-12-05 09:21:08 +0000 )edit

You might want to look into sanitization of capture files. If your problem is on layers 1-4 you can remove/change any detail to make it unrecognizable and still keep the problem situation intact, e.g. by using a tool like Tracewrangler. Look at this blog post for more information: https://blog.packet-foo.com/2016/11/t...

Jasper gravatar imageJasper ( 2019-12-05 15:55:19 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
1

answered 2019-12-05 10:16:44 +0000

grahamb gravatar image

Previous segment not captured means exactly that, a segment in the tcp stream has not been captured, this is determined by the tcp sequence numbers. Common at the start of a capture if the initial connection occurred prior to the capture, can also happen if the capturing host dropped a packet, or if there was actual packet loss.

The Ignored Unknown Record occurs because the TLS dissector doesn't understand the data. This might, in your case, be due to tcp segment loss.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2019-12-05 08:57:11 +0000

Seen: 6,265 times

Last updated: Dec 05 '19