Repetitive issue: TCP Previous Segment was not captured

asked 2024-07-08 01:31:11 +0000

updated 2024-07-08 07:41:26 +0000

Hi There,

I am seeing the pattern below repeated in my Wireshark capture. On checking further I see this weird message:

"[4 bytes missing in capture file].<?xml version="1.0" encoding="UTF-8"?><nmInterface version="1"><nmrTrace><entry srcIp="172.16.203.144" srcPort="15000" tgtIp="10.13.2.3" tgtPort="15000" sts="nmsFail" err="Error Connecting To 10.13.2.3:15000 [Connect timed out.]"/></nmrTrace></nmInterface>"

My traffic flow is Source 10.11.96.19 Destination NAT IP 10.13.2.3 Destination IP 172.16.203.144 and in reverse.

Giving all the details for full context.

While I understand there might be some packet loss, resulting in the message "TCP Previous Segment was not captured", why does it keep repeating in a similar fashion across my whole packet capture? Why is no SYN, SYN ACK or ACK ever lost? Also, whether I capture on the source-side firewall or the destination-side firewall, this message remains constant.

1  2024-07-08 12:51:02.951773  10.11.96.19     172.16.203.144  TCP  74   0    45284 → 15000 [SYN] Seq=0 Win=8192 Len=0 MSS=1452 WS=1 TSval=1863682500 TSecr=0
2  2024-07-08 12:51:02.952743  172.16.203.144  10.11.96.19     TCP  62   0    15000 → 45284 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256
3  2024-07-08 12:51:02.953073  10.11.96.19     172.16.203.144  TCP  54   0    45284 → 15000 [ACK] Seq=1 Ack=1 Win=8192 Len=0
4  2024-07-08 12:51:13.972103  172.16.203.144  10.11.96.19     TCP  310  256  [TCP ACKed unseen segment] [TCP Previous segment not captured] 15000 → 45284 [FIN, PSH, ACK] Seq=5 Ack=189 Win=2102272 Len=256
5  2024-07-08 12:51:13.979024  10.11.96.19     172.16.203.144  TCP  54   0    [TCP ACKed unseen segment] [TCP Previous segment not captured] 45284 → 15000 [FIN, PSH, ACK] Seq=189 Ack=262 Win=8192 Len=0

Apologies if it's a dumb question or not relevant to Wireshark.

Thanks in advance.

1 Answer

answered 2024-07-08 07:58:57 +0000

Not knowing the exact nature of your infrastructure, I can only make some guesses based on the provided information.

  • The client (10.11.96.19) opens a TCP connection to 172.16.203.144, which seems to be terminated on a device that is configured to forward the connection to 10.13.2.3.
  • This device tries to open a connection to 10.13.2.3 for 10 seconds (delta time between frame 3 and frame 4), but it does not succeed in time (see the part [Connect timed out.] in the error message in frame 4).
  • From a TCP standpoint, there are 4 bytes missing in the packet capture, as the TCP sequence number jumps from 1 to 5 between packet 2 and 4. If this is consistently happening, that most likely is a bug on the device.

To analyze this in a little more detail, could you make a capture on the forwarding device (172.16.203.144) and include both the traffic between 10.11.96.19 and that device as well as the traffic between the device and 10.13.2.3 in the packet capture?

Then please share the file on a public filesharing service.

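As an added example (not part of the question or the answer above), the following Python re-derives the two Wireshark expert flags from relative sequence numbers, using the five frame summaries from the question as constructed input with Wireshark's own flags stripped, and measures the frame 3 to frame 4 delay the answer refers to. The field names and flag wording are my own.

```python
import re
from datetime import datetime

# Constructed input: the five summary lines from the question, minus the "[TCP ...]" flags.
FRAMES = """
1 2024-07-08 12:51:02.951773 10.11.96.19 172.16.203.144 TCP 74 0 45284 → 15000 [SYN] Seq=0 Win=8192 Len=0 MSS=1452 WS=1 TSval=1863682500 TSecr=0
2 2024-07-08 12:51:02.952743 172.16.203.144 10.11.96.19 TCP 62 0 15000 → 45284 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256
3 2024-07-08 12:51:02.953073 10.11.96.19 172.16.203.144 TCP 54 0 45284 → 15000 [ACK] Seq=1 Ack=1 Win=8192 Len=0
4 2024-07-08 12:51:13.972103 172.16.203.144 10.11.96.19 TCP 310 256 15000 → 45284 [FIN, PSH, ACK] Seq=5 Ack=189 Win=2102272 Len=256
5 2024-07-08 12:51:13.979024 10.11.96.19 172.16.203.144 TCP 54 0 45284 → 15000 [FIN, PSH, ACK] Seq=189 Ack=262 Win=8192 Len=0
"""
LINE = re.compile(r"^(\d+) (\S+ \S+) (\S+) (\S+) TCP \d+ \d+ (\d+) → (\d+) "
                  r"\[([^\]]+)\] Seq=(\d+)(?: Ack=(\d+))? Win=\d+ Len=(\d+)")

def parse(text):
    frames = []
    for m in (LINE.match(line) for line in text.strip().splitlines()):
        frames.append({"no": int(m[1]),
                       "t": datetime.strptime(m[2], "%Y-%m-%d %H:%M:%S.%f"),
                       "src": (m[3], int(m[5])), "dst": (m[4], int(m[6])),
                       "flags": {x.strip() for x in m[7].split(",")},
                       "seq": int(m[8]), "ack": int(m[9]) if m[9] else None,
                       "len": int(m[10])})
    return frames

def analyze(frames):
    """Return {frame_no: [flag, ...]}. expected[d] = relative seq sender d should use
    next; contiguous[d] = relative seq up to which every byte from d was captured."""
    expected, contiguous, notes = {}, {}, {}
    for f in frames:
        d, rev, flags = (f["src"], f["dst"]), (f["dst"], f["src"]), []
        gap = d in expected and f["seq"] > expected[d]
        if gap:
            flags.append("previous segment not captured (%d bytes missing)"
                         % (f["seq"] - expected[d]))
        # SYN and FIN each consume one sequence number
        expected[d] = f["seq"] + f["len"] + ("SYN" in f["flags"]) + ("FIN" in f["flags"])
        if not gap:
            contiguous[d] = expected[d]
        # Acking beyond what we saw the peer send means the acked data was never captured
        if f["ack"] is not None and f["ack"] > contiguous.get(rev, 0):
            flags.append("ACKed unseen segment")
        notes[f["no"]] = flags
    return notes

def delta_seconds(frames, a, b):
    t = {f["no"]: f["t"] for f in frames}
    return (t[b] - t[a]).total_seconds()
```

Besides the 4 missing server bytes (seq 1 to 5), the same check reports that the client's request (seq 1 to 189 in frame 5) is absent from the capture, so the capture point is missing data in both directions.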

Comments

Thank you for the response, Unfortunately org policy doesn't allow us to install Wireshark on this server. Will see if we can get some approvals. Thank you again!

n00b_shark (2024-07-09 23:59:39 +0000)

You don't need Wireshark on the server. Any Linux system probably has tcpdump installed. And Windows has its own packet capture tool that might do the trick.

hugo.vanderkooij (2024-07-10 06:32:13 +0000)

I'm also encountering this issue in my Wireshark capture. The pattern with the message "[4 bytes missing in capture file]." followed by

<?xml version="1.0" encoding="UTF-8"?>
<nmInterface version="1">
    <nmrTrace>
        <entry srcIp="172.16.203.144" srcPort="15000" tgtIp="10.13.2.3" tgtPort="15000" sts="nmsFail" err="Error Connecting To 10.13.2.3:15000 [Connect timed out.]"/>
     </nmrTrace>
</nmInterface>

is repeatedly showing up. My traffic flow involves a source of 10.11.96.19 and a destination NAT IP of 10.13.2.3, with the actual destination IP being 172.16.203.144, and this pattern is consistent across both source-side and destination-side firewall captures.

While packet loss might explain the "TCP Previous Segment was not captured" message, it’s puzzling why SYN, SYN-ACK, and ACK packets are not lost, and this specific message pattern keeps repeating.

Any insights into ...(more)

joepalick (2024-07-11 18:17:25 +0000)

I'm puzzled by the exact same IP addresses in your network. Are they really the same as the ones from the original poster?

What does stand out is that the length of the text representation of 172.16.203.144 is 4 characters longer than the text representation of 10.13.2.3. This raises the question whether there is any ALG involved that might mess up the sequence numbers due to a bug in the ALG?

Also, I'm confused by the IP addresses: I assumed the traffic was 10.11.96.19:15000 -> 172.16.203.144:15000 before the NAT (which I assume is done on the firewall) and 10.11.96.19:15000 -> 10.13.2.3:15000 after NAT has taken place, but your text seems to state the opposite.

As answered already, pcap files of the traffic on both sides of the ...(more)

SYN-bit (2024-07-12 05:43:57 +0000)

Stats

Asked: 2024-07-08 01:31:11 +0000

Seen: 196 times

Last updated: Jul 12