
Repetitive issue: TCP Previous Segment was not captured

asked 2024-07-08 01:31:11 +0000

updated 2024-07-08 07:41:26 +0000

SYN-bit

Hi There,

I am seeing the pattern below repeated in my Wireshark capture. On checking further I see a weird message:

"[4 bytes missing in capture file].<?xml version="1.0" encoding="UTF-8"?><nmInterface version="1"><nmrTrace><entry srcIp="" srcPort="15000" tgtIp="" tgtPort="15000" sts="nmsFail" err="Error Connecting To [Connect timed out.]"/></nmrTrace></nmInterface>"

My traffic flow is Source Destination NAT IP Destination IP and in reverse.

Giving all the details for full context.

While I understand there might be some packet loss, resulting in the message "TCP Previous Segment was not captured", why does it keep repeating in a similar fashion across my whole packet capture? Why is no SYN, SYN-ACK or ACK ever lost? Also, if I capture on the source-side firewall or the destination-side firewall, this message remains constant.

1  2024-07-08 12:51:02.951773  TCP  74   0    45284 → 15000 [SYN] Seq=0 Win=8192 Len=0 MSS=1452 WS=1 TSval=1863682500 TSecr=0
2  2024-07-08 12:51:02.952743  TCP  62   0    15000 → 45284 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256
3  2024-07-08 12:51:02.953073  TCP  54   0    45284 → 15000 [ACK] Seq=1 Ack=1 Win=8192 Len=0
4  2024-07-08 12:51:13.972103  TCP  310  256  [TCP ACKed unseen segment] [TCP Previous segment not captured] 15000 → 45284 [FIN, PSH, ACK] Seq=5 Ack=189 Win=2102272 Len=256
5  2024-07-08 12:51:13.979024  TCP  54   0    [TCP ACKed unseen segment] [TCP Previous segment not captured] 45284 → 15000 [FIN, PSH, ACK] Seq=189 Ack=262 Win=8192 Len=0

Apologies if it's a dumb question or not relevant to Wireshark.

Thanks in advance.


1 Answer


answered 2024-07-08 07:58:57 +0000

SYN-bit

Not knowing the exact nature of your infrastructure, I can only make some guesses based on the provided information.

  • The client ( opens a TCP connection to, which seems to be terminated on a device that is configured to forward the connection to
  • This device tries to open a connection to for 10 seconds (delta time between frame 3 and frame 4), but it does not succeed in time (see the part [Connect timed out.] in the error message in frame 4).
  • From a TCP standpoint, there are 4 bytes missing in the packet capture, as the TCP sequence number jumps from 1 to 5 between packet 2 and 4. If this is consistently happening, that most likely is a bug on the device.

To analyze this a little more in detail, could you make a capture on the forwarding device ( and include both the traffic between and that device as well as the traffic between the device and in the packet capture?

Then please share the file on a public filesharing service.

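The sequence-number jump described in the answer can be checked mechanically. The following is an added example, not part of the original answer: the frame summaries are constructed from the five frames quoted in the question, and `find_gaps` is a hypothetical helper that is much simpler than Wireshark's own TCP analysis. It also shows that the client direction jumps from 1 to 189, a 188-byte hole.

```python
import re

# Constructed from the frame summaries in the question (relative seq numbers,
# Wireshark's bracketed analysis annotations left out).
FRAMES = """\
1 45284 → 15000 [SYN] Seq=0 Win=8192 Len=0
2 15000 → 45284 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0
3 45284 → 15000 [ACK] Seq=1 Ack=1 Win=8192 Len=0
4 15000 → 45284 [FIN, PSH, ACK] Seq=5 Ack=189 Win=2102272 Len=256
5 45284 → 15000 [FIN, PSH, ACK] Seq=189 Ack=262 Win=8192 Len=0
"""

LINE = re.compile(r"^\s*(\d+)\s+(\d+) → (\d+) \[([^\]]+)\] Seq=(\d+).*?Len=(\d+)")


def find_gaps(summary):
    """Return (frame, src_port, missing_bytes) for every segment that starts
    beyond the next sequence number expected in its direction."""
    next_seq = {}  # (src_port, dst_port) -> next expected sequence number
    gaps = []
    for line in summary.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        frame, src, dst, flags, seq, length = m.groups()
        frame, seq, length = int(frame), int(seq), int(length)
        key = (src, dst)
        expected = next_seq.get(key)
        if expected is not None and seq > expected:
            gaps.append((frame, int(src), seq - expected))
        # SYN and FIN each consume one sequence number on top of the payload.
        consumed = length + sum(f in ("SYN", "FIN") for f in flags.split(", "))
        next_seq[key] = max(expected or 0, seq + consumed)
    return gaps


if __name__ == "__main__":
    for frame, port, missing in find_gaps(FRAMES):
        print(f"frame {frame}: {missing} bytes sent from port {port} are not in the capture")
```
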


Thank you for the response. Unfortunately org policy doesn't allow us to install Wireshark on this server. Will see if we can get some approvals. Thank you again!

n00b_shark ( 2024-07-09 23:59:39 +0000 )

You don't need Wireshark on the server. Any Linux system probably has tcpdump installed. And Windows has its own packet capture tool that might do the trick.

hugo.vanderkooij ( 2024-07-10 06:32:13 +0000 )

I'm also encountering this issue in my Wireshark capture. The pattern with the message [4 bytes missing in capture file].

<?xml version="1.0" encoding="UTF-8"?>
<nmInterface version="1">
        <entry srcIp="" srcPort="15000" tgtIp="" tgtPort="15000" sts="nmsFail" err="Error Connecting To [Connect timed out.]"/>

is repeatedly showing up. My traffic flow involves a source of and a destination NAT IP of, with the actual destination IP being, and this pattern is consistent across both source-side and destination-side firewall captures.

While packet loss might explain the "TCP Previous Segment was not captured" message, it’s puzzling why SYN, SYN-ACK, and ACK packets are not lost, and this specific message pattern keeps repeating.

Any insights into ...(more)

joepalick ( 2024-07-11 18:17:25 +0000 )

I'm puzzled by the exact same IP-addresses in your network. Are they really the same as the ones from the original poster?

What does stand out is that the length of the text representation of is 4 characters longer than the text representation of This raises the question whether there is any ALG involved that might mess up the sequence numbers due to a bug in the ALG?

Also I'm confused about the IP addresses. I assumed the traffic was -> before the NAT (which I assume is done on the firewall) and -> after NAT has taken place, but your text seems to state the opposite.

As answered already, pcap files of the traffic on both sides of the ...(more)

SYN-bit ( 2024-07-12 05:43:57 +0000 )
