I see that wireshark is flagging below packets as tcp acked uncseen segements in e.g. packet 50, 56, 62. But why? If I look that the pervious packets 49, 55 and 61 the ack, seq number, next seq number and segment len are all in harmony as far as I can tell. I don't see that 10.84.4.57 is acknowledging data that isn't in the trace. One thing perhaps is that 10.73.204.211 is using TSO/offloading and therefore wireshark might know that there should been two or more packets. But if Wireshark does know that then look at packet 79/80. There I see a similar exchange of packets as in 49/50, 55/56, 61/62 but here there is no need for TSO as the packet contains only 645 bytes and still 62 is flagged as ack of unseen segment. Also look at 69/70 there same exchange as in 9/50, 55/56, 61/62 and here also a big packet which will be two on the wire but here wireshark does not flag it as tcp acked unseen segment.
So what is the rule for wireshark to come to the conclusion a tcp acked unseen segment.
