Hi, I am testing network problem. I see lots of messages "TCP previous segment not captured" in wireshark. It seems payload size is changed (more in detail, reduced). In this case, how does wireshark detect "TCP previous segment not captured" ? Maybe I guess that wireshark uses sequence number and some other header information. Thanks for the help in advance. Danny asked 02 May '14, 08:30  danny |
One Answer:
The TCP expert module of Wireshark tracks sequence numbers for each TCP connection and detects gaps, meaning that there are TCP segments missing or out-of-order. "TCP previous segment not captured" means that a gap was detected, either because the packet was lost on the way from sender to receiver, or that the capture device recording the packets wasn't fast enough to deal with the incoming flood of packets. Check if you see "TCP ACKed unseen segment" messages as well - if you do, you're most likely having capture performance problems and need to get a better (=faster) capture device when recording packets. answered 02 May '14, 08:44  Jasper ♦♦ |
