Revision history

initial version

Repetitive issue: TCP Previous Segment was not captured

Hi There,

I am seeing the below pattern repeated in my Wireshark capture. On checking further I see a weird message:

"[4 bytes missing in capture file].<nminterface version="1"><nmrtrace><entry srcip="172.16.203.144" srcport="15000" tgtip="10.13.2.3" tgtport="15000" sts="nmsFail" err="Error Connecting To 10.13.2.3:15000 [Connect timed out.]"/></nmrtrace></nminterface>"

My traffic flow is Source 10.11.96.19, Destination NAT IP 10.13.2.3, Destination IP 172.16.203.144, and in reverse.

Giving all the details for full context.

While I understand there might be some packet loss, resulting in the message "TCP Previous Segment was not captured", why does it keep repeating in a similar fashion across my whole packet capture? Why is no SYN or SYN ACK or ACK ever lost? Also, if I capture on the source-side firewall or the destination-side firewall, this message remains constant.

1 2024-07-08 12:51:02.951773 10.11.96.19 172.16.203.144 TCP 74 0 45284 → 15000 [SYN] Seq=0 Win=8192 Len=0 MSS=1452 WS=1 TSval=1863682500 TSecr=0

2 2024-07-08 12:51:02.952743 172.16.203.144 10.11.96.19 TCP 62 0 15000 → 45284 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256

3 2024-07-08 12:51:02.953073 10.11.96.19 172.16.203.144 TCP 54 0 45284 → 15000 [ACK] Seq=1 Ack=1 Win=8192 Len=0

4 2024-07-08 12:51:13.972103 172.16.203.144 10.11.96.19 TCP 310 256 [TCP ACKed unseen segment] [TCP Previous segment not captured] 15000 → 45284 [FIN, PSH, ACK] Seq=5 Ack=189 Win=2102272 Len=256

5 2024-07-08 12:51:13.979024 10.11.96.19 172.16.203.144 TCP 54 0 [TCP ACKed unseen segment] [TCP Previous segment not captured] 45284 → 15000 [FIN, PSH, ACK] Seq=189 Ack=262 Win=8192 Len=0

Apologies if it's a dumb question or not relevant to Wireshark.

Thanks in advance.

Repetitive issue: TCP Previous Segment was not captured

Hi There,

I am seeing the below pattern repeated in my Wireshark capture. On checking further I see a weird message:

"[4 bytes missing in capture file].<?xml version="1.0" encoding="UTF-8"?><nmInterface version="1"><nmrTrace><entry srcIp="172.16.203.144" srcPort="15000" tgtIp="10.13.2.3" tgtPort="15000" sts="nmsFail" err="Error Connecting To 10.13.2.3:15000 [Connect timed out.]"/></nmrTrace></nmInterface>"

My traffic flow is Source 10.11.96.19, Destination NAT IP 10.13.2.3, Destination IP 172.16.203.144, and in reverse.

Giving all the details for full context.

While I understand there might be some packet loss, resulting in the message "TCP Previous Segment was not captured", why does it keep repeating in a similar fashion across my whole packet capture? Why is no SYN or SYN ACK or ACK ever lost? Also, if I capture on the source-side firewall or the destination-side firewall, this message remains constant.

1 2024-07-08 12:51:02.951773 10.11.96.19 172.16.203.144 TCP 74 0 45284 → 15000 [SYN] Seq=0 Win=8192 Len=0 MSS=1452 WS=1 TSval=1863682500 TSecr=0

2 2024-07-08 12:51:02.952743 172.16.203.144 10.11.96.19 TCP 62 0 15000 → 45284 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256

3 2024-07-08 12:51:02.953073 10.11.96.19 172.16.203.144 TCP 54 0 45284 → 15000 [ACK] Seq=1 Ack=1 Win=8192 Len=0

4 2024-07-08 12:51:13.972103 172.16.203.144 10.11.96.19 TCP 310 256 [TCP ACKed unseen segment] [TCP Previous segment not captured] 15000 → 45284 [FIN, PSH, ACK] Seq=5 Ack=189 Win=2102272 Len=256

5 2024-07-08 12:51:13.979024 10.11.96.19 172.16.203.144 TCP 54 0 [TCP ACKed unseen segment] [TCP Previous segment not captured] 45284 → 15000 [FIN, PSH, ACK] Seq=189 Ack=262 Win=8192 Len=0

Apologies if it's a dumb question or not relevant to Wireshark.

Thanks in advance.
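As an added example (not part of the original post, and not Wireshark's own analysis code), the following replays the five posted frames through simplified per-direction sequence-number bookkeeping to show where the flags on frames 4 and 5 come from. Comparing each ACK against the gap-free part of the peer's stream is an assumption of this example.

```python
import re

# Frames 1-5 as posted in the question (Wireshark relative sequence numbers).
CAPTURE = """\
1 2024-07-08 12:51:02.951773 10.11.96.19 172.16.203.144 TCP 74 0 45284 → 15000 [SYN] Seq=0 Win=8192 Len=0 MSS=1452 WS=1 TSval=1863682500 TSecr=0
2 2024-07-08 12:51:02.952743 172.16.203.144 10.11.96.19 TCP 62 0 15000 → 45284 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256
3 2024-07-08 12:51:02.953073 10.11.96.19 172.16.203.144 TCP 54 0 45284 → 15000 [ACK] Seq=1 Ack=1 Win=8192 Len=0
4 2024-07-08 12:51:13.972103 172.16.203.144 10.11.96.19 TCP 310 256 [TCP ACKed unseen segment] [TCP Previous segment not captured] 15000 → 45284 [FIN, PSH, ACK] Seq=5 Ack=189 Win=2102272 Len=256
5 2024-07-08 12:51:13.979024 10.11.96.19 172.16.203.144 TCP 54 0 [TCP ACKed unseen segment] [TCP Previous segment not captured] 45284 → 15000 [FIN, PSH, ACK] Seq=189 Ack=262 Win=8192 Len=0
"""

# frame, src, dst, TCP flags, Seq, optional Ack, Len
ROW = re.compile(
    r"^(\d+)\s+\S+\s+\S+\s+(\S+)\s+(\S+)\s+TCP\b.*?"
    r"\[([A-Z, ]+)\] Seq=(\d+)(?: Ack=(\d+))?.*?\bLen=(\d+)"
)

def analyze(text):
    """Return {frame: (missing_bytes, acks_unseen_data)} for flagged frames."""
    next_seq = {}  # per sender: one past the highest sequence number seen
    contig = {}    # per sender: end of the gap-free part of its stream
    findings = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        frame, src, dst, flags = int(m[1]), m[2], m[3], m[4]
        seq, ack, length = int(m[5]), m[6], int(m[7])
        # SYN and FIN each consume one sequence number.
        end = seq + length + ("SYN" in flags) + ("FIN" in flags)
        # Bytes the sender must have sent between its last seen segment and this one.
        gap = seq - next_seq[src] if src in next_seq else 0
        # Does this ACK cover peer bytes that never appeared in the capture?
        unseen = ack is not None and dst in contig and int(ack) > contig[dst]
        if gap > 0 or unseen:
            findings[frame] = (max(gap, 0), unseen)
        if src not in contig or seq == contig[src]:
            contig[src] = end
        next_seq[src] = max(next_seq.get(src, 0), end)
    return findings

if __name__ == "__main__":
    for frame, (gap, unseen) in analyze(CAPTURE).items():
        print(f"frame {frame}: {gap} bytes missing before it, ACKs unseen data: {unseen}")
```

It reports 4 missing bytes before frame 4, the same count as the "[4 bytes missing in capture file]" note in the post, and 188 missing bytes before frame 5.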