Why is this not a "TCP previous segment not captured"?

Hi,

I am implementing the "TCP segment not captured" analysis flag (aka Wireshark display filter "tcp.analysis.lost_segment") in my application.

With this PCAP file I get a false positive with frame #15328. In Wireshark there is no analysis flag set for this frame. But I would expect a "TCP previous segment not captured" with this.

Can somebody explain why frame #15328 shall have no "TCP previous segment not captured"?

The previous frame in the same direction (#15327) got the analysis flag "TCP Retransmission" and therefore it is not considered to set the "Next expected sequence number", which is then relevant for frame #15328.

From https://www.wireshark.org/docs/wsug_html/: "Next expected sequence number: The last-seen sequence number plus segment length. Set when there are no analysis flags and for zero window probes. This is initially zero and calculated based on the previous packet in the same TCP flow. Note that this may not be the same as the tcp.nxtseq protocol field."

Any idea? Thank you!
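
Added example, not part of the original post and not Wireshark's code: a minimal per-direction tracker run over three constructed segments. It compares the literal reading of the User's Guide text quoted above with a hypothetical high-water-mark update. `Segment`, `analyze` and the sample flow are assumptions, and retransmission detection is simplified to a sequence-number comparison.

```python
# Added example: constructed segments, not taken from the poster's capture.
from dataclasses import dataclass

@dataclass
class Segment:
    frame: int
    seq: int      # relative sequence number
    length: int   # TCP payload length

def seq_gt(a, b):
    """True if a is after b in 32-bit sequence space (wraparound-safe)."""
    return a != b and ((a - b) & 0xFFFFFFFF) < 0x80000000

def analyze(segments, update_only_when_unflagged):
    """Return {frame: flag} for one direction of one TCP flow.

    update_only_when_unflagged=True  -> literal reading of the User's Guide text
    update_only_when_unflagged=False -> hypothetical high-water-mark variant
    """
    next_expected = 0  # "initially zero", treated here as "not yet set"
    flags = {}
    for s in segments:
        flag = None
        if next_expected and s.length > 0:
            if seq_gt(s.seq, next_expected):
                flag = "lost_segment"      # hole before this segment
            elif seq_gt(next_expected, s.seq):
                flag = "retransmission"    # starts in already-seen data
        flags[s.frame] = flag
        end = (s.seq + s.length) & 0xFFFFFFFF
        if update_only_when_unflagged:
            if flag is None:
                next_expected = end
        elif not next_expected or seq_gt(end, next_expected):
            next_expected = end            # advance to highest byte seen
    return flags

# Constructed flow: frame 2 resends old bytes but also carries 100 new ones.
FLOW = [Segment(1, 1, 1000), Segment(2, 901, 200), Segment(3, 1101, 100)]

if __name__ == "__main__":
    for strict in (True, False):
        print("unflagged-only update:", strict, analyze(FLOW, strict))
```

With the unflagged-only update, frame 3 is reported as a lost segment because the flagged frame 2 never advanced the expected sequence number; with the high-water-mark variant, frame 3 carries no flag.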