Wireshark-users: Re: [Wireshark-users] 32768 bytes missing in capture file

From: Sake Blok <sake@xxxxxxxxxx>
Date: Tue, 13 May 2008 20:04:09 +0200
First of all, could you please choose to send mails with HTML *and*
ASCII? Yes, some of us do still read mail with non-HTML readers :-)


On Sat, May 10, 2008 at 12:04:21AM -0700, Deepti Kumar wrote:

> After the file transfer, when I right-click and see "Follow TCP Stream" 
> and see the number of bytes exchanged, it is less than 11MB (the number 
> of bytes that should actually have been exchanged). I check the data in 
> the display window of "Follow TCP Stream" and see that there are some 
> bytes missing:
> 
> >32768 bytes missing in capture file
> >[-32768 bytes missing in capture file]
> >[16384 bytes missing in capture file]
> 
> My question is 
> (1) Why has Wireshark not captured these files? (Note: The download 
> gives me the complete file)

When the text "[xxx bytes missing in capture file]" appears in the
Follow TCP Stream output, it means that Wireshark is not able to
reassemble all the TCP fragments, resulting in gaps within the TCP
stream. This can happen when the capturing device was not able to
capture all traffic to disk during the capture. In that case all
packets were indeed on the wire (hence the complete download), but
not all data is in the capture file (hence the XXX bytes missing
messages).


> (2) What are these negative values?

That should not happen. I think there might be a bug in the code 
that displays these messages. Could you please open a bug report on
http://bugs.wireshark.org and attach the capture file that shows
this behavior? I will try to have a look at it when time permits :-)

Thanks!
Cheers,
    Sake
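
The gap detection described in the reply above, as an added example (not Wireshark's code and not part of the original mail): given the (sequence number, payload length) pairs seen for one direction of a TCP connection, it lists the byte ranges absent from the capture. The function names, the segment list and the starting sequence number are constructed for illustration, and the sketch assumes a stream shorter than 2 GiB.

```python
MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


def seq_diff(a, b):
    """Signed distance a - b in 32-bit sequence space."""
    d = (a - b) % MOD
    return d - MOD if d >= MOD // 2 else d


def find_gaps(segments, first_seq):
    """Return [(stream_offset, missing_bytes), ...] for one direction.

    segments:  (seq, payload_len) pairs in capture order
    first_seq: sequence number of the first payload byte of the stream
    """
    # Convert to offsets relative to the stream start so that wraparound,
    # out-of-order arrival and retransmissions are handled by one sort.
    rel = sorted((seq_diff(seq, first_seq), length)
                 for seq, length in segments if length > 0)
    gaps, next_off = [], 0
    for off, length in rel:
        if off > next_off:                     # bytes never seen in the capture
            gaps.append((next_off, off - next_off))
        # max() keeps overlaps and duplicates from moving the cursor back,
        # so a reported gap size can never be negative.
        next_off = max(next_off, off + length)
    return gaps


def report(gaps):
    """Format gaps in the style of the Follow TCP Stream message."""
    return ["[%d bytes missing in capture file]" % size for _, size in gaps]


# Constructed sample: stream starts 16384 bytes before the sequence number
# wraps; one segment arrives out of order and one is a retransmission.
FIRST_SEQ = 0xFFFFC000
SEGMENTS = [
    (0xFFFFC000, 16384),  # offset 0
    (65536, 16384),       # offset 81920, captured early (out of order)
    (32768, 16384),       # offset 49152, after the wrap
    (32768, 16384),       # retransmission of the same bytes
]

if __name__ == "__main__":
    for line in report(find_gaps(SEGMENTS, FIRST_SEQ)):
        print(line)
```

A non-empty result on a transfer that completed successfully points at drops on the capturing side rather than loss on the wire, which matches the explanation given for question (1).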