Wireshark-users: Re: [Wireshark-users] Question about "TCP previous segment lost" in LAN

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 04 Jun 2008 10:48:39 -0700

Xu nanxuan wrote:
> I set up a LAN as the test environment, including one FTP server and one client and no other net communication resources (so I think it should be a "clean" net env.). However, when I download a file from the server, there are still lots of packets whose info is "TCP previous segment lost".

There is no guarantee that the machine capturing network traffic will capture every single packet on the network; if packets arrive too fast for the program capturing the traffic to handle, packets might be dropped.

> 1. What's the reason about this?

Perhaps packets are getting dropped in the capture process.

> 2. I also find an interesting phenomenon: the "TCP previous segment lost" packet appears about every 100ms (both the server and client are Windows OS).

Perhaps every 100 ms something is happening on the machine doing the capturing that takes enough CPU time, or disk bandwidth, or network bandwidth, or..., so that packets are dropped in the capture process.

Are you doing an "Update list of packets in real time" capture with Wireshark? If not, try not doing so - turning off "Update list of packets in real time" will significantly reduce the amount of CPU time and bus bandwidth required by Wireshark while capturing.

Are you using a capture filter that discards as much of the traffic you're not interested in as possible? If not, try doing so - that'll reduce the amount of traffic passed to the capture mechanism, so that the capture mechanism, and Wireshark/TShark/dumpcap, won't have to handle as much traffic, and might be less likely to drop packets.

What operating system is the host doing the capturing running?

See also the "Packet drops while capturing" section of

	http://wiki.wireshark.org/Performance
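
One way to check whether a "TCP previous segment lost" gap comes from the capture rather than from the network, as an added example that is not part of the original message: if the receiver later ACKs bytes the capture never saw and no retransmission fills the hole, the capturing host dropped the packet. The `Seg` record, `classify_gaps` and the sample trace are constructed for illustration; sequence numbers are relative, as Wireshark displays them.

```python
from dataclasses import dataclass

@dataclass
class Seg:
    t: float     # capture timestamp (s)
    src: str     # "server" (data sender) or "client" (receiver)
    seq: int     # relative sequence number
    length: int  # TCP payload bytes
    ack: int     # relative acknowledgment number

def classify_gaps(segs, sender="server"):
    """Find holes in the sender's byte stream and say what explains each one."""
    next_seq, highest_ack, gaps = 0, 0, []   # gaps: [start, end, filled_later]
    for s in segs:
        if s.src != sender:
            highest_ack = max(highest_ack, s.ack)  # what the receiver really got
            continue
        if s.length == 0:
            continue
        if s.seq > next_seq:                       # Wireshark: previous segment lost
            gaps.append([next_seq, s.seq, False])
        elif s.seq < next_seq:                     # retransmitted or reordered data
            for g in gaps:                         # simplification: must cover whole gap
                if s.seq <= g[0] and s.seq + s.length >= g[1]:
                    g[2] = True
        next_seq = max(next_seq, s.seq + s.length)
    out = []
    for start, end, filled in gaps:
        if filled:
            verdict = "filled_later"   # real loss or reordering on the wire
        elif highest_ack >= end:
            verdict = "acked_unseen"   # receiver has it, capture does not: capture drop
        else:
            verdict = "unresolved"     # capture ended before we could tell
        out.append((start, end, verdict))
    return out

# Constructed trace: 1460-byte segments from an FTP data transfer.
SAMPLE = [
    Seg(0.000, "server", 0, 1460, 0), Seg(0.001, "server", 1460, 1460, 0),
    Seg(0.003, "server", 4380, 1460, 0),      # 2920..4380 missing from capture
    Seg(0.004, "client", 0, 0, 5840),         # ...but the client ACKs past it
    Seg(0.005, "server", 5840, 1460, 0),
    Seg(0.007, "server", 8760, 1460, 0),      # 7300..8760 missing
    Seg(0.008, "client", 0, 0, 7300),         # duplicate ACK: client lacks it too
    Seg(0.210, "server", 7300, 1460, 0),      # retransmission fills the hole
    Seg(0.211, "client", 0, 0, 10220), Seg(0.212, "server", 10220, 1460, 0),
    Seg(0.214, "server", 13140, 1460, 0),     # 11680..13140 missing, trace ends
]

if __name__ == "__main__":
    for gap in classify_gaps(SAMPLE):
        print(gap)
```

Gaps reported as `acked_unseen` correspond to what Wireshark marks "TCP ACKed unseen segment" and point at the capturing host, not the LAN.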