Joe Kuan wrote:
Hi all,
I have tried to analyse some of the capture files and noticed that
there were 'TCP Previous Segment Lost'. If so, how come I can still
see the data part of the lost segment? I would expect to see all 0x00
in the data part or partial data there. Am I missing something?
I am using Wireshark 1.2 on Mac OS X.
There are a couple of reasons why Wireshark will report this. It's
really up to you to figure the "real" problem.
As others have already mentioned, missing segment means that some chunk
of the TCP transmission went missing.
It can also mean that the packet arrived out of order because some
transit equipment buffered it. For example, if there were two equal
cost parallel links along the path, and per packet load balancing was
enabled, the "smaller" packet could arrive before the "bigger" packet
due to some delay (buffer, serialization, or propagation). So if the
packet train left in this order: (pkt#/size)
sender -> receiver
4/100 -> 3/1460 -> 2/1460 -> 1/1460
it's possible that packet 4 (one hundred bytes) could arrive before
packet 3.
In this case, Wireshark would flag "missing segment" due to the out of
order arrival of the packets.
Another reason is if the span port (mirror port) drops the packets. In
this case, the packet loss was not real as far as the sender/receiver is
concerned. Only the analyzer missed the packet. One way to rule this
out is to see if the packet was retransmitted somewhere down the road.
It's a simple question, but as with most protocol analysis questions,
the answer isn't so simple! :)
--
Thanks,
Hansang
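The three explanations in Hansang's reply, as an added example that is not part of the thread: a small Python replay of one TCP direction that flags a gap the way a passive analyzer does and then decides, from what the capture shows afterwards, whether it was reordering, a real loss that was resent, or a frame only the mirror port dropped. The 3 ms reordering window, the Frame and Gap classes, and the sample capture are assumptions of this example, not Wireshark's own code.

```python
from dataclasses import dataclass

OOO_WINDOW_S = 0.003  # assumed reordering window; Wireshark has a similar preference

@dataclass
class Frame:
    no: int          # frame number in the capture
    t: float         # capture timestamp, seconds
    kind: str        # "data" (sender -> receiver) or "ack" (receiver -> sender)
    seq: int = 0     # first payload byte, relative (data frames)
    length: int = 0  # payload bytes (data frames)
    ack: int = 0     # next byte the receiver expects (ack frames)

@dataclass
class Gap:
    end: int           # first byte after the missing range
    flagged_at: float  # timestamp of the frame that exposed the gap
    frame_no: int      # that frame's number, the one the analyzer flags
    verdict: str = "unresolved"

def analyse(frames):
    """Replay one TCP direction; return {flagged_frame_no: verdict}."""
    next_seq = None  # highest byte seen so far in the capture
    gaps = {}        # gap_start -> Gap
    for f in frames:
        if f.kind == "data":
            if next_seq is None:
                next_seq = f.seq
            if f.seq > next_seq:  # bytes [next_seq, f.seq) never appeared
                gaps[next_seq] = Gap(f.seq, f.t, f.no)  # "previous segment lost"
            for start, g in gaps.items():
                if g.verdict == "unresolved" and f.seq < g.end and f.seq + f.length > start:
                    # gap filled later: a slower path if quick, otherwise the sender had to resend
                    quick = f.t - g.flagged_at <= OOO_WINDOW_S
                    g.verdict = "out-of-order (no loss)" if quick else "retransmission (real loss)"
            next_seq = max(next_seq, f.seq + f.length)
        else:
            for g in gaps.values():
                if g.verdict == "unresolved" and f.ack >= g.end:
                    # receiver already holds bytes the capture never showed: only the analyzer missed them
                    g.verdict = "not seen by analyzer (mirror port drop)"
    return {g.frame_no: g.verdict for g in gaps.values()}

# Constructed capture of Hansang's packet train: the 100-byte packet 4 overtakes packet 3
REORDERED = [
    Frame(1, 0.000, "data", seq=0, length=1460),
    Frame(2, 0.001, "data", seq=1460, length=1460),
    Frame(3, 0.002, "data", seq=4380, length=100),
    Frame(4, 0.003, "data", seq=2920, length=1460),
]
```

A real loss shows up as the gap being filled only after a retransmission-scale delay, while a mirror-port drop shows up as the receiver's ACK moving past a gap the capture never fills.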