Wireshark-users: Re: [Wireshark-users] Regarding TCP Previous Segment Lost

From: Prigge Scott <PriggeScottM@xxxxxxxxxxxxx>
Date: Tue, 20 Mar 2012 12:24:39 -0500

Ø  the highlighted packets are occurring in a stream that they do not appear to correspond to?

 

Hi. Are you certain they are occurring in the same Wireshark stream? Your spreadsheet doesn't include the stream number, and you didn't provide your display filter. They sure do look like different streams to me, but it's difficult to be definitive without a little more info. If they are in fact different streams, then I think you can safely filter out the stream with the retransmissions. But if they are the same stream, then something weird is definitely going on.

 

On a related note, I have found it to be very helpful to add a custom column I named "Stream", with a Field Type of "Custom" and Field Name of "tcp.stream". I moved that column to the very left of the window, and I find myself glancing at it quite often to make sure I am focused on the right TCP conversation without needing to define a cumbersome filter (e.g. "tcp.stream == 3").

 

Scott