Hi Luke,
On Fri, Jun 01, 2018 at 02:47:06AM +0000, luke devon via Wireshark-users wrote:
> While analysing the captured pcap in wireshark, I have found significant occurrences of following messages. There is no extra hops in between the switch and particular server where I am capturing the traces using dumpcap. As I checked, I don’t see any packet TX/RX failures in the server’s network interfaces.
>
> May I know what could be the root cause and how can I fix it?
>
> ACKed segment that wasn't captured (common at capture start)
> Previous segment(s) not captured (common at capture start)

This message could occur for several reasons:
- A capture was started while a connection was already established. Fix:
start a capture before opening the application/connection.
- The capture device could not keep up with the number of packets and
started dropping packets. This is not the same as TX/RX issues.
Packets could still be transmitted/received fine, but dropped during
the live capture. You can try to set capture filters (e.g. "port 53")
for the traffic you are interested in.
- If the packets go through the public Internet, packet reordering might
occur. You'll likely see "Out-of-Order" or "Retransmission" notes
following the affected segments. There is not much to do from a
network POV, this is pretty common. If you are analyzing application
layer traffic, note that such behavior might break reassembly. In the
next version of Wireshark (2.9/3.x), there will be a TCP preference
that can be enabled to enable reassembly:
https://www.wireshark.org/docs/wsug_html_chunked/ChAdvReassemblySection.html#ChAdvReassemblyTcp

When troubleshooting, it can be beneficial to add a column for
"tcp.stream" (or just apply a display filter for it). That way, you can
focus on one connection. E.g. the first reason above should only be
visible at the beginning of a stream and should not occur later in a stream.
Hope it helps.
--
Kind regards,
Peter Wu
https://lekensteyn.nl
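
Added example, not part of the reply above or of Wireshark itself: a per-stream triage of sequence anomalies that separates the cases the reply lists (capture joined mid-connection, hole never filled, hole filled by a later segment). The row layout, the "c2s"/"s2c" direction labels, the `classify` function and the sample packets are assumptions constructed for illustration; sequence numbers are treated as relative, without wraparound, and only a late segment that starts exactly at the hole is recognised.

```python
from collections import defaultdict

MID, LOST, LATE = "capture started mid-connection", "hole never filled", "hole filled later"

# Constructed rows: (frame, tcp.stream, direction, seq, payload_len, ack, syn)
PACKETS = [
    (1, 0, "s2c", 5000, 100, 900, False),   # stream 0: no handshake captured
    (2, 0, "c2s", 900, 50, 5100, False),
    (3, 1, "c2s", 0, 0, 0, True),           # stream 1: handshake captured
    (4, 1, "s2c", 0, 0, 1, True),
    (5, 1, "c2s", 1, 100, 1, False),
    (6, 1, "c2s", 301, 100, 1, False),      # bytes 101..300 never appear
    (7, 1, "s2c", 1, 0, 401, False),
    (8, 2, "c2s", 0, 0, 0, True),           # stream 2: handshake captured
    (9, 2, "s2c", 0, 0, 1, True),
    (10, 2, "c2s", 1, 100, 1, False),
    (11, 2, "c2s", 201, 100, 1, False),     # bytes 101..200 skipped for now
    (12, 2, "c2s", 101, 100, 1, False),     # late segment fills the hole
]

def classify(packets):
    """Return {stream: [(frame, verdict), ...]} for sequence anomalies."""
    next_seq, saw_syn, holes = {}, set(), {}
    out = defaultdict(list)
    for frame, stream, direction, seq, length, ack, syn in packets:
        key = (stream, direction)
        peer = (stream, "s2c" if direction == "c2s" else "c2s")
        if syn:
            saw_syn.add(stream)
            next_seq[key] = seq + 1             # SYN consumes one sequence number
            continue
        # ACK covers peer data the capture never saw
        if ack > next_seq.get(peer, -1):
            out[stream].append((frame, LOST if stream in saw_syn else MID))
            next_seq[peer] = ack
        expected = next_seq.setdefault(key, seq)
        if seq > expected:                      # previous segment not captured
            holes[(key, expected)] = frame
        elif (key, seq) in holes:               # start of the hole arrives late
            out[stream].append((holes.pop((key, seq)), LATE))
        next_seq[key] = max(expected, seq + length)
    for (key, _start), frame in holes.items():  # holes still open at end of capture
        out[key[0]].append((frame, LOST))
    return {stream: sorted(v) for stream, v in out.items()}

if __name__ == "__main__":
    for stream, findings in sorted(classify(PACKETS).items()):
        print(stream, findings)
```

A stream whose only finding is the mid-connection verdict on its first frames matches the first reason in the reply; never-filled holes inside streams with a captured handshake are the ones worth checking against capture drop counters.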