Wireshark

  • Riverbed Technology
  • WinPcap
the world's foremost network protocol analyzer
  • Wireshark
    • About
    • Download
    • Blog
  • Get Help
    • Ask a Question
    • FAQs
    • Documentation
    • Mailing Lists
    • Online Tools
    • Wiki
    • Bug Tracker
  • Develop
    • Get Involved
    • Developer's Guide
    • Browse the Code
    • Latest Builds

Wireshark-users: Re: [Wireshark-users] Question Regarding Suspected TCP Expert Problem

Date Index Thread Index Other Months All Mailing Lists
Date Prev Date Next Thread Prev Thread Next


From: "Sake Blok" <sake@xxxxxxxxxx>
Date: Thu, 7 Jan 2010 17:09:40 +0100

Sean,
 
I have not encountered this before, but the behavior should be consistent between loading files and turning things off and on again (why does "The IT crowd" pop up in my head now ;-)).
 
Would it be possible for you to share the file so I could have a look? You can open a bug at bugs.wireshark.org and attach the file or send it directly to me if you don't want it on a public website.
 
Cheers,
 
 
Sake
 
----- Original Message -----
From: Fischer, Sean
To: wireshark-users@xxxxxxxxxxxxx
Sent: Wednesday, January 06, 2010 6:40 PM
Subject: [Wireshark-users] Question Regarding Suspected TCP Expert Problem

I have a number of captures within which the Wireshark expert indicates hundreds of TCP Previous Segment Lost and TCP ACKed Lost Segment warnings.  This is reflected both within the decode window on the packet Info as well as in the Expert Info dialog boxes.  A cursory review of the TCP data seems to confirm that the sequence numbers are correct.

 

I have found that going into preferences and toggling (both on-to-off and off-to-on) Relative Sequence Number and Window Scaling removes the expert info warnings.  Reopening the file recreates the warnings until toggling again.

 

I also found that saving an affected TCP stream out of the capture into its own cap file will cause Wireshark not to issue the warnings.

 

The capture does include the initial three way handshake of the TCP stream in question.  I have no reason to think any packets are not being captured, and the capture is being taken on a dedicated sniffer box with dedicated sniffing NICs on a mirrored switchport.  The complete capture is around 8MB.  I am using Wireshark 1.2.5 (SVN Rev 31296).

 

Are there any bugs related to this?  Any other helpful suggestions?

 

Thanks,

 

Sean

 

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
  • References:
    • [Wireshark-users] Question Regarding Suspected TCP Expert Problem
      • From: Fischer, Sean
  • Prev by Date: [Wireshark-users] Filter by size then export
  • Next by Date: Re: [Wireshark-users] tshark packets droppped
  • Previous by thread: [Wireshark-users] Question Regarding Suspected TCP Expert Problem
  • Next by thread: [Wireshark-users] Promiscuous mode on MacBook Pro
  • Index(es):
    • Date
    • Thread

Wireshark and the "fin" logo are registered trademarks of the Wireshark Foundation