Comment # 3
on bug 9875
from Hadriel Kaplan
Right, so look at frame #32 in the file you uploaded. It says "Expert Info
(Warn/Sequence): Previous segment not captured (common at capture start)". I
wouldn't be surprised to see this at the start, but this isn't the start of the
TCP stream even in this capture file - we have the previous segments, and in
fact the TLS dissector re-acquired the parsing at frame #31 right before it.
(the one that shows a lot of "Application Data" messages)
It's possible your device is using SACK and will re-transmit that missing
segment later, but it doesn't look like it. And frame #34 shows it ACKing the
next segment, and thus prints another expert warning that the acknowledged
sequence number is beyond the missing segment (i.e., that the pcap file doesn't
have that missing segment)
Can you look back in your original capture file and see if you see the same
thing?
This would be frame #50041 in your original file, I think.
So basically this means your original capture missed some packets (i.e.,
dropped them instead of capturing them). Because of that, the TLS dissector
has to guess for the next segments it sees that the message starts on the TCP
segment boundary - and it guessed wrong.
But that's not really a bug in wireshark. Wireshark gets its captures from
dumpcap, and it can't always keep up with the speed of packets on-the-wire.
When you captured this originally, it should have shown a "dropped packets"
number at the bottom of the GUI window.
You are receiving this mail because:
- You are watching all bug changes.
