Wireshark-users: Re: [Wireshark-users] Question about "TCP previous segment lost" in LAN
From: Guy Harris <[email protected]>
Date: Wed, 04 Jun 2008 10:48:39 -0700
Xu nanxuan wrote:
I set up a LAN as the test environment, including one FTP server and one client and no other net communication resources (so I think it should be a "clean" net env.). However, when I download a file from the server, there are still lots of packets whose info is "TCP previous segment lost".
There is no guarantee that the machine capturing network traffic will 
capture every single packet on the network; if packets arrive too fast 
for the program capturing the traffic to handle, packets might be dropped.
1. What's the reason for this?
Perhaps packets are getting dropped in the capture process.

2. I also find an interesting phenomenon: the "TCP previous segment lost" packet appears about every 100ms (both the server and client are Windows OS).
Perhaps every 100 ms something is happening on the machine doing the 
capturing that takes enough CPU time, or disk bandwidth, or network 
bandwidth, or..., so that packets are dropped in the capture process.

Are you doing an "Update list of packets in real time" capture with 
Wireshark?  If not, try not doing so - turning off "Update list of 
packets in real time" will significantly reduce the amount of CPU time 
and bus bandwidth required by Wireshark while capturing.

Are you using a capture filter that discards as much of the traffic 
you're not interested in as possible?  If not, try doing so - that'll 
reduce the amount of traffic passed to the capture mechanism, so that 
the capture mechanism, and Wireshark/TShark/dumpcap, won't have to 
handle as much traffic, and might be less likely to drop packets.

What operating system is the host doing the capturing running?

See also the "Packet drops while capturing" section of
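
Added example (not part of the original thread): one way to tell capture-side drops from real network loss in a trace like the one discussed above. A sequence gap that the receiver later ACKs without any retransmission appearing in the capture was delivered but never captured; a gap filled by a later segment points to real loss. The packet tuples, function names, and relative sequence numbers (no wraparound handling) are constructed assumptions.

```python
CAPTURE_DROP = "capture drop"   # receiver ACKed bytes the capture never saw
NETWORK_LOSS = "network loss"   # gap was filled later by a retransmission

# Constructed sample: (time_s, direction, seq, payload_len, ack).
# "S" = server-to-client data, "C" = client-to-server ACKs.
SAMPLE = [
    (0.000, "S", 1,    1000, 0),
    (0.010, "S", 1001, 1000, 0),
    (0.020, "C", 0,    0,    2001),
    (0.100, "S", 3001, 1000, 0),     # bytes 2001-3000 missing from the capture
    (0.110, "C", 0,    0,    4001),  # cumulative ACK covers the missing bytes
    (0.120, "S", 4001, 1000, 0),
    (0.200, "S", 6001, 1000, 0),     # bytes 5001-6000 missing
    (0.210, "C", 0,    0,    5001),  # duplicate ACK: receiver lacks them too
    (0.230, "S", 5001, 1000, 0),     # retransmission fills the gap
    (0.240, "C", 0,    0,    7001),
]

def classify_gaps(packets):
    """Find sequence gaps in the data direction and decide how each resolved."""
    next_seq = None
    gaps = []
    for t, direction, seq, length, ack in packets:
        if direction == "S" and length > 0:
            if next_seq is None:
                next_seq = seq
            if seq > next_seq:
                # What Wireshark would flag as "TCP previous segment lost".
                gaps.append({"t": t, "start": next_seq, "end": seq, "verdict": None})
            elif seq < next_seq:
                # Retransmitted (or reordered) data overlapping an open gap.
                for g in gaps:
                    if g["verdict"] is None and seq < g["end"] and seq + length > g["start"]:
                        g["verdict"] = NETWORK_LOSS
            next_seq = max(next_seq, seq + length)
        elif direction == "C":
            # An ACK at or past the end of an unfilled gap means the receiver
            # has the data, so only the capture missed it.
            for g in gaps:
                if g["verdict"] is None and ack >= g["end"]:
                    g["verdict"] = CAPTURE_DROP
    return gaps

def gap_spacing(gaps):
    """Seconds between consecutive gaps, to check for a periodic pattern."""
    times = [g["t"] for g in gaps]
    return [round(b - a, 3) for a, b in zip(times, times[1:])]

if __name__ == "__main__":
    found = classify_gaps(SAMPLE)
    print([(g["start"], g["end"], g["verdict"]) for g in found], gap_spacing(found))
```

Gaps that still have a verdict of `None` at the end of the trace were neither ACKed nor filled within the capture.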