
Wireshark-users: [Wireshark-users] Question Regarding Suspected TCP Expert Problem

From: "Fischer, Sean" <Sean.Fischer@xxxxxxxxxxx>
Date: Wed, 6 Jan 2010 11:40:13 -0600

I have a number of captures within which the Wireshark expert indicates hundreds of TCP Previous Segment Lost and TCP ACKed Lost Segment warnings. This is reflected both within the decode window on the packet Info as well as in the Expert Info dialog boxes. A cursory review of the TCP data seems to confirm that the sequence numbers are correct.

I have found that going into preferences and toggling (both on-to-off and off-to-on) Relative Sequence Number and Window Scaling removes the expert info warnings. Reopening the file recreates the warnings until toggling again.

I also found that saving an affected TCP stream out of the capture into its own cap file will cause Wireshark not to issue the warnings.

The capture does include the initial three way handshake of the TCP stream in question. I have no reason to think any packets are not being captured, and the capture is being taken on a dedicated sniffer box with dedicated sniffing NICs on a mirrored switchport. The complete capture is around 8MB. I am using Wireshark 1.2.5 (SVN Rev 31296).

Are there any bugs related to this? Any other helpful suggestions?

Thanks,

Sean