I have a number of captures within which the Wireshark
expert indicates hundreds of TCP Previous Segment Lost and TCP ACKed Lost
Segment warnings. This is reflected both within the decode window on the
packet Info as well as in the Expert Info dialog boxes. A cursory review
of the TCP data seems to confirm that the sequence numbers are
correct.
I have found that going into preferences and toggling (both
on-to-off and off-to-on) Relative Sequence Number and Window Scaling removes
the expert info warnings. Reopening the file recreates the warnings
until toggling again.
I also found that saving an affected TCP stream out of the
capture into its own cap file will cause Wireshark not to issue the
warnings.
The capture does include the initial three way handshake of
the TCP stream in question. I have no reason to think any packets are
not being captured, and the capture is being taken on a dedicated sniffer box
with dedicated sniffing NICs on a mirrored switchport. The complete
capture is around 8MB. I am using Wireshark 1.2.5 (SVN Rev
31296).
Are there any bugs related to this? Any other helpful
suggestions?
Thanks,
Sean
