Wireshark-users: Re: [Wireshark-users] ACKed segment that wasn't captured
From: Peter Wu <peter@xxxxxxxxxxxxx>
Date: Tue, 17 Jul 2018 11:24:45 +0200
Hi Luke,

On Fri, Jun 01, 2018 at 02:47:06AM +0000, luke devon via Wireshark-users wrote:
> While analysing the captured pcap in wireshark, I have found significant occurrences of following messages. There are no extra hops in between the switch and particular server where I am capturing the traces using dumpcap. As I checked, I don’t see any packet TX/RX failures in the server’s network interfaces.
> 
> May I know what could be the root cause and how can I fix it?
> 
> ACKed segment that wasn't captured (common at capture start)
> Previous segment(s) not captured (common at capture start)

This message could occur for several reasons:

- A capture was started while a connection was already established. Fix:
  start a capture before opening the application/connection.

- The capture device could not keep up with the number of packets and
  started dropping packets. This is not the same as TX/RX issues.
  Packets could still be transmitted/received fine, but dropped during
  the live capture. You can try to set capture filters (e.g. "port 53")
  for the traffic you are interested in.

- If the packets go through the public Internet, packet reordering might
  occur. You'll likely see "Out-of-Order" or "Retransmission" notes
  following the affected segments. There is not much to do from a
  network POV, this is pretty common. If you are analyzing application
  layer traffic, note that such behavior might break reassembly. In the
  next version of Wireshark (2.9/3.x), there will be a TCP preference
  that can be enabled to enable reassembly:
  https://www.wireshark.org/docs/wsug_html_chunked/ChAdvReassemblySection.html#ChAdvReassemblyTcp

When troubleshooting, it can be beneficial to add a column for
"tcp.stream" (or just apply a display filter for it). That way, you can
focus on one connection. E.g. the first reason above should only be
visible at the beginning of a stream and should not occur later in a stream.

Hope it helps.
-- 
Kind regards,
Peter Wu
https://lekensteyn.nl
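
The per-stream triage described in the reply, as an added example that is not part of the original message and is not Wireshark's implementation: a simplified sequence tracker that flags both notes and separates "capture started mid-connection" from gaps later in a stream. The record layout, the endpoint names A/B, the `START_WINDOW` threshold and the lack of sequence wraparound handling are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample records: (tcp.stream, sender, seq, length, ack, syn)
SEGMENTS = [
    (0, "A", 0, 0, 0, True),        # stream 0: handshake was captured
    (0, "B", 0, 0, 1, True),
    (0, "A", 1, 100, 1, False),
    (0, "B", 1, 0, 101, False),
    (0, "A", 301, 100, 1, False),   # bytes 101..300 never appear in the capture
    (0, "B", 1, 0, 401, False),
    (1, "A", 5000, 0, 900, False),  # stream 1: no SYN, capture joined late
    (1, "B", 900, 0, 5200, False),  # acknowledges data the capture never saw
]

START_WINDOW = 3  # assumption: "beginning of a stream" means its first 3 packets


def triage(segments):
    """Return (stream, position, note, likely_cause) for every flagged segment."""
    next_seq = {}                   # (stream, sender) -> next expected sequence number
    syn_seen = defaultdict(bool)    # stream -> handshake observed in the capture
    count = defaultdict(int)        # stream -> packets seen so far
    findings = []
    for stream, src, seq, length, ack, syn in segments:
        peer = "B" if src == "A" else "A"
        pos = count[stream]
        count[stream] += 1
        syn_seen[stream] |= syn
        notes = []
        expected = next_seq.get((stream, src))
        if expected is not None and seq > expected:
            notes.append("Previous segment(s) not captured")
        peer_next = next_seq.get((stream, peer))
        if peer_next is not None and ack > peer_next:
            notes.append("ACKed segment that wasn't captured")
            next_seq[(stream, peer)] = ack   # avoid re-flagging the same gap
        # A SYN consumes one sequence number.
        next_seq[(stream, src)] = max(expected or 0, seq + length + (1 if syn else 0))
        early = pos < START_WINDOW and not syn_seen[stream]
        cause = "capture started mid-connection" if early else "packets missing mid-stream"
        findings += [(stream, pos, note, cause) for note in notes]
    return findings


if __name__ == "__main__":
    for finding in triage(SEGMENTS):
        print(finding)
```

Findings with the mid-stream cause are the ones worth following up with a capture filter or a check of the capture tool's drop counters; the early ones go away when the capture starts before the connection opens.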