Revision history  [back]

The TCP analysis "error" message TCP ACKed unseen segment means Wireshark saw an ACK for a data segment that it did not see. And TCP Previous segment not captured means it sees a data segment that does not neatly come after the previously seen data segment.

As Wireshark is not one of the endpoints, there can be packets missing in the data stream towards Wireshark, even though the two endpoints do get to see all the packets. This is the case in your tracefile. You can deduct this from the fact that there are no retransmissions of the segments that are not seen by Wireshark. If one of the endpoints was missing the segments, it would send duplicate acks and the sender would retransmit.

So, something in your capture setup is not functioning well. From the capture file properties, I see no "Packet discards", this means all the packets that were received and filtered by WinPcap/Npcap were written to disk. So there was no disk IO problem that prevented part of the packet stream to be saved to disk.

Then you have a capture filter applied even though you stated there were no other systems on the network. This is a little contradictory. Why use a capture filter if there are no other systems on the network. My guess is that there were indeed other systems and the capture port might have been overloaded (please remember that mirroring one 1Gbit/s port full-duplex may result in a 2 Gbit/s data stream to the analyser port, which will start discarding packets). I see you used a SharkTap. I just lookup up their specs and there are several models. The USB model will limit data-transfers to the host to about 300-400 Mbit/s. So maybe the TAP was overloaded? Please be aware that the BPF capture filtering takes place on the capturing host, not on the TAP.

Can you please describe you capture setup, all other systems on the network, etc in more detail if the above information does not provide enough info to solve your capture issue?