What is the best way to find out what is causing TCP acked unseen segment.

edit

TCP Acked Unseen segment is Wiresharks way of informing you that in the capture you see ACKs for packets that were not seen by Wireshark i.e. they are not in the capture, but the data has been received by the sender of the ACKs.

The typical cause for this is a poor capture. I'd guess that the server where you're capturing is not capable of capturing all packets to/from the server.

Provided you can do the capture yourself, you can try to use capture filters, packet truncation or other ways of lowering the amount of data you must capture.

Then I'm sure these false positives will disappear.

I have brand new experience what this may mean alike - a server responds over different interface than one would expect/desire.

Imagine you have 2 subnets. X and Y. Client is on the Y, our VMWARE ESXI server on both due to vmkernel NICs on each. Client tries to reach server on its X address (instead of directly at Y), however server responds, due to flat routing stack, over its Y interface because client (flow source IP@) is right there ==> routing asymmetry. Simply only explanation to me how it detects and displays that message is that TCP SYN-ACK response comes from different MAC@ than initial SYN has as destination (Y subnet gateway).

We came to this by accident of one guy doing GUI HTTPS access, my central wireshark and even vmk0 (X subnet) dumps showing just cycles of client's SYN and RST packets, then finally client's wireshark showed this "unseen" segment and tracing back MAC@ withing infra got us to vmk1 server interface. Rather logical behavior, routers do exhibit the same. Easiest solution for guy was to access ESXI directly for Y subnet and fix our DNS infra with both IPs for ESXI server so DNS response would fit anybody accessing the server by name.