Wireshark network analysis (study notes 2/16)

A. Summary of Wireshark expert info messages

1. Packet size limited during capture

This message means the whole packet was not captured: only the leading part of the packet was saved, for example only the first 52 bytes of a 100-byte packet. It generally does not happen when capturing directly in Wireshark, but tcpdump's default capture length is 96 bytes, so longer packets are truncated unless the capture length is changed with the -s parameter at capture time. For example, tcpdump -i eth0 -s 1000 -w /tmp/tcpdump.cap captures on network interface eth0, raises the capture length to 1000 bytes with -s, and saves the captured packets to the file /tmp/tcpdump.cap.

2. TCP Previous segment not captured

When Wireshark captures TCP, the data segments sent by one host should be contiguous: the Seq of each segment should equal the Seq + Len of the previous segment from that host. If the captured packets contain a segment whose Seq is greater than the previous segment's Seq + Len, some data in between is missing, and Wireshark issues this message.

3. TCP ACKed unseen segment

This is the most common Wireshark message, and it can usually be ignored. It means Wireshark saw an ACK for a segment that was never captured; in practice this message is often ignored.

4. TCP Out-Of-Order

This message is similar to the second one: data segments from the same host should be contiguous, with each segment's Seq equal to the previous segment's Seq + Len. If a captured segment's Seq is smaller than the previous segment's Seq + Len, the segments arrived out of order.

5. TCP Dup ACK

When packets are lost or reordered, the receiver gets segments whose Seq is larger than it expected. Every such segment makes it send an ACK carrying the Seq it still wants next, to alert the sender, which produces a series of duplicate ACKs. Wireshark marks these as TCP Dup ACK.
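As an added worked example (not part of the original notes), the following applies the Seq/Len bookkeeping behind items 2, 4 and 5 to a small constructed capture; the host names, frame numbers and the Segment type are assumptions made for the example:

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Segment:
    frame: int                 # frame number in the capture
    src: str                   # sending host
    seq: int                   # TCP sequence number
    length: int                # TCP payload length (0 for a pure ACK)
    ack: Optional[int] = None  # acknowledgement number, if the ACK flag is set

def annotate(segments: List[Segment]) -> Dict[int, List[str]]:
    """Per sending host, apply the Seq/Len rules from the notes above and return
    {frame number: [messages]}. Simplification: Wireshark also uses timing to tell a
    retransmission from an out-of-order segment; here any Seq below the expected
    value counts as out-of-order, as the notes describe."""
    notes: Dict[int, List[str]] = {}
    next_seq: Dict[str, int] = {}    # per sender: Seq + Len of the data seen so far
    last_ack: Dict[str, tuple] = {}  # per sender: (last ACK number, repeat count)
    for s in segments:
        found: List[str] = []
        if s.length > 0:             # data segment: check Seq continuity
            expected = next_seq.get(s.src)
            if expected is not None and s.seq > expected:
                found.append("TCP Previous segment not captured")  # hole before this Seq
            elif expected is not None and s.seq < expected:
                found.append("TCP Out-Of-Order")
            next_seq[s.src] = max(expected or 0, s.seq + s.length)
        elif s.ack is not None:      # pure ACK: the same ACK number again is a Dup ACK
            ack, repeats = last_ack.get(s.src, (None, 0))
            repeats = repeats + 1 if s.ack == ack else 0
            if repeats:
                found.append(f"TCP Dup ACK #{repeats}")
            last_ack[s.src] = (s.ack, repeats)
        if found:
            notes[s.frame] = found
    return notes

# Constructed capture: A sends 100-byte segments to B, B replies with pure ACKs. Bytes
# 101..200 from A were never captured (frame 3 jumps to Seq 201), so B keeps acknowledging
# 101 until frame 7 finally brings the missing bytes (which now look out of order).
SAMPLE = [
    Segment(1, "A", seq=1, length=100),
    Segment(2, "B", seq=1, length=0, ack=101),
    Segment(3, "A", seq=201, length=100),
    Segment(4, "B", seq=1, length=0, ack=101),
    Segment(5, "A", seq=301, length=100),
    Segment(6, "B", seq=1, length=0, ack=101),
    Segment(7, "A", seq=101, length=100),
    Segment(8, "B", seq=1, length=0, ack=401),
]
```

Running annotate(SAMPLE) flags frame 3 as "Previous segment not captured", frames 4 and 6 as Dup ACK #1 and #2, and frame 7 as Out-Of-Order; frame 8 carries a new ACK number and gets no message.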

6. To be continued


Origin blog.csdn.net/SDBX_lyp/article/details/104346396