TCP previous segment lost

Question

From this tcpdump&nbsp;
 &nbsp;
12.12.12.12 is ip client , 100.100.100.13 is ip Virtual server &nbsp;
 &nbsp;
12.12.12.12   100.100.100.13      TCP 66          4204 &gt; http [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM=1&nbsp;
100.100.100.13   12.12.12.12     TCP 66          http &gt; 4204 [SYN, ACK] Seq=0 Ack=1 Win=4380 Len=0 MSS=1460 SACK_PERM=1&nbsp;
12.12.12.12   100.100.100.13     TCP 64         4204 &gt; http [ACK] Seq=1 Ack=1 Win=65535 Len=0&nbsp;
12.12.12.12    100.100.100.13     HTTP 124             POST /WSCDS/services/WSCDS?wsdl HTTP/1.1 [Packet size limited during capture]&nbsp;
12.12.12.12    100.100.100.13     HTTP 124           [TCP Previous segment lost] Continuation or non-HTTP traffic[Packet size limited during capture]&nbsp;
100.100.100.13   12.12.12.12     TCP 60           [TCP ACKed lost segment] http &gt; 4204 [ACK] Seq=1 Ack=2049 Win=6428 Len=0&nbsp;
12.12.12.12    100.100.100.13     HTTP 124        Continuation or non-HTTP traffic[Packet size limited during capture]&nbsp;
100.100.100.13   12.12.12.12    TCP 60             [TCP ACKed lost segment] http &gt; 4204 [ACK] Seq=1 Ack=2479 Win=6858 Len=0&nbsp;
 &nbsp;
what the meaning  and  what cause of TCP Previous segment lost ?&nbsp;
 &nbsp;
thank you&nbsp;

nitass · Answer

what the meaning  and  what cause of TCP Previous segment lost ?TCP Analyze Sequence Numbers 
&nbsp; http://wiki.wireshark.org/TCP_Analyze_Sequence_Numbers

kridsana · Answer

yeah ,and from tcpdump above.  Problem is shown TCP previous segment lost but not retransmit.  
&nbsp; can i send you tcpdump file or would you see it in websupport?

giltjr · Answer

Was this at the beginning/start of a capture?  Wireshark will mark a segment as missing if it receives a ACK for something it did not see.  This is a common occurrence when first staring a tcpdump. 
&nbsp;  
&nbsp; Packet is sent  
&nbsp; tcpdump is started 
&nbsp; ACK is seen.

kridsana · Answer

Was this at the beginning/start of a capture? Wireshark will mark a segment as missing if it receives a ACK for something it did not see. This is a common occurrence when first staring a tcpdump. 
&nbsp;   
&nbsp;  
&nbsp; no, it's just begining of tcp stream , handshake + send packet.  and wireshark mark previous segment lost when a packet arrives with a sequence number greater than the "next expected sequence number" on that connection. but no retransmit happen.

giltjr · Answer

Was the tcpdump done on the F5?  If so do you have LACP setup on a couple interfaces?  Did you run tcpdump capturing both interfaces? 
&nbsp;  
&nbsp; I am assuming that the F5 is not so busy that it might be dropping packets during the capture. &nbsp;

Forum Discussion

TCP previous segment lost

5 Replies

Jonathan - March 2026 Featured Member

F5 AppWorld 2026 Las Vegas - iRules Contest Winners!

2026 F5 DevCentral MVP Announcement

Recent Discussions

ASM/AWAF declarative policy

F5 DNS Logs in JSON Format

Geo location update

Help with an iRule to disconnect active connections to Pool Members that are "offline"

block a specific user

Related Content

Simplify Network Segmentation for Hybrid Cloud

Simplifying and Securing Network Segmentation with F5 Distributed Cloud and Nutanix Flow

Network segmentation in an AWS VPC

F5 BIG-IP Bot Defense - Previous Request and Follow Up Request

Lost in Translation...in Italy

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS