Ethereal-dev: Re: [Ethereal-dev] TCP reassembly retransmission/overlap flags

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: "Ronnie Sahlberg" <sahlberg@xxxxxxxxxxxxxxxx>
Date: Tue, 23 Jul 2002 05:38:56 +1000
Hi,

You can find retransmissions by looking at the Tools/TCP Stream Analysis
and study how the sequence numbers change.
Its not a good solution to spot retransmissions but its better than nothing.


I have attached a small patch I started working on a week ago but never got
time to finish which will
flag retransmitted TCP segments with "[Retransmitted TCP]" in the info
column as well as setting a boolean
you can search for in the display filters. You can look at that one.

It basically offers an option you can enable and which will remember state
for each TCP conversation on
which was the highest seen sequence number in each direction and when a new
segment is seen with a
lower sequence number that has previously been seen it will flag it as a
retransmission.
There are at least two things that must be added before it can be ready for
CVS:
1, it does not handle sequence number wrap yet.
2, it SHOULD also remember the frame number and timestamp for the packets so
it can compare it with
the ACKs in the other directionso it can also display a rudimentary RTT
number for the segments.

---
1 should be fairly easy to fix.
2 is a bit more work since it would require not only remembering the right
edge of the window for all conversations but ALL unacked segments in the
window. I.e instead of currently only remembering the right edge
we must keep alist of all unacked segments with timestamps between left and
right edge of the window.

2 is definitely the way to go since this gives us not only detection of
retramsnissions but also much more
useful data like RTT for the TCP session. 2 would also give us the ability
to filter on things like
"unusual" spikes in the TCP RTT which would be very useful.

something like this in the tree pane:
This segment was ACKed in frame: 57
RTT until this segment was ACKed was: 0.00346345 seconds


My personal opinion is that the patch should not go in until it can do 2.


Please feel free to test and build on the patch if you want to. I wont have
time myself to refine it
for quite some time. If you can add 2 to it, you are a hero.

best regards
    ronnie sahlberg


----- Original Message -----
From: "Joerg Mayer"
Sent: Monday, July 22, 2002 8:12 PM
Subject: [Ethereal-dev] TCP reassembly retransmission/overlap flags


> Hello,
>
> I need to detect retransmissions in TCP streams. It doesn't look like
> they are currently detected in a manner filterable by the user. Any ideas
> what I need to do to implement it?
>
>  thanks
>            JÖrg
> --

Attachment: tcp-retransmission.diff
Description: Binary data