Ethereal-dev: Re: [Ethereal-dev] TCP reassembly retransmission/overlap flags

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Ronnie Sahlberg" <sahlberg@xxxxxxxxxxxxxxxx>
Date: Tue, 23 Jul 2002 18:38:48 +1000

Ok.
I have given it some thought and unless Joerg wants to do this himself I
can set aside the other project ideas for a while and rewrite my first test
implementation I posted earlier to be a proper implementation.

Something like two options:
1, TCP SEQ/ACK stateful analysis
2, Use relative SEQ numbers (requires 1)

1,
The SEQ/ACK analysis would keep state for every conversation for all unacked
segments in the window, and whenever a segment that is out of order is seen
it would prepend
"[Out of order TCP]" if the segment is right of the current right edge and
"[Retransmitted TCP]" if the segment is left of the right edge.
Every time the left edge of the window would advance due to an ACK
this would also add the following two new fields in the TCP tree pane:
    ACKs segment in frame: 57
    RTT from segment in frame 57: 0.0237 seconds

2,
This option is obvious: if possible, it translates the SEQ numbers to ones
relative to the start of the conversation.
This would either be based on when Ethereal saw the SYN packets or when
Ethereal saw the first available packet in the conversation.

As always, these options would need state, consume lots of memory and be
disabled by default.
(One more step for Ethereal into real good stateful analysis and away from
stateless network monitoring or capture ability.)

Give me a day or two to see what I can come up with.
I don't plan initially to even try to do anything about SACK. It could
possibly be added at a later time by someone motivated enough or someone
that can motivate me to do it.


Until that time the options for Joerg and others are either to use the patch
in my previous post (which should NOT go in CVS) or perhaps the TCP Stream
Analysis/RTT Graph

----- Original Message -----
From: "Guy Harris"
Sent: Tuesday, July 23, 2002 6:16 AM
Subject: Re: [Ethereal-dev] TCP reassembly retransmission/overlap flags


> On Tue, Jul 23, 2002 at 05:38:56AM +1000, Ronnie Sahlberg wrote:
> > It basically offers an option you can enable and which will remember state
> > for each TCP conversation
>
> That could also allow Ethereal to display relative sequence numbers for
> TCP segments (that's what tcpdump does by default; the "-S" flag makes
> it display the absolute sequence number that appears in the packet -
> note that without "-S", tcpdump can run out of memory when dissecting,
> say, a trace of an attack by somebody spewing SYNs, so there are reasons
> why you might want to disable the option in Ethereal/Tethereal in some
> cases).
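
Added example (not part of the original thread and not Ethereal's code): a sketch of the per-conversation SEQ/ACK state proposed above, covering relative SEQ numbers, the two labels, and the "ACKs segment in frame / RTT" fields. The names `Flow`, `seq_diff` and `MAX_UNACKED` are hypothetical, and the cap on tracked segments is an assumption that reflects the memory concern raised in the quoted reply.

```python
from dataclasses import dataclass, field

MAX_UNACKED = 1024  # assumed cap on tracked segments, so state stays bounded


def seq_diff(a, b):
    """Signed distance a - b in 32-bit sequence space (survives wraparound)."""
    return ((a - b + 0x80000000) & 0xFFFFFFFF) - 0x80000000


@dataclass
class Flow:
    """State for one direction of one TCP conversation (hypothetical names)."""
    base_seq: int = None    # first SEQ seen; relative SEQ = seq - base_seq
    right_edge: int = None  # highest seq + len seen so far
    unacked: list = field(default_factory=list)  # (frame, end_seq, time)

    def segment(self, frame, time, seq, length):
        """Record a segment; return (relative_seq, label)."""
        if self.base_seq is None:
            self.base_seq = self.right_edge = seq
        rel = (seq - self.base_seq) & 0xFFFFFFFF
        if length == 0:                      # pure ACK: nothing to classify
            return rel, ""
        d = seq_diff(seq, self.right_edge)
        end = (seq + length) & 0xFFFFFFFF
        if seq_diff(end, self.right_edge) > 0:
            self.right_edge = end            # window's right edge advances
        if d < 0:
            return rel, "[Retransmitted TCP]"
        if len(self.unacked) < MAX_UNACKED:  # only first transmissions are timed
            self.unacked.append((frame, end, time))
        return rel, "[Out of order TCP]" if d > 0 else ""

    def ack(self, time, ack_no):
        """Apply the peer's ACK; return (acked_frame, rtt_seconds) or None."""
        covered = [s for s in self.unacked if seq_diff(ack_no, s[1]) >= 0]
        if not covered:
            return None
        self.unacked = [s for s in self.unacked if seq_diff(ack_no, s[1]) < 0]
        frame, _, sent = covered[-1]         # newest segment this ACK covers
        return frame, round(time - sent, 6)


if __name__ == "__main__":
    f = Flow()  # constructed segments; the first SEQ sits just below the wrap
    print(f.segment(56, 0.000, 0xFFFFFF00, 256))
    print(f.segment(57, 0.010, 0x00000000, 256))
    print(f.ack(0.0337, 256))
```

With only a right edge tracked, a segment that later fills a gap is labelled as a retransmission, and a capture that never sees the SYN takes its base from the first packet available.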