[Jeff Morriss <jeff.morriss@xxxxxxxxxxx>]

Michael Tuexen wrote:
> Yes, you are right. I mixed the stuff up. So the right place would be  
> the dissector.
>
> Jeff, so do you think that it would be useful?

Yes, in fact that's exactly what I am looking for...  I have a capture 
file with so many retransmissions and duplicate SACKs that it makes my 
head spin--especially when I try to sort out the mess.  (Of course, it 
also made Ethereal crash in the TSN graph stuff--thus bug #280.  ;-))

Regarding your (Michael's) multi-homing question: I agree that this 
could be an issue, but analyzing at least what's in the capture file we 
have would be a start.  And by using Linux (capture on "all" devices) or 
'mergecap' we can get all the packets in one file for analysis if 
need-be.  This assumes, of course, that the analysis stuff could/would 
track the associations by Vtag and not just by the IP addresses in the 
current packet.

Regards,
-Jeff

> > Michael Tuexen wrote:
> >
> >
> > > But I think (maybe I'm wrong) is that the sequence number  analysis  
> > > was developed earlier than the tap stuff.
> > > And the other thing is that the sequence number stuff is not link   
> > > layer independent like it would be it
> > > it done via taps.
> >
> > To which sequence number analysis are you referring?
> >
> > I was referring to the analysis the results of which show up in the  
> > protocol tree, which is the one that detects retransmissions,  
> > duplicate ACKs, etc.; that code is link-layer independent, as it's  
> > done in the dissector.
> >
> > It sounds as if you're talking about the TCP graphs, which aren't  
> > link-layer independent (and which should be redone as a tap to make  
> > it link-layer independent).