Ethereal-dev: Re: [Ethereal-dev] TCP and SCTP sequence analysis code

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Jeff Morriss <jeff.morriss@xxxxxxxxxxx>
Date: Wed, 10 May 2006 18:09:07 +0800

[Resending since my first attempt died a horrible SMTP-server-not-relaying-for-ethereal.com death.]

Hi Michael,

I guess that's true that this goes hand-in-hand with reassembly.  :-)

In terms of finding all the packets, I've usually had 2 cases: 1) where
I'm seeing retransmissions in a single capture file and 2) where I've
got 2 capture files that might have retransmissions.  For (2) I usually
use 'mergecap' to make one file and go from there.  But (1) usually
trips me up more because, when looking at/for higher layer problems, I
tend to skip details like verifying the peer is actually sacking us in a
timely manner--so a color filter would be useful to bring the
retransmissions to my attention.

Regards,
-Jeff

Michael Tuexen wrote:
Hi Jeff,

one of the problems is that you need all packets on the trace. Since SCTP
supports multihoming, this might be more difficult to achieve.

It is also harder to find associations... The graphical analysis tool
does this based on two facts:
1. If it has the INIT and INIT-ACK in the trace, it analyses them and
   uses the IP-addresses (multiple), port numbers and V-Tags.
2. If not all addresses are available (for example, the INIT or
   INIT-ACK has not been seen, it uses the port numbers and V-Tags
   only. The critical point here is that you do not have all information
   in one packet (like in the TCP case) except for the INIT-ACK.

If you want to see how this works, have a look at the code the the
SCTP association analysis tool. It provides really nice graphics which
we use to find retransmissions and so on. You can also filter for associations.

For the experience we made, the above method 2 is very good.

A student of mine is going to implement reassembly for SCTP DATA chunks and
also therefore also needs some way of finding associations, the first step
will be to integrate SCTP in the conversation concept...

After that in place, doing a sequence number analysis and having a tracefile covering all paths should be as hard as for TCP. So it is on the agenda, but
the problem is the time. In the meantime, have a look at the GUI tool. It
really helped us to find a lot of bugs...

Best regards
Michael

On May 4, 2006, at 9:32 AM, Jeff Morriss wrote:


So if I were to ever actually find the time to study the TCP sequence analysis code (which detects retransmissions, associates acks with the acked data, etc.) in the hopes of doing something similar in SCTP, is there anything I should know about the TCP code? Any known deficiencies or things that could be done better?

(Of course I'm probably kidding myself that I'll ever find the time, but I keep getting confused by retransmissions that I didn't notice were retransmissions the first N times I looked at them.)