Ethereal-users: [Ethereal-users] TCP Sequence Analyzer bug?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: ian_willumsen <ian_willumsen@xxxxxxxxxxxxxxx>
Date: Thu, 13 Mar 2003 14:08:57 -0700

Hi folks,

Downloaded Ethereal 9.11 for NT today and started working with the TCP sequence analyzer.

Let’s say you have 2 TCP frames, and the first frame has some data, and the TCP Flags are FIN, PUSH and ACK in this frame. The second frame, being the ACKed reply, has got the TCP analyzer code confused. The Sequence Analyzer doesn’t add the FIN into the byte count, so it is off by one and then declares “TCP ACKed lost segment?”. It looks like the code may be looking for the flag byte to be equal to a value, not looking at the binary value for FIN itself.

This may be considered normal behaviour (I’ll have to consult Stevens), but each TCP RST frame is declared “Zero Window” and “duplicate ACK”. It is true that the TCP window size is zero, and that the previous ACKed bytes is the same as this one. However, if you are looking for issues in a particular TCP session, then this becomes noise. Instead of the display filter:

“tcp.analysis.zero_window”

you would need to use:

“tcp.analysis.zero_window && tcp.flags.reset != 1”

And the same kinda thing with duplicate ACK.

Anyone else notice this?

Thanks,

Ian Willumsen
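
The accounting described in the message, as an added example that is not part of the original post and is not Ethereal's code: a FIN consumes one sequence number, so a segment with FIN, PUSH and ACK set is only counted correctly when FIN is tested as a bit. The `struct seg` record, the function names and the sample values are assumptions made for illustration, and `next_seq_equal` models the poster's guess about the cause, not confirmed analyzer code.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_PUSH 0x08
#define TH_ACK  0x10

/* Hypothetical minimal segment record for this example. */
struct seg { uint32_t seq, ack; uint16_t window, payload_len; uint8_t flags; };

/* Constructed sample: 100 data bytes with FIN|PUSH|ACK, the peer's ACK, then a RST. */
static const struct seg data_fin = {1000, 500, 8192, 100, TH_FIN | TH_PUSH | TH_ACK};
static const struct seg reply    = {500, 1101, 8192, 0, TH_ACK};
static const struct seg reset    = {500, 1101, 0, 0, TH_RST | TH_ACK};

/* Next expected sequence number: payload plus one each for SYN and FIN (bit-mask tests). */
uint32_t next_seq_mask(const struct seg *s)
{
    return s->seq + s->payload_len + !!(s->flags & TH_SYN) + !!(s->flags & TH_FIN);
}

/* Assumed flawed variant: whole-byte comparison, so FIN|PUSH|ACK matches no pattern. */
uint32_t next_seq_equal(const struct seg *s)
{
    bool syn = s->flags == TH_SYN || s->flags == (TH_SYN | TH_ACK);
    bool fin = s->flags == TH_FIN || s->flags == (TH_FIN | TH_ACK);
    return s->seq + s->payload_len + syn + fin;
}

/* True when an ACK covers sequence space not yet seen from the peer (wrap-safe). */
bool acked_unseen(const struct seg *r, uint32_t peer_next)
{
    return (int32_t)(r->ack - peer_next) > 0;
}

/* Zero-window check that skips RST segments, like the second display filter. */
bool zero_window(const struct seg *s)
{
    return s->window == 0 && !(s->flags & TH_RST);
}

int main(void)
{
    printf("lost(mask)=%d lost(equal)=%d\n", acked_unseen(&reply, next_seq_mask(&data_fin)),
           acked_unseen(&reply, next_seq_equal(&data_fin)));
    return 0;
}
```

With the whole-byte comparison the expected next sequence number comes out one short, so the peer's valid ACK of 1101 appears to acknowledge a byte that was never seen.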