Ethereal-users: Re: [Ethereal-users] TCP Sequence Analyzer bug?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Ronnie Sahlberg" <ronnie_sahlberg@xxxxxxxxxxxxxx>
Date: Sat, 15 Mar 2003 08:45:21 +1100
Hi,

Can you send a capture that shows this behaviour and I can look into the
analysis to look at a proper fix.


----- Original Message -----
From: ian_willumsen
To: ethereal-users@xxxxxxxxxxxx
Sent: Friday, March 14, 2003 8:08 AM
Subject: [Ethereal-users] TCP Sequence Analyzer bug?


Hi folks,

Downloaded Ethereal 9.11 for NT today and started working with the TCP
sequence analyzer.

Let's say you have 2 TCP frames, and the first frame has some data, and the
TCP Flags are FIN, PUSH and ACK in this frame.  The second frame, being the
ACKed reply, has got the TCP analyzer code confused.  The Sequence
Analyzer doesn't add the FIN into the byte count, so it is off by one and then
declares "TCP ACKed lost segment?".  It looks like the code may be looking
for the flag byte to be equal to a value, not looking at the binary value for
FIN itself.

This may be considered normal behaviour (I'll have to consult Stevens), but
each TCP RST frame is declared "Zero Window" and "duplicate ACK".  It is
true that the TCP window size is zero, and that the previously ACKed bytes are
the same as this one.  However, if you are looking for issues in a
particular TCP session, then this becomes noise.  Instead of the display
filter:

"Tcp.analysis.zero_window"

you would need to use:

"Tcp.analysis.zero_window && tcp.flags.reset != 1"

And the same kinda thing with duplicate ACK.

Anyone else notice this?

Thanks,
Ian Willumsen
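The two behaviours Ian describes, the FIN that must be counted as one byte of sequence space and the RST frames that get tagged "Zero Window" and "duplicate ACK", can be reproduced with a toy per-direction sequence tracker. The following is an added example written for this archive page; it is not Ethereal's own analysis code, and the frames, endpoint names ("A", "B"), sequence numbers and the simplified flagging rules are all constructed for the illustration. The `count_fin` switch reproduces the off-by-one, and `skip_rst` shows what suppressing the RST noise at analysis time (rather than in the display filter) looks like.

```python
"""Constructed example: a toy per-direction TCP analyzer (not Ethereal's code).

Point 1: SYN and FIN each consume one sequence number, so the expected next
sequence number must include them, or the peer's ACK of a FIN+data segment
looks like it acknowledges a byte that was never seen ("ACKed lost segment").
Point 2: an RST with window 0 is not a useful "zero window" / "duplicate ACK"
event, so those checks can be skipped on RST segments.
"""
from dataclasses import dataclass, field

# TCP flag bits (low byte of the flags field)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass
class Segment:
    src: str          # sending endpoint, e.g. "A" (constructed label)
    dst: str          # receiving endpoint
    seq: int
    ack: int
    window: int
    flags: int        # bitmask of the constants above
    payload_len: int


def seq_consumed(seg: Segment, count_fin: bool = True) -> int:
    """Sequence space used by a segment: payload bytes plus one each for SYN and FIN.

    count_fin=False reproduces the off-by-one from the thread.  The flag is
    tested with a bitwise AND, so FIN is seen even when PSH and ACK are also set.
    """
    n = seg.payload_len
    if seg.flags & SYN:
        n += 1
    if count_fin and seg.flags & FIN:
        n += 1
    return n


@dataclass
class Analyzer:
    count_fin: bool = True
    skip_rst: bool = True
    next_seq: dict = field(default_factory=dict)  # (src, dst) -> expected next seq
    last_ack: dict = field(default_factory=dict)  # (src, dst) -> last ack number sent

    def analyze(self, seg: Segment) -> list:
        """Return the analysis notes for one segment and update per-direction state."""
        notes = []
        fwd, rev = (seg.src, seg.dst), (seg.dst, seg.src)
        has_ack = bool(seg.flags & ACK)

        # Acknowledging beyond what the peer has sent means a segment was missed.
        if has_ack and rev in self.next_seq and seg.ack > self.next_seq[rev]:
            notes.append("ACKed lost segment")

        is_rst = bool(seg.flags & RST)
        if not (self.skip_rst and is_rst):
            if seg.window == 0 and not seg.flags & (SYN | FIN):
                notes.append("zero window")
            pure_ack = has_ack and seg.payload_len == 0 and not seg.flags & (SYN | FIN)
            if pure_ack and self.last_ack.get(fwd) == seg.ack:
                notes.append("duplicate ACK")

        if has_ack:
            self.last_ack[fwd] = seg.ack
        self.next_seq[fwd] = seg.seq + seq_consumed(seg, self.count_fin)
        return notes


def run_scenarios(count_fin: bool, skip_rst: bool) -> dict:
    """Feed the two situations from the thread through the analyzer.

    Returns the notes attached to B's ACK of the FIN+data frame ("fin_ack")
    and to B's subsequent RST with a zero window ("rst").
    """
    a = Analyzer(count_fin=count_fin, skip_rst=skip_rst)
    # Frame 1 (constructed): A sends 100 bytes with FIN, PSH and ACK set.
    a.analyze(Segment("A", "B", seq=1000, ack=5000, window=8192,
                      flags=FIN | PSH | ACK, payload_len=100))
    # Frame 2: B acknowledges the data plus the FIN, i.e. 1000 + 100 + 1 = 1101.
    fin_ack = a.analyze(Segment("B", "A", seq=5000, ack=1101, window=8192,
                                flags=ACK, payload_len=0))
    # Frame 3: B resets the connection; window 0 and the same ack number as before.
    rst = a.analyze(Segment("B", "A", seq=5000, ack=1101, window=0,
                            flags=RST | ACK, payload_len=0))
    return {"fin_ack": fin_ack, "rst": rst}


if __name__ == "__main__":
    print("FIN counted, RST skipped:   ", run_scenarios(True, True))
    print("FIN not counted (the bug):  ", run_scenarios(False, True))
    print("RST not skipped (the noise):", run_scenarios(True, False))
```

With `count_fin=False` the tracker expects the next sequence number to be 1100, so B's correct ACK of 1101 is reported as acknowledging a lost segment, which is exactly the off-by-one in the report; with `skip_rst=False` the RST frame collects both "zero window" and "duplicate ACK", the noise the `tcp.flags.reset != 1` display filter is used to hide.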