Ethereal-users: Re: [Ethereal-users] out of order packets

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "ronnie sahlberg" <ronniesahlberg@xxxxxxxxx>
Date: Fri, 19 May 2006 09:56:53 +1000
The heuristics to determine whether a packet is out-of-order or a fast retransmission are a bit too aggressive for the fast-retrans case.

    /* If there were >=1 duplicate ACKs in the reverse direction
     * (there might be duplicate acks missing from the trace)
     * and if this sequence number matches those ACKs
     * and if the packet occurs within 20ms of the last
     * duplicate ack
     * then this is a fast retransmission
     */
    t=(pinfo->fd->abs_ts.secs-tcpd->rev->lastacktime.secs)*1000000000;
    t=t+(pinfo->fd->abs_ts.nsecs)-tcpd->rev->lastacktime.nsecs;
    if( tcpd->rev->dupacknum>=1
    &&  tcpd->rev->lastack==seq
    &&  t<20000000 ){

Changing the test to
                           if( tcpd->rev->dupacknum>=2

should do the trick.


On 5/19/06, Peter Bruno <brunopeter2001@xxxxxxxxx> wrote:
Further details:  running version 0.99.0 and WinPcap
version 4.0 alpha1 (same behavior with previous
version (non-Beta) of WinPcap).

1) A -> B [TCP Previous segment lost] Continuation or non-HTTP traffic
2) A <- B [TCP Dup ACK] SLE=### SRE=###
3) A -> B [TCP Fast Retransmission] [TCP segment of a reassembled PDU]

Peter

Peter Bruno wrote:
> If packets are received out of order (determined by
> looking at the IP Identification),

Or, presumably, by looking at the TCP sequence
number...

> they are flagged as
> 'TCP Previous segment lost' and then the next packet
> as 'TCP Fast Retransmission'.
>
> Is it possible to disable this part of the TCP
> analysis without having to turn off all analysis?

Not as far as I know - but the TCP analysis should handle OOO packets
correctly.  For example, "TCP Previous segment lost" should perhaps be
"TCP Previous segment lost or out of order".

Ronnie, when did the rewritten TCP analysis go in, and did it fix these
problems?

_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users
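
The fast-retransmission test discussed at the top of this message, as an added example that is not part of the original post or of Ethereal's source: it applies the same three conditions with the duplicate-ACK threshold as a parameter, so the reported three-packet trace can be compared under >=1 and >=2. The struct, function names, sequence numbers and timestamps are hypothetical, constructed values.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the reverse-flow state that the quoted
 * fragment reads via tcpd->rev; not Ethereal's real structures. */
struct rev_state {
    uint32_t lastack;        /* last ACK number seen in the reverse direction */
    uint32_t dupacknum;      /* duplicate ACKs counted for that ACK number */
    int64_t  lastack_secs;   /* capture time of the last duplicate ACK */
    int32_t  lastack_nsecs;
};

enum verdict { NOT_FAST_RETRANS = 0, FAST_RETRANS = 1 };

/* Same three conditions as the quoted test, with the duplicate-ACK
 * threshold passed in so that 1 and 2 can be compared side by side. */
enum verdict classify(const struct rev_state *rev, uint32_t seq,
                      int64_t secs, int32_t nsecs, uint32_t min_dupacks)
{
    /* 64-bit arithmetic so the seconds difference cannot overflow */
    int64_t t = (secs - rev->lastack_secs) * INT64_C(1000000000)
              + nsecs - rev->lastack_nsecs;
    if (rev->dupacknum >= min_dupacks && rev->lastack == seq && t < 20000000)
        return FAST_RETRANS;
    return NOT_FAST_RETRANS;
}

/* Constructed trace shaped like the report: a gap, one Dup ACK from B,
 * then the late (reordered) segment from A arriving 2 ms afterwards. */
int reorder_case(uint32_t min_dupacks)
{
    struct rev_state rev = { 1000, 1, 10, 500000000 };
    return classify(&rev, 1000, 10, 502000000, min_dupacks);
}

/* Constructed trace: three duplicate ACKs seen, segment resent 5 ms later. */
int loss_case(uint32_t min_dupacks)
{
    struct rev_state rev = { 1000, 3, 10, 500000000 };
    return classify(&rev, 1000, 10, 505000000, min_dupacks);
}

int main(void)
{
    printf("reordered, >=1: %d  >=2: %d\n", reorder_case(1), reorder_case(2));
    printf("real loss, >=1: %d  >=2: %d\n", loss_case(1), loss_case(2));
    return 0;
}
```

With a threshold of 1 the single Dup ACK is enough to label the reordered segment a fast retransmission; with 2 it is not, while the three-Dup-ACK case is still labelled either way.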
