https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5132
Summary: TCP bytes_in flight becomes inflated with lost packets
Product: Wireshark
Version: 1.5.x (Experimental)
Platform: Other
OS/Version: Windows XP
Status: NEW
Severity: Normal
Priority: Medium
Component: Wireshark
AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
ReportedBy: turney_cal@xxxxxxx
Created an attachment (id=5081)
--> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=5081)
Screenshot of example: In frame 291 BiF inflates to 186296
Build Information:
Version 1.5.0
Copyright 1998-2010 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled with GTK+ 2.16.6, (32-bit) with GLib 2.22.4, with WinPcap (version
unknown), with libz 1.2.3, without POSIX capabilities, without libpcre, with SMI
0.4.8, with c-ares 1.7.1, with Lua 5.1, without Python, with GnuTLS 2.8.5, with
Gcrypt 1.4.5, with MIT Kerberos, with GeoIP, with PortAudio V19-devel (built Aug
19 2010), with AirPcap.
Running on Windows XP Service Pack 3, build 2600, with WinPcap version 4.1.2
(packet.dll version 4.1.0.2001), based on libpcap version 1.0 branch 1_0_rel0b
(20091008), GnuTLS 2.8.5, Gcrypt 1.4.5, without AirPcap.
Built using Microsoft Visual C++ 9.0 build 30729
--
When packets are lost (missing) from the capture file, the TCP bytes_in_flight
(tcp.analysis.bytes_in_flight) can become grossly inflated, which skews the
calculation of the AVG BiF and MAX BiF in tshark (-z io,stat).
These BiF stats are crucial in the calculation of the congestion point (i.e.,
the average amount of outstanding data at which packet loss tends to occur).
Knowledge of the congestion point can be useful in the mitigation of packet
loss caused by buffer overflows on the network in that the receiver's TCP
window size can be reduced just below that point. In some cases the presence
of a fixed congestion point can be indicative of QoS in the network path.
In the attached screenshot, the BiF inflates to 186296, which is bogus because
those missing frames were very likely to have included several ACKs which would
have greatly reduced the BiF. Bear in mind that the two TCP flows (fwd and
rev) are merged before being saved to disk; consequently, if the capture device
is unable to save all the traffic, both directions of the traffic are lost.
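The effect described in this report, as an added example that is not Wireshark's code and not part of the original report: a simplified bytes-in-flight model (highest seq+len sent minus highest ACK captured) run over a constructed trace with frames 5-9 missing, marking samples taken across a capture gap so they can be left out of the AVG/MAX statistics. The names `Seg`, `bytes_in_flight`, `avg_max` and `TRACE` are hypothetical; the model assumes relative sequence numbers and ignores wraparound, SACK and retransmissions.

```python
from dataclasses import dataclass

@dataclass
class Seg:
    frame: int
    sender: str      # "A" or "B"
    seq: int         # relative sequence number
    length: int      # TCP payload bytes
    ack: int         # relative acknowledgment number

def bytes_in_flight(segments):
    """Return (frame, bif, suspect) for every data segment.

    bif     = highest seq+len sent minus highest ACK captured from the peer.
    suspect = a hole in the sender's sequence space was seen (frames missing
              from the capture) and no captured ACK has covered it yet.
    """
    next_seq, last_ack, hole_end, out = {}, {}, {}, []
    for s in segments:
        peer = "B" if s.sender == "A" else "A"
        # The ACK field acknowledges the peer's data.
        last_ack[peer] = max(last_ack.get(peer, s.ack), s.ack)
        if peer in hole_end and last_ack[peer] >= hole_end[peer]:
            del hole_end[peer]           # a captured ACK caught up past the hole
        if s.length == 0:
            continue                     # pure ACK: no BiF sample
        last_ack.setdefault(s.sender, s.seq)
        expected = next_seq.get(s.sender, s.seq)
        if s.seq > expected:             # previous segment(s) not captured
            hole_end[s.sender] = s.seq
        next_seq[s.sender] = max(expected, s.seq + s.length)
        out.append((s.frame, next_seq[s.sender] - last_ack[s.sender],
                    s.sender in hole_end))
    return out

def avg_max(samples, trusted_only=False):
    """AVG and MAX BiF, optionally skipping samples taken across a gap."""
    vals = [b for _, b, suspect in samples if not (trusted_only and suspect)]
    return sum(vals) / len(vals), max(vals)

# Constructed trace: frames 5-9 (data and ACKs, both directions) were not captured.
TRACE = [
    Seg(1, "A", 1, 1460, 1), Seg(2, "A", 1461, 1460, 1),
    Seg(3, "B", 1, 0, 2921), Seg(4, "A", 2921, 1460, 1),
    Seg(10, "A", 18981, 1460, 1),
    Seg(11, "B", 1, 0, 18981), Seg(12, "A", 20441, 1460, 1),
]
SAMPLES = bytes_in_flight(TRACE)
```

In this trace the frame 10 sample is computed against the last ACK captured before the gap, which is what inflates both the average and the maximum.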