On Thu, Aug 20, 2009 at 12:56:54PM +0200, Michael Tüxen wrote:
> On Aug 20, 2009, at 11:47 AM, Cristian Constantin wrote:
>
> > hi!
> >
> > I am trying to plot the tsns in an association's data flow; anyway the
> > result is not what I expect. here are some details:
> >
> > 0. wireshark on linux/debian:
> >
> > cco@xxx:~$ dpkg -l | grep wireshark
> > ii wireshark 1.2.1-1 network traffic analyzer
> > ii wireshark-common 1.2.1-1 network traffic analyser (common files)
> >
> > 1. flow contains handshake as well.
> > 2. at the receiver I have an iptables rule dropping SACKs and DATA on
> > the input chain. so basically SACKs and DATA chunks arrive, wireshark
> > also sees them, the application not and that is why it is initiating
> > retransmissions.
> > 3. if I enable the TSN analysis from the SCTP protocol menu, it will
> > basically tell me when a CHUNK is retransmitted, that the SACK was also
> > seen aso.
> > 4. I am trying to plot the TSNs to have an overview (using Telephony/
> > SCTP/Analyse this association). it is showing all the TSNs up to the
> > ones that are retransmitted as I have explained at 2. any idea what
> > happens? is there a maximum number of tsns that are shown on the graph?
> No.
>
> Is wireshark seeing the packets at all? Where are you capturing the
> traffic? At the same node where iptables runs? How do iptables and
> capturing interact?

cristian: wireshark sees all the packets; I think the packet capture in the
kernel takes place before the packet hits the iptables INPUT chain.
yes, wireshark is running at the same node where iptables runs; again
it sees the packets which are dropped by iptables (which in this case
contain SACK/DATA chunks).

here is a drawing:

[ node1: appl. ---- INPUT/iptables ---- wireshark ] ========== node2
         ----------DATA--------------------------------->
                    DROPPED <----------SACK/DATA--------
         ----------DATA(retrans)------------------------>
                    DROPPED <----------SACK(retrans)----

there is traffic also before the rule is added to the input chain;
this traffic is plotted; the one shown above not at all...

thanks.
bye now!
cristian
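
An added example, not part of the original thread: a small Python check for the situation in the drawing, where the capture tap records SACKs that the INPUT chain later drops, so DATA is retransmitted even though a covering SACK is visible in the trace. The record layout, the sample values and the function names are assumptions made for illustration; a SACK is reduced to its cumulative TSN ack and gap ack blocks are ignored.

```python
from collections import namedtuple

# One captured chunk as seen by the tap on node1 (hypothetical record layout).
# direction: "out" = node1 -> node2, "in" = node2 -> node1.
# For a SACK, tsn holds the cumulative TSN ack.
Chunk = namedtuple("Chunk", "t direction kind tsn")

# Constructed sample trace, modelled on the drawing in the thread.
CAPTURE = [
    Chunk(0.00, "out", "DATA", 100),
    Chunk(0.01, "in",  "SACK", 100),  # rule not installed yet: processed
    Chunk(0.02, "out", "DATA", 101),
    Chunk(0.03, "in",  "SACK", 101),  # captured, then dropped by INPUT
    Chunk(1.03, "out", "DATA", 101),  # retransmission after timeout
    Chunk(1.04, "in",  "SACK", 101),  # captured, dropped again
    Chunk(3.04, "out", "DATA", 101),
]


def tsn_lte(a, b):
    """True if TSN a <= b in 32-bit serial-number arithmetic (TSNs wrap)."""
    return ((b - a) & 0xFFFFFFFF) < 0x80000000


def find_retransmissions(capture):
    """Return (time, tsn, sack_was_captured) for every retransmitted DATA.

    sack_was_captured is True when a SACK covering the TSN was already in
    the trace, i.e. the peer's SACK reached the tap but not the SCTP stack.
    """
    sent = set()
    cum_ack = None  # highest cumulative TSN ack seen inbound so far
    findings = []
    for c in capture:
        if c.direction == "in" and c.kind == "SACK":
            if cum_ack is None or tsn_lte(cum_ack, c.tsn):
                cum_ack = c.tsn
        elif c.direction == "out" and c.kind == "DATA":
            if c.tsn in sent:
                covered = cum_ack is not None and tsn_lte(c.tsn, cum_ack)
                findings.append((c.t, c.tsn, covered))
            sent.add(c.tsn)
    return findings


if __name__ == "__main__":
    for t, tsn, covered in find_retransmissions(CAPTURE):
        reason = "SACK captured but not processed" if covered else "no SACK in trace"
        print(f"{t:.2f}s TSN {tsn} retransmitted ({reason})")
```

A retransmission flagged with a captured SACK points at filtering between the tap and the stack rather than at loss on the path.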