Wireshark-dev: [Wireshark-dev] Expert Info Issues

From: "Laura Chappell" <laura@xxxxxxxxxxxxx>
Date: Sun, 18 Oct 2009 09:49:07 -0700

Hello all… working on documenting some examples of the expert notifications – some issues came up during the process. Your thoughts?

 

1. TCP Zero Window Probes (misidentified if no single byte?)

- Zero Window Probes with no single byte is interpreted as TCP Keep-Alives (seems the specs are a bit ambiguous on whether a data byte should be included) – is there any way to correlate these packets with the zero window condition to interpret as TCP Zero Window Probes?

– The response is interpreted as  a ZeroWindow packet, not a Keep-Alive ACK or even a Zero Window Probe ACK.  At least these packets should be Keep-Alive ACKs per the dev notes:

       * It is a keepalive ack if it repeats the previous ACK and if

       * the last segment in the reverse direction was a keepalive

      (see download-bad.pcap at www.chappellseminars.com/traces)

 

2. TCP Retransmissions v. TCP Fast Retransmissions (put together under Warnings?)

- shouldn’t these two be under the same tab (I’d recommend Warnings for both). I am not a great fan of the delineation between the two (seems bizarre to see a “Fast Retransmission” listed after 279 duplicate ACKs – not intuitive to the users what happened here – they don’t know the time relates to the last dupe ACK and think Wireshark is messed up with the ‘Fast’ title). Elevating Retransmissions to Warnings may bring up the issue of “What is normal?” (see my swollen ankle issue below <g>) BUT… retransmissions are not a good thing in general – something to watch for as signs of packet loss.

 

3. Disabling an Expert Notification? Might be a good idea (rather than in TCP settings...?)

 

THANK YOU! (No action required) Zero Window/Window is Full/Window Update

- I love Window is Full in warnings AND Window Updates under chat!

- Read through numerous dev threads regarding Zero Window issues - I agree Zero Window/Window Full should be warnings as they are now; probes and acks in notes as they are now – I read the dev threads on the issue that zero window is a ‘normal condition’ – but in all honesty it is a condition that indicates a problem – just as a swollen ankle is an indication of a problem, but the body's normal reaction to a sprain – whether there are steps to resolve is another issue.

 

Thanks so much!

 

Laura

(who recently sprained her ankle and whined like a big baby - definitely under WARNINGS!)