Wireshark-dev: [Wireshark-dev] TCP experimental options

From: Tom Harwood <tomharwood@xxxxxxxxxxx>
Date: Thu, 06 Sep 2012 14:51:58 +0100
Hi all,

I've been experimenting with TCP Fast Open - https://tools.ietf.org/html/draft-cheng-tcpm-fastopen-02 . The protocol currently uses a TCP experimental options kind  (0xfe) for its cookie values. The cookies show in Wireshark as "TCP Option - Experimental: fexxf989...", where f989 is TFO's magic number prefix.

I thought it would be neat to label these (albeit experimental) TCP Fast Open cookies in Wireshark. The TCP experimental options field strictly has no structure, however the magic number prefix (f989 in this case) could help with identification. http://tools.ietf.org/html/draft-touch-tcpm-experimental-options-00 has some ideas related to this.

To generalise, I was thinking of writing a patch to check each TCP experimental option against a list of variable length magic numbers. Then Wireshark could identify experimental TFO cookies, and any other experimental options seen "in the wild". (however TFO is the only one I have ever seen :-))

As there's no structure to the TCP experimental options fields, some uses could overlap, and some experimental option data could plausibly belong to more than one experiment: In this case, we could note the ambiguity and/or list all the possible known types the data could be.

Are there any suggestions? (is this a reasonable idea?)

thanks,

Tom

ps - many thanks to the authors of Wireshark, it's a brilliant piece of software :-)