On 09/15/14 03:10, 李凌 wrote:
Hello, everyone!
It is my pleasure to write here for you.
I've got a problem with Wireshark: how does the software confirm
whether a TCP packet is out-of-order or not?
I captured a pcap file named 'example.pcap'; in this file No.507, No.508
and No.509 confuse me:
(because the pcap file is too large, more than 7MB, I had to
export the right packets as plain text named No507-No509.txt)
507 IP_ID:15689 TCP_SEQ:727452
508 IP_ID:15690 TCP_SEQ:669373 ------ out of order
509 IP_ID:15691 TCP_SEQ:670825 ------ TCP retransmission
Packet No.508 has an IP header ID of 15690, which is bigger than
No.507's. This means the server sent packet No.508 after packet
No.507, and Wireshark captured them the same way. So, as far as I know,
No.508 may be a retransmission instead of an out-of-order packet. However,
Wireshark tags No.508 with an out-of-order flag, which confuses me. Is
there any rule I don't get? I found nothing on the Internet about this
question; could you please help me?

Yeah, I have never really understood what "out of order" really means.
In my mind a packet would either be a retransmission (something which
should have come before the last packet we've seen) or it's ahead of the
last packet we've seen (indicating we've missed one or more packets).
The idea behind "out of order" is, I believe, to indicate when something
is too far "out of order" to be a retransmission or a simple hole in
the sequence (i.e., a couple of missed packets). Here's the logic
Wireshark uses to determine if a TCP segment is out of order:

    /* If the segment came relatively close since the segment with the highest
     * seen sequence number and it doesn't look like a retransmission
     * then it is an OUT-OF-ORDER segment.
     */
    /* t = nanoseconds elapsed since the segment with the highest seen
     * sequence number */
    t=(pinfo->fd->abs_ts.secs-tcpd->fwd->nextseqtime.secs)*1000000000;
    t=t+(pinfo->fd->abs_ts.nsecs)-tcpd->fwd->nextseqtime.nsecs;
    if( t < ooo_thres
    && tcpd->fwd->nextseq != seq + seglen ) {
        if(!tcpd->ta) {
            tcp_analyze_get_acked_struct(pinfo->fd->num, seq, ack, TRUE, tcpd);
        }
        tcpd->ta->flags|=TCP_A_OUT_OF_ORDER;
        goto finished_checking_retransmission_type;
    }
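
The check quoted above, modelled as a small stand-alone C program and run over the three packets from the question. This is an added example, not part of the thread and not Wireshark's own code. The struct, the function names, the 3 ms threshold, the 1452-byte segment length and the capture timestamps are all assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed value (3 ms in ns); the thread does not say what ooo_thres is. */
#define OOO_THRES_NS 3000000LL

enum verdict { IN_ORDER, OUT_OF_ORDER, RETRANSMISSION };

/* Hypothetical per-direction state mirroring the nextseq/nextseqtime fields. */
struct flow {
    uint32_t nextseq;        /* highest seq + seglen seen so far (0 = none) */
    int64_t  nextseqtime_ns; /* capture time of the segment that set it */
};

/* Serial-number comparison, so sequence wrap-around is handled. */
static int seq_lt(uint32_t a, uint32_t b) { return (int32_t)(a - b) < 0; }

enum verdict classify(struct flow *f, uint32_t seq, uint32_t seglen, int64_t ts_ns)
{
    uint32_t end = seq + seglen;

    /* Assumption: the check only applies to data that starts below nextseq. */
    if (f->nextseq != 0 && seglen > 0 && seq_lt(seq, f->nextseq)) {
        int64_t t = ts_ns - f->nextseqtime_ns;
        /* Same condition as the quoted snippet: time and sequence only. */
        if (t < OOO_THRES_NS && f->nextseq != end)
            return OUT_OF_ORDER;
        return RETRANSMISSION; /* stands in for every other retransmission type */
    }
    if (f->nextseq == 0 || seq_lt(f->nextseq, end)) {
        f->nextseq = end;          /* new highest sequence number */
        f->nextseqtime_ns = ts_ns;
    }
    return IN_ORDER;
}

int main(void)
{
    /* Constructed input: sequence numbers from the question, timing invented. */
    static const char *name[] = { "in order", "out of order", "retransmission" };
    struct flow f = { 0, 0 };
    printf("507: %s\n", name[classify(&f, 727452u, 1452u, 0)]);
    printf("508: %s\n", name[classify(&f, 669373u, 1452u, 1000000LL)]);
    printf("509: %s\n", name[classify(&f, 670825u, 1452u, 5000000LL)]);
    return 0;
}
```

The IP ID never enters the decision: with these constructed timestamps, No.508 falls inside the threshold and is flagged out of order, while No.509 arrives after it and is treated as a retransmission.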