Wireshark-dev: Re: [Wireshark-dev] Proposed changes to make tcp.ack and tcp.seq relative

From: Jasper Bongertz <jasper@xxxxxxxxxxxxxx>
Date: Tue, 5 May 2020 10:42:24 +0200
Hello Peter,

Tuesday, May 5, 2020, 1:46:13 AM, you wrote:

>> To avoid cluttering the TCP tree with redundant fields: can we only show the
>> absolutes if the relatives are also displayed? I don't think it's useful to
>> show the absolutes twice.

> Sure! The fields will be hidden in the view, but you will still be able
> to use them in filter expressions.

Good, I like it.

> On a related note, to address one of the use cases that prompted for the
> new field, I added expert info to mark connections where the server
> accepted TCP Fast Open (TFO) data. Is that useful to have?

Yes, that's useful to have, absolutely.

Would it be possible to mark TFO connections when they were NOT accepted as
well? That could be helpful, because right now I am not sure how I would find
failed TFO connections (except looking for SYN/ACK packets that fail). Or is
there an expert info that tells me that a connection used TFO and I can use the
field existence of the "accepted" TFO to check for it's absence to find failed
connections?
Unfortunately I have no example pcap for that scenario, so maybe this
functionality has to come as a later patch?

Cheers,
Jasper