Wireshark-dev: [Wireshark-dev] Enhancement Idea: "TCP SACK" instead of "TCP Dup ACK"

From: Josh Clark <josh@xxxxxxxxxxxx>
Date: Tue, 19 Jan 2021 16:03:17 -0500

Good afternoon,

I'd like to put some work in to address a pain point I have with Wireshark. Often in troubleshooting, someone will point to several consecutive rows labelled "TCP Dup ACK" and wonder how much packet loss I must have to cause so many duplicate ACKs to be sent. I then have to tell them about SACKs.

To resolve this, I'd like to replace the TCP Dup ACK label with a TCP SACK label when appropriate.

The little bit of research I've done has led me to an understanding that most of the work would be done in /epan/dissectors/packet-tcp.c and the associated .h. I think the scope of the work would look like:

1. Add a boolean to the tcp_acked struct for presence of an SLE or SRE field
2. Add a static void tcp_sequence_number_analysis_print_selective() function that should mostly be a copy of the print_duplicate
3. Possibly change the coloring rules on the baked-in Default profile to distinguish duplicate vs selective

I would appreciate your comments on my plan, and your assistance getting me off the ground in making some edits.

Regards,

Josh Clark
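
The distinction the message proposes, as an added example that is not part of the original post and not Wireshark's packet-tcp.c code: a stand-alone walk of the TCP options that counts SACK blocks (SLE/SRE pairs, option kind 5 per RFC 2018) and picks the label accordingly. The names `count_sack_blocks` and `ack_label` are hypothetical, `is_dup_ack` stands in for the dissector's existing duplicate-ACK test, and the sample headers are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TCPOPT_EOL  0
#define TCPOPT_NOP  1
#define TCPOPT_SACK 5  /* RFC 2018: kind 5, length 2 + 8*n, each block = SLE + SRE */
/* Constructed sample: 32-byte TCP header, ACK flag set, options NOP NOP SACK(1 block). */
static const uint8_t sample_sack[32] = {
    0x01,0xbb, 0xc3,0x50, 0,0,0,1, 0,0,0x03,0xe9, 0x80,0x10, 0x01,0x00, 0,0, 0,0,
    TCPOPT_NOP, TCPOPT_NOP, TCPOPT_SACK, 10, 0,0,0x09,0x9d, 0,0,0x0f,0x51 };
/* Constructed sample: the same ACK with a bare 20-byte header (no options). */
static const uint8_t sample_plain[20] = {
    0x01,0xbb, 0xc3,0x50, 0,0,0,1, 0,0,0x03,0xe9, 0x50,0x10, 0x01,0x00, 0,0, 0,0 };

/* Number of SACK blocks (SLE/SRE pairs) in a TCP header, or -1 if malformed. */
int count_sack_blocks(const uint8_t *tcp, size_t len) {
    if (len < 20) return -1;
    size_t hdr_len = (size_t)(tcp[12] >> 4) * 4;      /* data offset, in bytes */
    if (hdr_len < 20 || hdr_len > len) return -1;
    int blocks = 0;
    for (size_t i = 20; i < hdr_len; ) {
        uint8_t kind = tcp[i];
        if (kind == TCPOPT_EOL) break;
        if (kind == TCPOPT_NOP) { i++; continue; }
        if (i + 1 >= hdr_len) return -1;              /* no room for the length byte */
        uint8_t optlen = tcp[i + 1];
        if (optlen < 2 || i + optlen > hdr_len) return -1;
        if (kind == TCPOPT_SACK) {
            if (optlen < 10 || (optlen - 2) % 8 != 0) return -1;
            blocks += (optlen - 2) / 8;
        }
        i += optlen;
    }
    return blocks;
}

/* Hypothetical label choice; is_dup_ack stands in for the existing Dup ACK test. */
const char *ack_label(int is_dup_ack, const uint8_t *tcp, size_t len) {
    if (!is_dup_ack) return "";
    return count_sack_blocks(tcp, len) > 0 ? "TCP SACK" : "TCP Dup ACK";
}

int main(void) {
    printf("%s\n", ack_label(1, sample_sack, sizeof sample_sack));
    printf("%s\n", ack_label(1, sample_plain, sizeof sample_plain));
    return 0;
}
```

A header whose options are truncated or malformed falls back to the plain Dup ACK label here, since no SLE/SRE pair could be read from it.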