Wireshark-dev: [Wireshark-dev] TCP Analysis questions

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: "??????????" <9618554@xxxxxx>
Date: Fri, 29 Apr 2022 08:27:00 +0800
Dear ??

Hope this email finds you well.

First of all, I am sorry that my English is poor, Can you help me to analysis under my questions? I am puzzled by the TCP Analysis Flags.

For the TCP Analysis , I have the following questions :
https://www.wireshark.org/docs/wsug_html_chunked/ChAdvTCPAnalysis.html

Next expected sequence number
The last-seen sequence number plus segment length. Set when there are no analysis flags and for zero window probes. This is initially zero and calculated based on the previous packet in the same TCP flow. Note that this may not be the same as the tcp.nxtseq protocol field.

1.What's the difference between "Next expected sequence number" and "Next sequence number"?

Next sequence number : tcp.nxtseq = tcp.seq + tcp.len

Next expected sequence number : ?

2.What's the meaning of the "Set when there are no analysis flags and for zero window probes." ?
Set when there are no analysis flags?
Set for zero window probes?
And?

3.What's the meaning of the "Note that this may not be the same as the tcp.nxtseq protocol field."?In what situation would this happen?


Next expected acknowledgement number
The last-seen sequence number for segments. Set when there are no analysis flags and for zero window probes.

4.Next expected acknowledgement number : tcp.ack ?


Last-seen acknowledgment number
Always set. Note that this is not the same as the next expected acknowledgment number.

Last-seen acknowledgment number
Always updated for each packet. Note that this is not the same as the next expected acknowledgment number.

5.What's the difference between the two?


6. Example:



For No.642

Next expected sequence number
The last-seen sequence number plus segment length.   Is the No.642 Seq 2481 ?

Next expected acknowledgement number
The last-seen sequence number for segments.    Is the No.642 Ack 518 ? tcp.ack ? What's last-seen seq means?

Last-seen acknowledgment number
Is the No.641 Ack 2481 ? or No.640 ACK 518 ?


I would appreciate your help.

Yours sincerely,
7ACE