Wireshark-users: Re: [Wireshark-users] Question on interpreting TCP Expert Info
From: "Small, James" <JSmall@xxxxxxxxxxxxxx>
Date: Thu, 4 Jan 2007 23:02:46 -0500
Boy, isn't that the truth. Even after reading Steven's first book, I don't think I truly appreciated just how complex TCP really is until looking at lots of WAN traces. I've definitely picked up a lot from listening to the group. This is one I saved though and I still don't completely understand: Question: Has there been any movement to re-introduce the SEQ/ACK breakout into Wireshark? We found this to be one of the most valuable capabilities in Ethereal and used it for finding network times for remote subnets. Below is a typical portion of a tethereal script that was used for getting an RTT for only the TCP handshake. This proved very valuable in quickly separating out an application-related delay versus a network delay and could keep a running file of network response times, especially valuable when limited to a specific remote subnet. This example, of course, relied on activation of the TCP relative sequence number feature: -z io,stat,60,AVG(tcp.analysis.ack_rtt)"((tcp.flags.syn==1 or (tcp.seq==1 and tcp.ack==1 and tcp.len==0)) and tcp.analysis.ack_rtt" Answer: Can you check the wiki for TCP to make sure this feature is documented properly and that there are useful examples on how one can use this feature and why one might want to use it? Since you find this feature useful (as did the others that have noticed it went missing in the big analysis rewrite and cleanup) it would be very useful if someone that does use the feature could look at the wiki and make sure it is properly documented - both what it does and why it is useful so others can also benefit from it. To make it more accurate would be to enhance it to ONLY collect the RTT for PSH segments (since tcps are not doing delayed-ack on such segments) and only if there were no retransmissions between the datasegment and the ack. /End At any rate I ordered the new Wireshark/Ethereal book and am definitely looking forward to the part about MATE. --Jim > -----Original Message----- > From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users- > bounces@xxxxxxxxxxxxx] On Behalf Of Hansang Bae > Sent: Thursday, January 04, 2007 9:10 PM > To: Community support list for Wireshark > Subject: Re: [Wireshark-users] Question on interpreting TCP Expert Info > > At 04:28 PM 12/29/2006, Small, James wrote: > >Hello, I am using Wireshark to look at mail traffic > >(SMTP/POP3). When I look at the trace I see lots of the following: > >Previous Segment Lost Retransmission (suspected) Duplicate ACKs I'm > >suspecting that this is exacerbated by not having enough Internet > >bandwidth. My question is, how do I interpret this? Does this show > >that I don't have enough bandwidth? Does it mean there needs to be > >tuning? I realize this is not an easy question and would be very > >happy even with a go ready book ABC answer - just as long as once I > >read book ABC I would know how to interpret the data. Any and all > >advice greatly appreciated. > > > > First thing I would check is to make sure you don't have a duplex > mismatch. Chances are, you are using some type of a cable modem > router. These devices for the most part auto-negotiate. You don't > (typically) have much of a choice in the matter. > > So it's imperative that your PC's NIC is in auto-negotiate mode. > > There really aren't to many books on using protocol analyzers. The > reason is that to TRULY understand protocol analysis, you need in > depth understanding of the protocols itself. Then, you need a lot of > practice reading trace files as this is more art then science. > > hsb > > _______________________________________________ > Wireshark-users mailing list > Wireshark-users@xxxxxxxxxxxxx > http://www.wireshark.org/mailman/listinfo/wireshark-users
- Prev by Date: [Wireshark-users] RTP decoded as WCCP (malformed packet)
- Next by Date: Re: [Wireshark-users] RTP decoded as WCCP (malformed packet)
- Previous by thread: Re: [Wireshark-users] Question on interpreting TCP Expert Info
- Next by thread: [Wireshark-users] RTP decoded as WCCP (malformed packet)
- Index(es):