 | 1 | initial version |
From a quick run through the source code, I think this is the relevant part:
/* Store the highest number seen so far for nextseq so we can detect
* when we receive segments that arrive with a "hole"
* If we don't have anything since before, just store what we got.
* ZeroWindowProbes are special and don't really advance the nextseq
*/
if(GT_SEQ(nextseq, tcpd->fwd->tcp_analyze_seq_info->nextseq) || !tcpd->fwd->tcp_analyze_seq_info->nextseq) {
if( !tcpd->ta || !(tcpd->ta->flags&TCP_A_ZERO_WINDOW_PROBE) ) {
tcpd->fwd->tcp_analyze_seq_info->nextseq=nextseq;
tcpd->fwd->tcp_analyze_seq_info->nextseqframe=pinfo->num;
tcpd->fwd->tcp_analyze_seq_info->nextseqtime.secs=pinfo->abs_ts.secs;
tcpd->fwd->tcp_analyze_seq_info->nextseqtime.nsecs=pinfo->abs_ts.nsecs;
}
}
Which means, the highest seen value for next sequence number is kept in combination of the timestamp of the currently analyzed packet in order to help analyze the next packets in regards to retransmissions, out-of-order etc.