Ask Your Question
0

iRTT Field Missing in Capture

asked 2019-09-26 18:53:42 +0000

Don gravatar image

updated 2019-09-26 19:00:51 +0000

We have two Ethernet boards, one board perfectly accomplishes an FTP file transfer, the second does not and it eventually times out early on, mishandling the SYN SYN:ACK phase. We analyzed the two Wireshark captures and noticed that the good capture has the iRTT time stamp field included while the bad one does not. What is the significance of not seeing that iRTT in the bad capture? Is that indicative to why it fails the xfer? Would really appreciate a reply.. Thanks

I would like to attach the screen shot of the two captures but don't see Attach option here..

edit retag flag offensive close merge delete

Comments

Put the captures on a public file share site and post the link in the question. That's how you can solve that.

Jaap gravatar imageJaap ( 2019-09-26 18:59:44 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2019-09-26 20:36:15 +0000

SYN-bit gravatar image

mishandling the SYN SYN:ACK phase.

If by "mishandling" you mean that there is no full 3-way handshake, then it is logical that there is no iRTT being shown, as Wireshark calculates the iRTT based on the timings in the 3-way handshake. If this is the case, the problem is in the faulty 3-way handshake and the missing iRTT is just a symptom.

edit flag offensive delete link more

Comments

Hi, So it requires the SYN --> SYN:ACK --> ACK events to occur. We had assumed only the SYN --> SYN:ACK is required for the iRTT. Thanks for your reply and clarifying Don

Don gravatar imageDon ( 2019-09-26 22:09:34 +0000 )edit

Yes, Wireshark does need the final ack for the calculation, because it does not know if the capture was made near the client, near the server or somewhere in between. So the best approximation of the iRTT is the time difference between the SYN packet and the final ACK packet (regardless of where on the path the capture was made).

If this answered your question, could you click on the checkmark so it is marked as "answered"?

SYN-bit gravatar imageSYN-bit ( 2019-09-27 07:43:52 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2019-09-26 18:53:42 +0000

Seen: 241 times

Last updated: Sep 26 '19