release 3.6.8 missing SEQ/ACK analysis

asked 2022-09-12 19:50:19 +0000

JohnH

I must be missing something. Since I upgraded from 3.4.6 to 3.6.8, I no longer see the SEQ/ACK analysis section under TCP. I checked by loading the same capture in both versions. I have also unchecked - Do not call subdissectors for error packets - in both versions. In 3.4.6 I can use the filter TCP.Analysis.duplicate_ack and I find 34127 dup acks. I have looked at the actual dup packets to validate these are real dups and they are. When I load the same capture in 3.6.8, the same filter finds 0 packets and the SEQ/ACK analysis section is missing. Help!


Comments

Is it possible that Analyze Sequence Numbers is not enabled/checked in your preferences for TCP?

Chuckc ( 2022-09-12 21:45:56 +0000 )

Analyze Sequence Numbers is enabled. Here are the enabled TCP preferences:

  • Show TCP Summary in protocol tree
  • Allow sub dissector to reassemble TCP streams
  • Analyze TCP sequence numbers
  • Track number of bytes in flight
  • Calculate conversation timestamps
  • Try heuristic sub-dissectors first
  • TCP Experimental Options with a Magic Number

All the rest are disabled.

JohnH ( 2022-09-13 11:52:10 +0000 )

There is a sample capture on the Wiki page for TCP.
Open it in 3.6.8 and see if it is working. If not, then it is a config issue. If it does work, then it is something in your capture, and it would be easier to move forward if you can share the capture file.

A display filter of tcp.analysis will show the packets with a [SEQ/ACK analysis] section.

Chuckc ( 2022-09-13 15:10:34 +0000 )

I have loaded the sample capture and it appears to work. How do I share the capture file I am working with?

JohnH ( 2022-09-13 15:22:45 +0000 )

Put it on a public file share (Google, Onedrive, Dropbox, ...) then update the question with a link to it.

Chuckc ( 2022-09-13 15:30:23 +0000 )

1 Answer


answered 2022-09-13 15:59:50 +0000

Chuckc
Snapshot length: 64
[Packet size limited during capture: TCP truncated]

This is an open issue: 18138: Incomplete captured TCP packets not registered as conversations.


Comments

Thanks for looking into this, at least I'm not crazy. Any estimate on when or which release it might be fixed in?

JohnH ( 2022-09-13 16:01:26 +0000 )

Can you increase the snap length when capturing? See notes here:
https://gitlab.com/wireshark/wireshar...
You could also add a comment to the open issue showing your interest in moving forward with the Draft commit.

Chuckc ( 2022-09-13 16:06:58 +0000 )

What snap length would you recommend? Most of my customers want to use a minimum snap length to minimize exposure to their customer data. I will use this in the future; in this case I was going over some old captures to put together problem determination training when I discovered the issue. I should have read the notes first; it looks like 94 bytes would work reliably.

JohnH ( 2022-09-13 16:16:49 +0000 )

Definitely test before you have to rely on that for a solution.

Chuckc ( 2022-09-13 17:02:19 +0000 )
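
An added example, not part of the thread and not Wireshark code: a Python check that reads a classic little-endian pcap file and lists the IPv4/TCP packets whose TCP header does not fit within the captured bytes, the kind of truncation a 64-byte snapshot length produces. It assumes untagged Ethernet II frames and no pcapng; the function names and the sample capture are constructed for illustration.

```python
import struct

ETH_LEN = 14  # Ethernet II header without a VLAN tag (assumption of this example)

def tcp_header_end(frame):
    """Bytes needed to hold the full TCP header, or None if not IPv4/TCP."""
    if len(frame) < ETH_LEN + 20 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[ETH_LEN] & 0x0F) * 4        # IPv4 header length in bytes
    if frame[ETH_LEN + 9] != 6:              # IPv4 protocol field: 6 = TCP
        return None
    tcp = ETH_LEN + ihl
    if len(frame) < tcp + 13:                # data-offset byte itself was cut off
        return tcp + 20                      # at least the minimum TCP header
    return tcp + (frame[tcp + 12] >> 4) * 4  # TCP data offset covers the options

def truncated_tcp_headers(pcap):
    """Return (snaplen, tcp_packets, [(packet_no, captured, needed), ...])."""
    magic, _, _, _, _, snaplen, linktype = struct.unpack_from("<IHHiIII", pcap, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected a little-endian classic pcap with Ethernet frames")
    pos, number, tcp_packets, cut = 24, 0, 0, []
    while pos + 16 <= len(pcap):
        caplen = struct.unpack_from("<I", pcap, pos + 8)[0]  # captured length
        frame = pcap[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen
        number += 1
        needed = tcp_header_end(frame)
        if needed is not None:
            tcp_packets += 1
            if caplen < needed:
                cut.append((number, caplen, needed))
    return snaplen, tcp_packets, cut

def sample_pcap(snaplen, tcp_option_lengths):
    """Constructed capture: one IPv4/TCP frame per entry, cut at snaplen."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for opts in tcp_option_lengths:
        l2_l3 = bytes(12) + b"\x08\x00" + b"\x45" + bytes(8) + b"\x06" + bytes(10)
        tcp = bytes(12) + bytes([((20 + opts) // 4) << 4]) + bytes(7) + b"\x01" * opts
        frame = l2_l3 + tcp
        out += struct.pack("<IIII", 0, 0, min(len(frame), snaplen), len(frame))
        out += frame[:snaplen]
    return out

if __name__ == "__main__":
    # TCP option sizes of 0, 12, 32 and 40 bytes: headers end at 54, 66, 86, 94.
    for snap in (64, 94):
        print(snap, truncated_tcp_headers(sample_pcap(snap, [0, 12, 32, 40])))
```
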

Stats

Asked: 2022-09-12 19:50:19 +0000

Seen: 576 times

Last updated: Sep 13 '22