Ask Your Question
0

Are these tcp acked unseen segments really unseen?

asked 2023-03-16 12:40:40 +0000

WvdK gravatar image

I see that wireshark is flagging below packets as tcp acked uncseen segements in e.g. packet 50, 56, 62. But why? If I look that the pervious packets 49, 55 and 61 the ack, seq number, next seq number and segment len are all in harmony as far as I can tell. I don't see that 10.84.4.57 is acknowledging data that isn't in the trace. One thing perhaps is that 10.73.204.211 is using TSO/offloading and therefore wireshark might know that there should been two or more packets. But if Wireshark does know that then look at packet 79/80. There I see a similar exchange of packets as in 49/50, 55/56, 61/62 but here there is no need for TSO as the packet contains only 645 bytes and still 62 is flagged as ack of unseen segment. Also look at 69/70 there same exchange as in 9/50, 55/56, 61/62 and here also a big packet which will be two on the wire but here wireshark does not flag it as tcp acked unseen segment.

So what is the rule for wireshark to come to the conclusion a tcp acked unseen segment.

edit retag flag offensive close merge delete

Comments

You can share the capture on a public share and post a link to it back here. Using the familiar tools, e.g. Wireshark and tshark, to look at the data rather than a wall of text might get some responses.

grahamb gravatar imagegrahamb ( 2023-03-16 14:10:41 +0000 )edit

Link to screen capture of wireshark is here: https://snipboard.io/Swf4as.jpg

WvdK gravatar imageWvdK ( 2023-03-16 16:01:05 +0000 )edit
add a comment

1 Answer

Sort by » oldest newest most voted
0

answered 2023-03-17 07:57:53 +0000

SYN-bit gravatar image

Your screenshot does seem to indicate that these frames are falsely marked as [TCP ACKed unseed segment]. Please post the exact version of Wireshark. Also, if this is indeed a bug, A pcap file showing the problem would be needed to investigate and solve this issue.

edit flag offensive delete link more

Comments

The wireshark version I see this issue on is: Version 4.0.1 (v4.0.1-0-ge9f3970b1527).

Today I also tested the same trace on Version 4.0.3 (v4.0.3-0-gc552f74cdc23). There I don't see these [TCP ACKed unseed segment] ! So issue seems to be related to version 4.0.1. I will update to the latest stable release of Wireshark. 4.0.4 Thanks!

WvdK gravatar imageWvdK ( 2023-03-17 09:20:34 +0000 )edit

Thanks for testing a newer version, good to see it has been resolved already :-)

SYN-bit gravatar imageSYN-bit ( 2023-03-17 09:59:18 +0000 )edit

This was fixed in version 4.0.2 https://gitlab.com/wireshark/wireshar... “tcp: Use correct wraparound comparison in sequence analysis”

André gravatar imageAndré ( 2023-03-17 17:25:39 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

subscribe to rss feed

Stats

Asked: 2023-03-16 12:40:40 +0000

Seen: 483 times

Last updated: Mar 17 '23

Related questions

Why there is port mismatch in tcp and http header for port 51006. Also why the netstat in server do not shows connections under port 51006 even traffic is coming to this port.

Client is waiting for FIN flag from server for 30 sec

follow tcp stream dialogue box

How to tell if TCP segment contains a data in Wireshark?

Help to read this trace

Random Flooding of TCP Retransmissions

How to make wireshark pop out a file when there are a lot of tcp retransmissions?

how to create a graph of the number of active tcp connections over time?

how can I graph mysql response time in wireshark

Is it possible that wireshark doesn't recognize protocol?

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2