

asked 2024-03-27 12:29:23 +0000 by 7ACE, updated 2024-03-27 12:32:23 +0000

Hi experts,

For TCP analysis, what is "tcpd->rev->is_first_ack"? In which scenarios is it used?

    /* If we know the window scaling
     * and if this segment contains data and goes all the way to the
     * edge of the advertised window
     * then we mark it as WINDOW FULL
     * SYN/RST/FIN packets are never WINDOW FULL
     */
    if( seglen>0
    &&  tcpd->rev->win_scale!=-1
    &&  (seq+seglen)==(tcpd->rev->tcp_analyze_seq_info->lastack+(tcpd->rev->window<<(tcpd->rev->is_first_ack?0:(tcpd->rev->win_scale==-2?0:tcpd->rev->win_scale))))
    &&  (flags&(TH_SYN|TH_FIN|TH_RST))==0 ) {
        if(!tcpd->ta) {
            tcp_analyze_get_acked_struct(pinfo->num, seq, ack, TRUE, tcpd);
        }
        tcpd->ta->flags|=TCP_A_WINDOW_FULL;
    }

Regards, 7ACE


1 Answer


answered 2024-03-29 00:35:25 +0000 by Chuckc

From the source (epan/dissectors/packet-tcp.c):

    /* Remember if we have already seen at least one ACK,
     * then we can neutralize the Window Scale side-effect at the beginning (issue 14690)
     */

14690: First "TCP window full" not detected

I haven't seen anything to reuse in the conversations, so I suggest adding a boolean which will track the first ACK (see my merge request). In such a rare case where the Window is full before a first ACK, this will neutralize this side-effect of window scaling, which is not expected here. However, the analysis is good and the GUI gives the right Calculated window size.

1450: TCP: First Full TCP Window is not detected



In TcpWindowFull.pcap, is No. 68 (SYN/ACK) the "tcpd->rev->is_first_ack"?

7ACE ( 2024-03-29 12:25:11 +0000 )

Just looking at the code and Expert Infos, I would say the flag is set on packet 67?


    if(tcph->th_flags & TH_SYN) {
        if(tcph->th_flags & TH_ACK) {
           expert_add_info_format(pinfo, tf_syn, &ei_tcp_connection_synack,
                                  "Connection establish acknowledge (SYN+ACK): server port %u", tcph->th_sport);
           /* Save the server port to help determine dissector used */
           tcpd->server_port = tcph->th_sport;
        } else {
           expert_add_info_format(pinfo, tf_syn, &ei_tcp_connection_syn,
                                  "Connection establish request (SYN): server port %u", tcph->th_dport);
           /* Save the server port to help determine dissector used */
           tcpd->server_port = tcph->th_dport;
           tcpd->ts_mru_syn = pinfo->abs_ts;
        }
        /* Remember where the next segment will start. */
        if (tcp_desegment && tcp_reassemble_out_of_order && tcpd && !PINFO_FD_VISITED(pinfo)) {
            if (tcpd->fwd->maxnextseq == 0) {
                tcpd->fwd->maxnextseq = tcph->th_seq + 1;
            }
        }
        /* Initialize the is_first_ack */
        tcpd->fwd->is_first_ack = TRUE;
    }

Expert Infos:

    67 TCP: Connection establish request (SYN): server port 80
    68 TCP: Connection establish acknowledge (SYN+ACK): server port 80

Chuckc ( 2024-03-29 12:54:14 +0000 )


7ACE ( 2024-03-29 13:16:47 +0000 )

I'm in over my head here so maybe a comment over on the issue or merge request listed above will get one of the original developers to help.

It seems that fwd and rev are relative not absolute so maybe the direction has changed between the flag being set and when it is checked?

    /* These pointers are set by get_tcp_conversation_data()
     * fwd point in the same direction as the current packet
     * and rev in the reverse direction
     */
    tcp_flow_t  *fwd;
    tcp_flow_t  *rev;

Chuckc ( 2024-03-29 15:05:26 +0000 )

Thank you so much for the clear explanation!

7ACE ( 2024-03-30 06:43:41 +0000 )
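To make the role of is_first_ack concrete, here is a stand-alone C model of the window-full test quoted in the question and of the situation issue 14690 describes. This is an added example, not code from Wireshark or from anyone in this thread: flow_t is a hypothetical stand-in for the few tcp_flow_t fields the check reads, flow_note_segment is a simplified stand-in for the dissector's bookkeeping, the "unconditional" variant is assumed to be the pre-fix behaviour the quoted comment calls the "Window Scale side-effect", and the exchange (SYN/ACK with window 8192 and wscale 7, then 8192 bytes of client data) is constructed. The point it shows is RFC 7323's rule that the window field of a SYN or SYN/ACK is never scaled: until the reverse side has sent an ordinary ACK, shifting its window by the scale factor moves the window edge far beyond the real one and the first window-full condition is missed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* TCP flag bits, the same values the TCP header and Wireshark's TH_* macros use. */
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10

/* Hypothetical model of one direction of a conversation; mirrors only the
 * tcp_flow_t fields that the window-full check reads. */
typedef struct {
    int      win_scale;     /* -1: not yet known, -2: option absent, else shift count */
    uint32_t window;        /* raw 16-bit window field of this side's last segment */
    uint32_t lastack;       /* last ACK number this side advertised */
    bool     is_first_ack;  /* true until this side has sent a non-SYN ACK */
} flow_t;

/* Window in bytes as computed after issue 14690: a window last announced in a
 * SYN/SYN-ACK is taken unscaled (RFC 7323 section 2.2). */
static uint32_t advertised_window(const flow_t *rev)
{
    int shift = rev->is_first_ack ? 0 : (rev->win_scale == -2 ? 0 : rev->win_scale);
    return rev->window << shift;
}

/* Assumed pre-fix behaviour: shift whenever a scale factor is known. */
static uint32_t advertised_window_unconditional(const flow_t *rev)
{
    int shift = (rev->win_scale == -2) ? 0 : rev->win_scale;
    return rev->window << shift;
}

typedef uint32_t (*window_fn)(const flow_t *);

/* The dissector's condition: data present, scaling known, no SYN/FIN/RST, and
 * the segment ends exactly at lastack + window of the reverse flow. */
static bool window_full(uint32_t seq, uint32_t seglen, uint8_t flags,
                        const flow_t *rev, window_fn win)
{
    if (seglen == 0) return false;             /* pure ACKs never fill a window */
    if (rev->win_scale == -1) return false;    /* scaling unknown: no verdict */
    if (flags & (TH_SYN | TH_FIN | TH_RST)) return false;
    /* uint32_t arithmetic wraps, matching sequence numbers modulo 2^32 */
    return (uint32_t)(seq + seglen) == (uint32_t)(rev->lastack + win(rev));
}

/* Simplified bookkeeping when the reverse side sends a segment: SYN records the
 * scale and arms is_first_ack, the first non-SYN ACK disarms it. */
static void flow_note_segment(flow_t *f, uint8_t flags, uint32_t window,
                              uint32_t ack, int wscale)
{
    f->window = window;
    if (flags & TH_ACK) f->lastack = ack;
    if (flags & TH_SYN) { f->win_scale = wscale; f->is_first_ack = true; }
    else if (flags & TH_ACK) f->is_first_ack = false;
}

/* Constructed exchange: the server's SYN/ACK (ack 1001) advertises window 8192
 * with wscale 7; the client then sends exactly 8192 bytes in 1460-byte pieces.
 * Returns whether the last data segment is flagged as window full. */
static bool first_window_detected(window_fn win)
{
    flow_t server = { .win_scale = -1 };
    flow_note_segment(&server, TH_SYN | TH_ACK, 8192, 1001, 7);
    uint32_t seq = 1001, remaining = 8192;
    bool full = false;
    while (remaining) {
        uint32_t len = remaining > 1460 ? 1460 : remaining;
        full = window_full(seq, len, TH_ACK, &server, win);
        seq += len;
        remaining -= len;
    }
    return full;
}

/* Same start, then the server ACKs 9193 with a scaled window of 64 (64<<7 = 8192
 * bytes); the client fills that second window. Both variants agree here. */
static bool second_window_detected(window_fn win)
{
    flow_t server = { .win_scale = -1 };
    flow_note_segment(&server, TH_SYN | TH_ACK, 8192, 1001, 7);
    flow_note_segment(&server, TH_ACK, 64, 9193, 0);
    return window_full(9193 + 8192 - 1460, 1460, TH_ACK, &server, win);
}

int main(void)
{
    printf("first window, is_first_ack aware : %s\n", first_window_detected(advertised_window) ? "full" : "missed");
    printf("first window, unconditional shift: %s\n", first_window_detected(advertised_window_unconditional) ? "full" : "missed");
    printf("second window, is_first_ack aware: %s\n", second_window_detected(advertised_window) ? "full" : "missed");
    return 0;
}
```

The first line printed reads "full" and the second "missed": the only difference between the two variants is the shift applied while is_first_ack is still set, which is exactly why the flag lives on the flow that sent the SYN/ACK and is checked through tcpd->rev when the other side's data segment is dissected.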
