Display filter showing different results on different versions

asked 2024-07-16 19:08:16 +0000

updated 2024-07-17 08:07:28 +0000


Hello,

I am trying to inspect traffic for duplicate TCP flows. When I implement the following filter, I get two different results between version 4.2.6 and version 3.4.9:

tcp.flags.syn == 1 and tcp.flags.ack==0 and tcp.analysis.out_of_order or tcp.analysis.reused_ports

On version 3.4.9, this filter displays 556 packets. On version 4.2.6, on the exact same capture, this filter displays 0 packets.

Which version is correct? Why is there such a huge discrepancy?


Comments

Changes have been made in the later version to improve dissection. Without access to the capture file it's difficult to comment.

Were your different versions tested on the same machine?

grahamb (2024-07-17 08:09:10 +0000)

They were tested on the same machine. I unfortunately cannot share the capture due to the sensitive nature of the traffic. I will provide screenshots.

purple_packet_pusher (2024-07-17 14:19:20 +0000)

Unfortunately screenshots are very little help, the capture file is required.

grahamb (2024-07-17 14:45:05 +0000)

Perhaps there is a sample capture on the Wireshark Wiki that shows the issue and can be used for discussion.

Chuckc (2024-07-17 14:51:17 +0000)

Okay, I think I found the issue. I was looking at the pcap on both versions, specifically at the same two frames in both. On v3.4.9, the second frame is analyzed as TCP Out-Of-Order, whereas in v4.2.6, it is analyzed as a TCP retransmission. Is there a good sample capture that has any TCP retransmission in it? That will illustrate this discrepancy best, I believe.

purple_packet_pusher (2024-07-18 13:13:35 +0000)
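Two things decide how many packets the filter in the question matches: how Wireshark groups its operators, and what label the TCP analysis code assigns to each frame. In Wireshark display filters `and` binds tighter than `or`, so the filter as written is evaluated as `(tcp.flags.syn == 1 and tcp.flags.ack == 0 and tcp.analysis.out_of_order) or tcp.analysis.reused_ports`, and the last comment reports that the same frame is labelled Out-Of-Order by 3.4.9 but Retransmission by 4.2.6. The following Python model, added here as an example and not taken from the thread or from Wireshark's own code, evaluates both the filter as written and an explicitly parenthesized form over a small constructed set of packet records; the records, the `Pkt` class and the label names are all assumptions for illustration, and the model only reproduces the filter's boolean logic, not the dissector that assigns the analysis flags.

```python
# Added example: models Wireshark display-filter precedence and the effect of
# a changed TCP analysis label on the match count. Packets are constructed.
from dataclasses import dataclass


@dataclass
class Pkt:
    """Constructed stand-in for the fields the filter references."""
    syn: bool
    ack: bool
    # Analysis flags the dissector attached, e.g. {"out_of_order"} or
    # {"retransmission"} (frozenset so the default is immutable).
    analysis: frozenset = frozenset()


def filter_as_written(p: Pkt) -> bool:
    # 'and' has higher precedence than 'or' in Wireshark's filter grammar,
    # so the filter from the question groups as:
    #   (syn == 1 and ack == 0 and out_of_order) or reused_ports
    return (p.syn and not p.ack and "out_of_order" in p.analysis) \
        or ("reused_ports" in p.analysis)


def filter_parenthesized(p: Pkt) -> bool:
    # Explicit grouping: SYN-only packets flagged out-of-order OR reused-ports.
    return p.syn and not p.ack and (
        "out_of_order" in p.analysis or "reused_ports" in p.analysis)


def count_matches(flt, pkts) -> int:
    return sum(1 for p in pkts if flt(p))


def constructed_capture(syn_label: str) -> list:
    """Constructed packets: three repeated SYNs carrying the analysis label
    the dissector chose for them (syn_label), one SYN/ACK, and one plain ACK
    flagged reused_ports."""
    return [
        Pkt(syn=True, ack=False, analysis=frozenset({syn_label})),
        Pkt(syn=True, ack=False, analysis=frozenset({syn_label})),
        Pkt(syn=True, ack=False, analysis=frozenset({syn_label})),
        Pkt(syn=True, ack=True),
        Pkt(syn=False, ack=True, analysis=frozenset({"reused_ports"})),
    ]


def compare(syn_label: str) -> dict:
    """Match counts for both filter forms when repeated SYNs carry syn_label."""
    pkts = constructed_capture(syn_label)
    return {
        "as_written": count_matches(filter_as_written, pkts),
        "parenthesized": count_matches(filter_parenthesized, pkts),
    }


if __name__ == "__main__":
    # "out_of_order" stands for the 3.4.9 labelling reported in the thread,
    # "retransmission" for the 4.2.6 labelling.
    for label in ("out_of_order", "retransmission"):
        print(label, compare(label))
```

Running it shows that once the repeated SYNs are labelled `retransmission` instead of `out_of_order`, the parenthesized filter matches nothing, because neither `tcp.analysis.out_of_order` nor `tcp.analysis.reused_ports` is set on them any more; the filter as written still matches the non-SYN packet flagged `reused_ports`, which is the precedence trap. A filter that should survive the relabelling would have to include `tcp.analysis.retransmission` explicitly, with parentheses around the `or` group.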