v4.2.x TCP ACKed unseen segment

asked 2024-09-04 00:06:30 +0000

7ACE

updated 2024-09-04 00:07:59 +0000

Hi experts,

For the TCP analysis, why isn't packet No. 6 marked with "TCP ACKed unseen segment"? But in v4.4.0, and even 4.0.x, it is normal.

pcapng: https://drive.google.com/file/d/1Q4cD...

No.  Time      Source       Destination  Protocol  Length  Info
1    0         192.168.1.1  10.10.10.10  TCP       636     7930  >  80 [PSH, ACK] Seq=1 Ack=1 Win=65535 Len=582[Packet size limited during capture]
2    0.000034  10.10.10.10  192.168.1.1  TCP       60      80  >  7930 [ACK] Seq=1 Ack=583 Win=6984 Len=0[Packet size limited during capture]
3    0.084748  10.10.10.10  192.168.1.1  TCP       1254    80  >  7930 [ACK] Seq=1 Ack=583 Win=6984 Len=1200[Packet size limited during capture]
4    0.084857  10.10.10.10  192.168.1.1  TCP       1254    80  >  7930 [ACK] Seq=1201 Ack=583 Win=6984 Len=1200[Packet size limited during capture]
5    0.12227   10.10.10.10  192.168.1.1  TCP       1254    [TCP Previous segment not captured] 80  >  7930 [ACK] Seq=4801 Ack=583 Win=6984 Len=1200[Packet size limited during capture]
6    0.156074  192.168.1.1  10.10.10.10  TCP       60      7930  >  80 [ACK] Seq=583 Ack=6001 Win=65535 Len=0[Packet size limited during capture]
7    0.156763  10.10.10.10  192.168.1.1  TCP       1254    80  >  7930 [ACK] Seq=6001 Ack=583 Win=6984 Len=1200[Packet size limited during capture]
8    0.156865  10.10.10.10  192.168.1.1  TCP       1254    80  >  7930 [ACK] Seq=7201 Ack=583 Win=6984 Len=1200[Packet size limited during capture]



Version 4.2.4 (v4.2.4-0-g1fe5bce8d665).

Compiled (64-bit) using Microsoft Visual Studio 2022 (VC++ 14.37, build 32822),
with GLib 2.78.0, with Qt 6.5.3, with libpcap, with zlib 1.3.0, with PCRE2, with
Lua 5.2.4 (with UfW patches), with GnuTLS 3.8.3 and PKCS #11 support, with
Gcrypt 1.10.2-unknown, with Kerberos (MIT), with MaxMind, with nghttp2 1.57.0,
with nghttp3 1.0.0, with brotli, with LZ4, with Zstandard, with Snappy, with
libxml2 2.11.5, with libsmi 0.5.0, with QtMultimedia, with automatic updates
using WinSparkle 0.8.0, with AirPcap, with Minizip, with binary plugins.

Running on 64-bit Windows 10 (1809), build 17763, with Intel(R) Xeon(R) Gold
6226R CPU @ 2.90GHz (with SSE4.2), with 32767 MB of physical memory, with GLib
2.78.0, with Qt 6.5.3, with Npcap version 1.79, based on libpcap version 1.10.4,
with PCRE2 10.42 2022-12-11, with c-ares 1.27.0, with GnuTLS 3.8.3, with Gcrypt
1.10.2-unknown, with nghttp2 1.57.0, with nghttp3 1.0.0, with brotli 1.0.9, with
LZ4 1.9.3, with Zstandard 1.5.2, without AirPcap, with light display mode,
without ...

1 Answer


answered 2024-09-05 11:34:50 +0000

SYN-bit

Without checking all the commits on the TCP dissector, I would assume there was a code change in 4.2.x that changed this behavior and it has been reverted or at least fixed so that the "TCP ACKed unseen segment" are back for ACKs that ACK segments that Wireshark did not see.

Did you try 4.2.7? It should have been fixed in the 4.2.x release as well. If not, could you open an issue on our gitlab wiki so it can be fixed in the next release of 4.2.x?


Comments

could you open an issue on our gitlab wiki

Maybe issue 20039: 4.4 vs 4.2 TCP ACKed unseen segment should be reopened?

Chuckc ( 2024-09-05 12:11:12 +0000 )

Thanks for your answer. 4.2.7 still has the same problem.

7ACE ( 2024-09-05 13:09:06 +0000 )

It seems that MR-8988 introduced this issue and MR-14587 fixed it, but this was only applied to master (i.e. 4.4 and beyond) and not to 4.2.x.

This MR should be marked for inclusion in 4.2.x.

SYN-bit ( 2024-09-05 14:03:25 +0000 )

I backported the fix to the release-4.2 branch, should be fixed in 4.2.8

SYN-bit ( 2024-09-05 15:03:32 +0000 )
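When the analysis flag differs between Wireshark versions, as in this thread, the capture can be checked independently of the dissector. The following is an added example, not Wireshark's code and not from the posters: a simplified check that reports ACKs reaching past the contiguous data captured from the peer, run over rows constructed from the packet list in the question. It assumes a single stream, relative sequence numbers, no wraparound and no SYN/FIN; the function name and the resync-to-ACK choice are this example's own.

```python
# Rows constructed from the question's packet list: (no, src, seq, ack, len).
PACKETS = [
    (1, "192.168.1.1", 1, 1, 582),
    (2, "10.10.10.10", 1, 583, 0),
    (3, "10.10.10.10", 1, 583, 1200),
    (4, "10.10.10.10", 1201, 583, 1200),
    (5, "10.10.10.10", 4801, 583, 1200),
    (6, "192.168.1.1", 583, 6001, 0),
    (7, "10.10.10.10", 6001, 583, 1200),
    (8, "10.10.10.10", 7201, 583, 1200),
]


def acked_unseen(packets):
    """Return [(packet_no, first_missing_seq, ack)] for ACKs that cover
    bytes never captured from the other endpoint.

    Assumptions (hypothetical helper, simplified): one two-endpoint stream,
    relative sequence numbers, no wraparound, no SYN/FIN sequence usage.
    """
    contiguous = {}  # sender -> next seq after the contiguous data captured so far
    findings = []
    for no, src, seq, ack, length in packets:
        # An ACK sent by src acknowledges data sent by the other endpoint.
        for peer, peer_next in list(contiguous.items()):
            if peer != src and ack > peer_next:
                findings.append((no, peer_next, ack))
                # Resync so the same capture gap is reported only once.
                contiguous[peer] = ack
        # Advance this sender's mark only if the segment extends it without a gap.
        nxt = contiguous.get(src)
        if nxt is None:
            contiguous[src] = seq + length
        elif seq <= nxt < seq + length:
            contiguous[src] = seq + length
    return findings


if __name__ == "__main__":
    for no, missing_from, ack in acked_unseen(PACKETS):
        print(f"packet {no}: Ack={ack} covers uncaptured bytes starting at Seq={missing_from}")
```

On the rows above it reports packet 6, whose Ack=6001 reaches past Seq=2401, the end of the contiguous data captured from 10.10.10.10.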
