Ask Your Question
0

Why this is not a "TCP previous segment not captured"

asked 2018-06-19 13:53:28 +0000

airshark gravatar image

Hi,

I am implementing "TCP segment not captured" analysis flag (aka Wireshark display filter "tcp.analysis.lost_segment") in my application.

With this PCAP file I get a false positive with frame #15328. In Wireshark there is no analysis flag set for this frame. But I would expect a "TCP previous segment not captured" with this.

Can somebody explain why frame #15328 shall have no "TCP previous segment not captured"?

The previous frame in the same direction (#15327) got the analysis flag "TCP Retransmission" and therefore it is not considered to set the "Next expected sequence number", which is then relevant for frame #15328.

from https://www.wireshark.org/docs/wsug_h... Next expected sequence number: The last-seen sequence number plus segment length. Set when there are no analysis flags and and for zero window probes. This is initially zero and calculated based on the previous packet in the same TCP flow. Note that this may not be the same as the tcp.nxtseq protocol field.

Any idea? Thank you!

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2018-06-19 16:45:19 +0000

cmaynard gravatar image

updated 2018-06-19 17:04:35 +0000

I think the documentation needs updating. Clearly frame #15328 should not indicate "TCP previous segment not captured" because the previous segment was captured in frame #15327.

You can force frame #15328 to indicate "TCP previous segment not captured" if you select frame #15327 and choose Edit -> Ignore Packet (Ctrl-D). Use Ctrl-D to Unignore the frame again.

edit flag offensive delete link more

Comments

This sounds reasonable. And yes, with ignoring #15327 I get what I expected.

But I would like to understand the "default" behavior of Wireshark. I don't understand why in this case #15327 is taken into account as previous segment, although it is flagged as "TCP Retransmission".

If I ignore all "TCP Retransmission", I get completely different results than Wireshark TCP analysis.

What is the reason for this exact case, #15327 is handled as previous segment even with "TCP Retransmission" set?

airshark gravatar imageairshark ( 2018-06-20 06:33:16 +0000 )edit

I have just found the bug in my implementation. I was not considering #15327 for "Next expected sequence number" because of the analysis flag "Retransmission". But actually in Wireshark code (epan/dissectors/packet-tcp.c) I found that only when TCPAZEROWINDOWPROBE is set, it shall not be considered.

Thank you for your support!

airshark gravatar imageairshark ( 2018-06-25 09:41:37 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2018-06-19 13:53:28 +0000

Seen: 105 times

Last updated: Jun 19