
7ACE's profile - activity

2025-02-25 05:04:55 +0000 commented question v4.4.4 Wireshark crashes

Thank you for the explanation.

2025-02-25 01:33:48 +0000 asked a question v4.4.4 Wireshark crashes

v4.4.4 Wireshark crashes Hi experts, When using Wireshark to sort packets, the program crashes. Is this because the pro

2025-02-18 21:48:09 +0000 received badge  Famous Question (source)
2024-09-06 07:28:13 +0000 marked best answer v4.2.x TCP ACKed unseen segment

Hi experts,

For the TCP analysis, why isn't packet No.6 marked with "TCP ACKed unseen segment"? But in v4.4.0, and even 4.0.x, it is normal.

pcapng: https://drive.google.com/file/d/1Q4cD...

No.  Time      Source       Destination  Protocol  Length  Info
1    0         192.168.1.1  10.10.10.10  TCP       636     7930 > 80 [PSH, ACK] Seq=1 Ack=1 Win=65535 Len=582 [Packet size limited during capture]
2    0.000034  10.10.10.10  192.168.1.1  TCP       60      80 > 7930 [ACK] Seq=1 Ack=583 Win=6984 Len=0 [Packet size limited during capture]
3    0.084748  10.10.10.10  192.168.1.1  TCP       1254    80 > 7930 [ACK] Seq=1 Ack=583 Win=6984 Len=1200 [Packet size limited during capture]
4    0.084857  10.10.10.10  192.168.1.1  TCP       1254    80 > 7930 [ACK] Seq=1201 Ack=583 Win=6984 Len=1200 [Packet size limited during capture]
5    0.12227   10.10.10.10  192.168.1.1  TCP       1254    [TCP Previous segment not captured] 80 > 7930 [ACK] Seq=4801 Ack=583 Win=6984 Len=1200 [Packet size limited during capture]
6    0.156074  192.168.1.1  10.10.10.10  TCP       60      7930 > 80 [ACK] Seq=583 Ack=6001 Win=65535 Len=0 [Packet size limited during capture]
7    0.156763  10.10.10.10  192.168.1.1  TCP       1254    80 > 7930 [ACK] Seq=6001 Ack=583 Win=6984 Len=1200 [Packet size limited during capture]
8    0.156865  10.10.10.10  192.168.1.1  TCP       1254    80 > 7930 [ACK] Seq=7201 Ack=583 Win=6984 Len=1200 [Packet size limited during capture]



Version 4.2.4 (v4.2.4-0-g1fe5bce8d665).

Compiled (64-bit) using Microsoft Visual Studio 2022 (VC++ 14.37, build 32822),
with GLib 2.78.0, with Qt 6.5.3, with libpcap, with zlib 1.3.0, with PCRE2, with
Lua 5.2.4 (with UfW patches), with GnuTLS 3.8.3 and PKCS #11 support, with
Gcrypt 1.10.2-unknown, with Kerberos (MIT), with MaxMind, with nghttp2 1.57.0,
with nghttp3 1.0.0, with brotli, with LZ4, with Zstandard, with Snappy, with
libxml2 2.11.5, with libsmi 0.5.0, with QtMultimedia, with automatic updates
using WinSparkle 0.8.0, with AirPcap, with Minizip, with binary plugins.

Running on 64-bit Windows 10 (1809), build 17763, with Intel(R) Xeon(R) Gold
6226R CPU @ 2.90GHz (with SSE4.2), with 32767 MB of physical memory, with GLib
2.78.0, with Qt 6.5.3, with Npcap version 1.79, based on libpcap version 1.10.4,
with PCRE2 10.42 2022-12-11, with c-ares 1.27.0, with GnuTLS 3.8.3, with Gcrypt
1.10.2-unknown, with nghttp2 1.57.0, with nghttp3 1.0.0, with brotli 1.0.9, with
LZ4 1.9.3, with Zstandard 1.5.2, without AirPcap, with light display mode,
without ...
2024-09-05 23:47:58 +0000 commented answer v4.2.x TCP ACKed unseen segment

Thanks to all for your help and patience.

2024-09-05 13:09:06 +0000 commented answer v4.2.x TCP ACKed unseen segment

Thanks for your answer. 4.2.7 still has the same problem.

2024-09-04 00:07:59 +0000 edited question v4.2.x TCP ACKed unseen segment

v4.2.x TCP ACKed unseen segment Hi experts, For the TCP Analysis , Why isn't packet No.6 marked with "TCP ACKed unseen

2024-09-04 00:06:30 +0000 asked a question v4.2.x TCP ACKed unseen segment

v4.2.x TCP ACKed unseen segment Hi experts, For the TCP Analysis , Why isn't packet No.6 marked with "TCP ACKed unseen

2024-09-03 03:15:50 +0000 received badge  Popular Question (source)
2024-07-11 00:30:51 +0000 marked best answer nextseq and nextseqtime

Hi experts,

What are nextseq and nextseqtime? Is nextseqtime an estimated value or a real value?

No.1 SeqNum 1      NextSeq 1449    Ack 100 
No.2 SeqNum 1449   NextSeq 2897    Ack 100

1. Is nextseq 2897?
2. Is nextseqtime the timestamp of packet No.2? or?


No.1 SeqNum 1      NextSeq 1449    Ack 100 
No.2 SeqNum 2897   NextSeq 3000    Ack 100

3. Is nextseq 3000?
4. Is nextseqtime the timestamp of packet No.2? or?

The relevant code:

 typedef struct tcp_analyze_seq_flow_info_t {
    /* ... other fields elided ... */
    guint32 nextseq;         /* highest seen nextseq */
    nstime_t nextseqtime;    /* Time of the nextseq packet so we can
                              * distinguish between retransmission,
                              * fast retransmissions and outoforder
                              */
 } tcp_analyze_seq_flow_info_t;

Regards, 7ACE

2024-07-11 00:25:38 +0000 marked best answer TCP Analysis questions

Hi experts,

For the TCP Analysis , I have the following questions :

https://www.wireshark.org/docs/wsug_h...

Next expected sequence number

The last-seen sequence number plus segment length. Set when there are no analysis flags and for zero window probes. This is initially zero and calculated based on the previous packet in the same TCP flow. Note that this may not be the same as the tcp.nxtseq protocol field.

1. What's the difference between "Next expected sequence number" and "Next sequence number"?

Next sequence number : tcp.nxtseq = tcp.seq + tcp.len

Next expected sequence number : ?

2. What's the meaning of "Set when there are no analysis flags and for zero window probes."?

3. What's the meaning of "Note that this may not be the same as the tcp.nxtseq protocol field."? In what situation would this happen?

Next expected acknowledgement number

The last-seen sequence number for segments. Set when there are no analysis flags and for zero window probes.

4.Next expected acknowledgement number : tcp.ack ?

Last-seen acknowledgment number

Always set. Note that this is not the same as the next expected acknowledgment number.

Last-seen acknowledgment number

Always updated for each packet. Note that this is not the same as the next expected acknowledgment number.

5.What's the difference between the two?

Regards, 7ACE

2024-07-11 00:24:19 +0000 received badge  Famous Question (source)
2024-07-05 13:25:59 +0000 commented answer nextseq and nextseqtime

So does nextseq refer to the NextSeqNum of the current packet, while tcpd->fwd->tcp_analyze_seq_info->nextseq r

2024-07-05 09:18:59 +0000 edited question nextseq and nextseqtime

nextseq and nextseqtime Hi experts, What is nextseq and nextseqtime? Is the nextseqtime an estimated value or a real va

2024-07-05 09:17:21 +0000 edited question nextseq and nextseqtime

nextseqtime Hi experts, What is nextseqtime? Is it an estimated value or a real value? No.1 SeqNum 1 NextSeq 1449

2024-07-05 08:51:15 +0000 asked a question nextseq and nextseqtime

nextseqtime Hi experts, What is nextseqtime? Is it an estimated value or a real value? No.1 SeqNum 1 NextSeq 1449

2024-07-05 08:28:44 +0000 received badge  Notable Question (source)
2024-04-25 21:09:43 +0000 received badge  Popular Question (source)
2024-04-18 12:15:53 +0000 marked best answer TCP Port numbers reused

Hi experts,

For the pcap, SYN, SYN/ACK, RST, SYN, SYN/ACK, RST: when I ignore the No.4 SYN packet, why is packet No.2 marked with "TCP Port numbers reused"? tcpd == NULL?

No. Source       Destination  Protocol Stream Length Info
1   10.83.12.253 10.92.54.95  TCP        0    62     54321 > 447 [SYN] Seq=0 Win=14600 Len=0
2   10.92.54.95  10.83.12.253 TCP        0    60     [TCP Port numbers reused] 447  >  54321 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460
3   10.83.12.253 10.92.54.95  TCP        0    62     54321 > 447 [RST] Seq=1 Win=0 Len=0
4   <Ignored>
5   10.92.54.95  10.83.12.253 TCP        0    60     [TCP Previous segment not captured] [TCP Port numbers reused] 447  >  54321 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460
6   10.83.12.253 10.92.54.95  TCP        0    62     54321 > 447 [RST] Seq=1 Win=0 Len=0

The relevant code:

packet-tcp.c
SYN
if (tcpd != NULL  && (tcph->th_flags & (TH_SYN|TH_ACK)) == TH_SYN) {
    ...
    tcpd->ta->flags|=TCP_A_REUSED_PORTS;
    ...
}

SYN/ACK
if (tcpd != NULL && (tcph->th_flags & (TH_SYN|TH_ACK)) == (TH_SYN|TH_ACK)){
    ...
    tcpd->ta->flags|=TCP_A_REUSED_PORTS;
    ...
}

Regards, 7ACE
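As an added example (not Wireshark's code and not from any of the posts above), here is a deliberately simplified Python model of the per-direction state that the "TCP ACKed unseen segment", "nextseq and nextseqtime", "TCP Analysis questions" and "TCP Port numbers reused" posts ask about. It keeps nextseq, nextseqtime, maxseqtobeacked and lastack per direction and derives "Previous segment not captured", "ACKed unseen segment" (an ACK greater than the reverse direction's maxseqtobeacked, the GT_SEQ test quoted in the comments above), "Out-Of-Order" versus "Retransmission" (decided from nextseqtime) and "Port numbers reused" (a new SYN or SYN/ACK with a different ISN). The 3 ms cut-off, the lazy baseline for captures that start mid-stream, the single-hole handling of maxseqtobeacked and the way the ACK check advances maxseqtobeacked are this example's assumptions, not packet-tcp.c's rules, and it does not model the 4.2.x versus 4.4.x difference the first post is about. Frames 1-8 of the first input are transcribed from that post; everything else in the input is constructed.

```python
from dataclasses import dataclass
from typing import Optional

OOO_CUTOFF = 0.003  # seconds; this example's assumed out-of-order vs retransmission cut-off

def gt_seq(a, b):
    """True if a comes after b in 32-bit wrap-around sequence space (cf. GT_SEQ)."""
    return a != b and ((a - b) & 0xFFFFFFFF) < 0x80000000

@dataclass
class FlowInfo:  # per-direction state, named after the tcp_analyze_seq_flow_info_t fields
    isn: Optional[int] = None  # ISN carried by this direction's SYN; None until a SYN is seen
    nextseq: int = 0           # highest seen seq+len ("next expected sequence number"); 0 = unset
    nextseqtime: float = 0.0   # capture time of the segment that set nextseq
    maxseqtobeacked: int = 0   # highest seq reached without a hole; the peer may ACK up to here
    lastack: int = 0           # last ACK number sent in this direction (always updated)

def analyze(flows, p):
    """Classify one segment and update flows ({(addr, port): FlowInfo}); returns its flags.
    p: dict with t, src, sport, dst, dport, flags (set of names), seq, ack, len."""
    fwd = flows.setdefault((p["src"], p["sport"]), FlowInfo())  # sender's direction
    rev = flows.setdefault((p["dst"], p["dport"]), FlowInfo())  # peer's direction
    seq, ack, seglen, t = p["seq"], p["ack"], p["len"], p["t"]
    nxt = seq + seglen + (1 if "SYN" in p["flags"] else 0)  # a SYN consumes one number
    out = []
    if "SYN" in p["flags"]:
        # Another SYN or SYN/ACK in this direction with a different ISN: new connection, same 4-tuple.
        if fwd.isn is not None and fwd.isn != seq:
            out.append("Port numbers reused")
        fwd.isn = seq
        fwd.nextseq = fwd.maxseqtobeacked = nxt
        fwd.nextseqtime = t
    # ACKing beyond the peer's highest hole-free sequence number: the ACKed data never appeared in the capture.
    if "ACK" in p["flags"] and rev.nextseq != 0 and gt_seq(ack, rev.maxseqtobeacked):
        out.append("ACKed unseen segment")
        rev.maxseqtobeacked = ack  # assumption: do not re-flag later ACKs for the same hole
    fwd.lastack = ack
    if seglen > 0:
        if fwd.nextseq == 0:  # capture started mid-stream: the first data segment is the baseline
            fwd.nextseq = fwd.maxseqtobeacked = seq
        if gt_seq(seq, fwd.nextseq):
            out.append("Previous segment not captured")
        elif seq != fwd.nextseq:
            # Data below nextseq: nextseqtime separates a reordered segment (arriving right after the
            # higher one) from a retransmission (arriving much later).
            out.append("Out-Of-Order" if t - fwd.nextseqtime < OOO_CUTOFF else "Retransmission")
        if not gt_seq(seq, fwd.maxseqtobeacked) and gt_seq(nxt, fwd.maxseqtobeacked):
            fwd.maxseqtobeacked = nxt  # single-hole model: the continuous range grows only when contiguous
        if gt_seq(nxt, fwd.nextseq):
            fwd.nextseq, fwd.nextseqtime = nxt, t
    return out

def run(packets):
    """Feed one conversation's segments through analyze(); returns {frame number: flags}."""
    flows = {}
    return {p["no"]: analyze(flows, p) for p in packets}

def seg(no, t, src, dst, flags, seq, ack, ln):
    (a, ap), (b, bp) = src.split(":"), dst.split(":")
    return dict(no=no, t=t, src=a, sport=int(ap), dst=b, dport=int(bp),
                flags=set(flags.split(",")), seq=seq, ack=ack, len=ln)

C, S = "192.168.1.1:7930", "10.10.10.10:80"
# Frames 1-8 are transcribed from the "TCP ACKed unseen segment" post (relative sequence
# numbers, as Wireshark displays them); frames 9-11 are constructed for this example.
PAGE_FLOW = [
    seg(1, 0.000000, C, S, "PSH,ACK", 1, 1, 582),
    seg(2, 0.000034, S, C, "ACK", 1, 583, 0),
    seg(3, 0.084748, S, C, "ACK", 1, 583, 1200),
    seg(4, 0.084857, S, C, "ACK", 1201, 583, 1200),
    seg(5, 0.122270, S, C, "ACK", 4801, 583, 1200),   # 2401..4801 missing from the capture
    seg(6, 0.156074, C, S, "ACK", 583, 6001, 0),      # ACKs past the hole
    seg(7, 0.156763, S, C, "ACK", 6001, 583, 1200),
    seg(8, 0.156865, S, C, "ACK", 7201, 583, 1200),
    seg(9, 0.200000, S, C, "ACK", 2401, 583, 1200),   # constructed: the hole's data, 43 ms after frame 8
    seg(10, 0.200100, S, C, "ACK", 9601, 583, 1200),  # constructed: skips 8401..9601
    seg(11, 0.200200, S, C, "ACK", 8401, 583, 1200),  # constructed: arrives 0.1 ms later
]

A, B = "10.83.12.253:54321", "10.92.54.95:447"
# Constructed: two handshakes on one 4-tuple, the second with new ISNs (the
# SYN, SYN/ACK, RST, SYN, SYN/ACK, RST shape of the port-reuse post).
REUSE_FLOW = [
    seg(1, 0.0, A, B, "SYN", 1000, 0, 0),
    seg(2, 0.1, B, A, "SYN,ACK", 2000, 1001, 0),
    seg(3, 0.2, A, B, "RST", 1001, 0, 0),
    seg(4, 1.0, A, B, "SYN", 5000, 0, 0),
    seg(5, 1.1, B, A, "SYN,ACK", 9000, 5001, 0),
    seg(6, 1.2, A, B, "RST", 5001, 0, 0),
]

if __name__ == "__main__":
    print("page flow:", {n: f for n, f in run(PAGE_FLOW).items() if f})
    print("port reuse:", {n: f for n, f in run(REUSE_FLOW).items() if f})
```

Running it flags frame 5 of the transcribed flow as "Previous segment not captured" and frame 6 as "ACKed unseen segment", because the ACK of 6001 exceeds the server direction's maxseqtobeacked of 2401 while its nextseq is already 6001; the constructed frames 9-11 then show the same seq-below-nextseq situation resolving to "Retransmission" or "Out-Of-Order" purely on the distance from nextseqtime. In the second input both the second SYN and the second SYN/ACK are flagged, each against its own direction's remembered ISN. The point of the model is to make visible which field each flag is tested against, which is the question behind each of the posts.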

2024-04-18 12:15:43 +0000 commented answer TCP Port numbers reused

Thank you for the explanation.

2024-04-16 14:48:35 +0000 commented answer Why would wireshark on one PC capture LLDP packets and another not?

Perhaps a switch in the network recognizes the LLDP packet and so does not forward it.

2024-04-16 14:40:21 +0000 edited question TCP Port numbers reused

TCP Port numbers reused Hi experts, For the pcap, SYN, SYN/ACK, RST, SYN, SYN/ACK, RST, When I ignore the No.4 SYN packet,Wh

2024-04-16 14:19:48 +0000 asked a question TCP Port numbers reused

TCP Port numbers reused Hi experts, For the pcap, SYN, SYN/ACK, RST, SYN, SYN/ACK, RST, When I ignore the No.4 SYN packet,Wh

2024-04-15 00:40:19 +0000 answered a question TCP ACKed unseen segment

I've found the answer. The value of maxseqtobeacked is 21.

2024-04-13 10:17:52 +0000 commented question ACKED LOST PACKET & Zero Window Probe

GT_SEQ(ack, tcpd->rev->tcp_analyze_seq_info->maxseqtobeacked) Is the value of 'maxseqtobeacked' 15621, not 156

2024-04-13 10:17:16 +0000 commented question ACKED LOST PACKET & Zero Window Probe

GT_SEQ(ack, tcpd->rev->tcp_analyze_seq_info->maxseqtobeacked) Is the value of 'maxseqtobeacked' 15621, not 156

2024-04-11 13:27:20 +0000 asked a question ACKED LOST PACKET & Zero Window Probe

ACKED LOST PACKET & Zero Window Probe Hi experts, For issue #8404 error.pcap,Is No.12 [TCP Window Update] determine

2024-04-11 12:43:17 +0000 asked a question TCP ACKed unseen segment

TCP ACKed unseen segment Hi experts, For the No.6 [TCP ACKed unseen segment], is the value of maxseqtobeacked 21? No.4

2024-04-10 14:25:31 +0000 received badge  Autobiographer
2024-04-07 09:24:24 +0000 received badge  Notable Question (source)
2024-04-07 09:24:10 +0000 received badge  Notable Question (source)
2024-03-30 06:43:41 +0000 commented answer tcpd->rev->is_first_ack

Thank you so much for the clear explanation!

2024-03-30 06:41:26 +0000 marked best answer tcpd->rev->is_first_ack

Hi experts,

For the TCP analysis, what is "tcpd->rev->is_first_ack"? In which scenarios will it be used?

/* WINDOW FULL
 * If we know the window scaling
 * and if this segment contains data and goes all the way to the
 * edge of the advertised window
 * then we mark it as WINDOW FULL
 * SYN/RST/FIN packets are never WINDOW FULL
 */
if( seglen>0
&&  tcpd->rev->win_scale!=-1
&&  (seq+seglen)==(tcpd->rev->tcp_analyze_seq_info->lastack+(tcpd->rev->window<<(tcpd->rev->is_first_ack?0:(tcpd->rev->win_scale==-2?0:tcpd->rev->win_scale))))
&&  (flags&(TH_SYN|TH_FIN|TH_RST))==0 ) {
    if(!tcpd->ta) {
        tcp_analyze_get_acked_struct(pinfo->num, seq, ack, TRUE, tcpd);
    }
    tcpd->ta->flags|=TCP_A_WINDOW_FULL;
}

Regards, 7ACE

2024-03-29 13:16:47 +0000 commented answer tcpd->rev->is_first_ack

tcpd->fwd? tcpd->rev?

2024-03-29 12:25:11 +0000 commented answer tcpd->rev->is_first_ack

https://gitlab.com/wireshark/wireshark/-/issues/14690 TcpWindowFull.pcap,Is No.68(SYN/ACK) the “tcpd->rev->is_fir

2024-03-27 12:32:23 +0000 edited question tcpd->rev->is_first_ack

tcpd->rev->is_first_ack Hi experts, For the TCP Analysis, What is "tcpd->rev->is_first_ack"? In which scena

2024-03-27 12:29:23 +0000 asked a question tcpd->rev->is_first_ack

tcpd->rev->is_first_ack Hi experts, For the TCP Analysis, What is "tcpd->rev->is_first_ack"? In which sc

2024-03-27 12:21:23 +0000 received badge  Notable Question (source)
2024-03-27 12:21:21 +0000 received badge  Popular Question (source)
2023-10-11 08:24:35 +0000 received badge  Popular Question (source)
2023-09-29 14:42:40 +0000 received badge  Famous Question (source)
2023-09-29 14:41:56 +0000 received badge  Notable Question (source)
2023-09-29 14:41:44 +0000 received badge  Popular Question (source)
2023-07-06 14:29:15 +0000 received badge  Notable Question (source)
2023-07-06 14:29:15 +0000 received badge  Popular Question (source)
2023-03-06 05:20:44 +0000 answered a question how to Filter packets by time

frame.time >= "Mar 1, 2023 16:22:00" && frame.time <= "Mar 1, 2023 16:24:00"

2023-03-06 05:20:44 +0000 received badge  Rapid Responder (source)
2023-01-04 12:53:25 +0000 received badge  Notable Question (source)