
Wireshark-users: [Wireshark-users] Problem with "bytes in flight"

From: "Stefaan Pouseele" <stefaan.pouseele@xxxxxxxxx>
Date: Sat, 19 Jun 2010 12:30:38 +0200
Hi, 

when examining the field "tcp.analysis.bytes_in_flight" in Wireshark Version
1.2.9 (SVN Rev 33171) it seems Wireshark doesn't always calculate the
correct value. As an example the following two consecutive frames: 

Frame 91 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: NokiaInt_a5:60:b0 (00:a0:8e:a5:60:b0), Dst: Cisco_bd:9b:8a
(00:25:45:bd:9b:8a)
Internet Protocol, Src: 193.75.143.194 (193.75.143.194), Dst: 85.91.172.251
(85.91.172.251)
Transmission Control Protocol, Src Port: 22862 (22862), Dst Port: exapt-lmgr
(3759), Seq: 1, Ack: 18981, Len: 0
    Source port: 22862 (22862)
    Destination port: exapt-lmgr (3759)
    [Stream index: 3]
    Sequence number: 1    (relative sequence number)
    Acknowledgement number: 18981    (relative ack number)
    Header length: 20 bytes
    Flags: 0x10 (ACK)
    Window size: 64240
    Checksum: 0x2ac9 [validation disabled]

Frame 92 (1514 bytes on wire, 1514 bytes captured)
Ethernet II, Src: Cisco_bd:9b:8a (00:25:45:bd:9b:8a), Dst: NokiaInt_a5:60:b0
(00:a0:8e:a5:60:b0)
Internet Protocol, Src: 85.91.172.251 (85.91.172.251), Dst: 193.75.143.194
(193.75.143.194)
Transmission Control Protocol, Src Port: exapt-lmgr (3759), Dst Port: 22862
(22862), Seq: 21901, Ack: 1, Len: 1460
    Source port: exapt-lmgr (3759)
    Destination port: 22862 (22862)
    [Stream index: 3]
    Sequence number: 21901    (relative sequence number)
    [Next sequence number: 23361    (relative sequence number)]
    Acknowledgement number: 1    (relative ack number)
    Header length: 20 bytes
    Flags: 0x10 (ACK)
    Window size: 64240
    Checksum: 0x2a1e [validation disabled]
    [SEQ/ACK analysis]
        [This is an ACK to the segment in frame: 91]
        [The RTT to ACK the segment was: 0.000121000 seconds]
        [Number of bytes in flight: 7300]
Data (1460 bytes)

To my knowledge the correct value for "Number of bytes in flight" should be
23361 - 18981 = 4380 in this case. That is "Next sequence number" from Frame
92 minus "Acknowledgement number" from frame 91. 

Is this a known issue or am I missing something? 

Best Regards, 
Stefaan
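
The calculation described in the message above (the data segment's next sequence number minus the latest acknowledgement number seen from the reverse direction), as an added example that is not part of the original post and is not Wireshark's code. The `Segment` record, the function names and the `HOST_A`/`HOST_B` labels are hypothetical; it assumes every segment has the ACK flag set and that no segments are missing from the capture.

```python
from dataclasses import dataclass

MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


@dataclass
class Segment:          # hypothetical record, one per captured TCP segment
    frame: int
    src: str            # sender "ip:port"
    dst: str            # receiver "ip:port"
    seq: int
    ack: int
    length: int         # TCP payload bytes


def seq_gt(a: int, b: int) -> bool:
    """True if a is later than b in modulo-2^32 sequence space."""
    return a != b and (a - b) % MOD < (1 << 31)


def bytes_in_flight(segments):
    """Map frame number -> unacknowledged bytes, for each data segment."""
    max_next = {}   # (src, dst) -> highest next sequence number sent
    last_ack = {}   # (src, dst) -> highest ACK the peer returned for that data
    result = {}
    for s in segments:
        fwd, rev = (s.src, s.dst), (s.dst, s.src)
        # The ACK field acknowledges data flowing in the reverse direction.
        if rev not in last_ack or seq_gt(s.ack, last_ack[rev]):
            last_ack[rev] = s.ack
        if s.length == 0:
            continue    # pure ACK: nothing new in flight
        nxt = (s.seq + s.length) % MOD
        # A retransmission must not lower the high-water mark.
        if fwd not in max_next or seq_gt(nxt, max_next[fwd]):
            max_next[fwd] = nxt
        if fwd in last_ack:
            result[s.frame] = (max_next[fwd] - last_ack[fwd]) % MOD
    return result


# Frames 91 and 92 from the post (relative sequence numbers).
HOST_A, HOST_B = "193.75.143.194:22862", "85.91.172.251:3759"
POST_FRAMES = [
    Segment(91, HOST_A, HOST_B, seq=1, ack=18981, length=0),
    Segment(92, HOST_B, HOST_A, seq=21901, ack=1, length=1460),
]

if __name__ == "__main__":
    print(bytes_in_flight(POST_FRAMES))
```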