7.5. TCP Analysis

By default, Wireshark’s TCP dissector tracks the state of each TCP session and provides additional information when problems or potential problems are detected. Analysis is done once for each TCP packet when a capture file is first opened. Packets are processed in the order in which they appear in the packet list. You can enable or disable this feature via the “Analyze TCP sequence numbers” TCP dissector preference.

Figure 7.5. “TCP Analysis” packet detail items

wsug_graphics/ws-tcp-analysis.png

TCP Analysis flags are added to the TCP protocol tree under “SEQ/ACK analysis”. Each flag is described below. Terms such as “next expected sequence number” and “next expected acknowledgement number” refer to the following'':

Next expected sequence number
The last-seen sequence number plus segment length. Set when there are no analysis flags and and for zero window probes. This is initially zero and calculated based on the previous packet in the same TCP flow. Note that this may not be the same as the tcp.nxtseq protocol field.
Next expected acknowledgement number
The last-seen sequence number for segments. Set when there are no analysis flags and for zero window probes.
Last-seen acknowledgment number
Always set. Note that this is not the same as the next expected acknowledgment number.
Last-seen acknowledgment number
Always updated for each packet. Note that this is not the same as the next expected acknowledgment number.

TCP ACKed unseen segment

Set when the expected next acknowledgement number is set for the reverse direction and it’s less than the current acknowledgement number.

TCP Dup ACK <frame>#<acknowledgement number>

Set when all of the following are true:

TCP Fast Retransmission

Set when all of the following are true:

Supersedes “Out-Of-Order”, “Spurious Retransmission”, and “Retransmission”.

TCP Keep-Alive

Set when the segment size is zero or one, the current sequence number is one byte less than the next expected sequence number, and any of SYN, FIN, or RST are set.

Supersedes “Fast Retransmission”, “Out-Of-Order”, “Spurious Retransmission”, and “Retransmission”.

TCP Keep-Alive ACK

Set when all of the following are true:

Supersedes “Dup ACK” and “ZeroWindowProbeAck”.

TCP Out-Of-Order

Set when all of the following are true:

Supersedes “Spurious Retransmission” and “Retransmission”.

TCP Port numbers reused

Set when the SYN flag is set (not SYN+ACK), we have an existing conversation using the same addresses and ports, and the sequencue number is different than the existing conversation’s initial sequence number.

TCP Previous segment not captured

Set when the current sequence number is greater than the next expected sequence number.

TCP Spurious Retransmission

Checks for a retransmission based on analysis data in the reverse direction. Set when all of the following are true:

Supersedes “Retransmission”.

TCP Retransmission

Set when all of the following are true:

TCP Window Full

Set when the segment size is non-zero, we know the window size in the reverse direction, and our segment size exceeds the window size in the reverse direction.

TCP Window Update

Set when the all of the following are true:

TCP ZeroWindow

Set when the window size is zero and non of SYN, FIN, or RST are set.

TCP ZeroWindowProbe

Set when the sequence number is equal to the next expected sequence number, the segment size is one, and last-seen window size in the reverse direction was zero.

TCP ZeroWindowProbeAck

Set when the all of the following are true:

Supersedes “TCP Dup ACK”.