
Ethereal-users: Re: [Ethereal-users] Where is the TCP Sequence Number Analysis feature in 0.9.6?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Ronnie Sahlberg" <sahlberg@xxxxxxxxxxxxxxxx>
Date: Thu, 22 Aug 2002 10:41:51 +1000
From: "Morgan, Chip E."
Sent: Thursday, August 22, 2002 6:11 AM
Subject: RE: [Ethereal-users] Where is the TCP Sequence Number Analysis feature in 0.9.6?


> Jörg,
>    Cool...
>
>    It worked on a 4600 packet capture that I've been looking at. However,
> I'm fumbling around trying to isolate the "analysis flagged" packets.
> There's no handy way (that I know of) to search the contents of the Info
> field from the GUI, and I didn't see any tcp seq# analysis specific filter
> primitives. I chose to run Tethereal on the capture file and grep the
> output, which did work, but is less than optimal.

I just checked in a patch to CVS for TCP that adds a new filtered subtree,
search for "tcp.analysis.flags" and you will get all segments which have at
least one of the bits set.

To search for individual bits you can still use
"tcp.analysis.retransmission"
"tcp.analysis.lost_segment"
"tcp.analysis.ack_lost_segment"

and (which is not really an error condition)
"tcp.analysis.keep_alive"

Two other fields exist as well
"tcp.analysis.acks_frame" which is not too useful
"tcp.analysis.ack_rtt" which is useful


Perhaps the two lost_segment and ack_lost_segment should be collapsed into a
single lost_segment flag. They indicate the same thing but just two different
ways the condition was detected.
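To make the distinction in the message above concrete, here is an added illustration (not Ethereal's TCP dissector code) of a simplified sequence-number analyser run over a constructed single-connection trace. It sets the same four flag names the thread lists, and shows how lost_segment (a gap seen on the sender's side) and ack_lost_segment (a gap inferred from the peer's ACK) detect the same missing data two different ways; the endpoint labels, the SEGMENTS data and the function names are assumptions for this example.

```python
from collections import defaultdict

# Constructed trace: (sender, seq, ack, payload_len) with relative sequence
# numbers for one bidirectional TCP connection between endpoints "A" and "B".
SEGMENTS = [
    ("A", 1, 1, 100),     # A sends bytes 1-100
    ("B", 1, 101, 50),    # B acks 101 and sends bytes 1-50
    ("A", 201, 51, 100),  # A jumps to 201: bytes 101-200 never seen on the wire
    ("A", 1, 51, 100),    # A resends bytes 1-100
    ("B", 51, 500, 50),   # B acks 500 although we only ever saw A reach 301
    ("A", 300, 101, 1),   # one byte at next_seq - 1: a keep-alive probe
]

def analyse(segments):
    """Return one set of tcp.analysis-style flag names per segment."""
    next_seq = {}   # sender -> next sequence number we expect from it
    max_end = {}    # sender -> highest seq+len seen, i.e. what its peer may ack
    out = []
    for sender, seq, ack, length in segments:
        flags = set()
        peer = "B" if sender == "A" else "A"
        exp = next_seq.get(sender)
        if exp is not None:
            if length <= 1 and seq == exp - 1:
                flags.add("keep_alive")        # probe, not an error condition
            elif seq > exp:
                flags.add("lost_segment")      # gap noticed from the sender's data
            elif seq < exp and length > 0:
                flags.add("retransmission")    # bytes we have already seen
        if peer in max_end and ack > max_end[peer]:
            flags.add("ack_lost_segment")      # gap noticed from the peer's ACK
        end = seq + length
        if exp is None or end > exp:
            next_seq[sender] = end
        max_end[sender] = max(max_end.get(sender, 0), end)
        out.append(flags)
    return out

def flagged(segments):
    """Indices a 'tcp.analysis.flags' style filter would match: any bit set."""
    return [i for i, f in enumerate(analyse(segments)) if f]

if __name__ == "__main__":
    for i, f in enumerate(analyse(SEGMENTS)):
        print(i, SEGMENTS[i], sorted(f))
```

Segments 2 and 4 both stem from the same missing bytes 101-200; the first is caught when A's data skips ahead, the second when B's ACK passes beyond anything captured.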