
Ethereal-users: RE: [Ethereal-users] Where is the TCP Sequence Number Analysis feature in 0.9.6

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Morgan, Chip E." <Chip.Morgan@xxxxxxxxxx>
Date: Thu, 22 Aug 2002 08:05:16 -0400
Thanks guys! It's particularly refreshing to get this kind of response this
quick. I'm not (yet) comfortable building Ethereal on NT, but I'll look at
it on Solaris today!

-----Original Message-----
From: Ronnie Sahlberg [mailto:sahlberg@xxxxxxxxxxxxxxxx]
Sent: Wednesday, August 21, 2002 8:42 PM
To: Morgan, Chip E.; 'Joerg Mayer'
Cc: ethereal-users@xxxxxxxxxxxx
Subject: Re: [Ethereal-users] Where is the TCP Sequence Number Analysis
feature in 0.9.6?


From: "Morgan, Chip E."
Sent: Thursday, August 22, 2002 6:11 AM
Subject: RE: [Ethereal-users] Where is the TCP Sequence Number Analysis
feature in 0.9.6?


> Jörg,
>    Cool...
>
>    It worked on a 4600 packet capture that I've been looking at. However,
> I'm fumbling around trying to isolate the "analysis flagged" packets.
> There's no handy way (that I know of) to search the contents of the Info
> field from the GUI, and I didn't see any tcp seq# analysis specific filter
> primitives. I chose to run Tethereal on the capture file and grep the
> output, which did work, but is less than optimal.

I just checked in a patch to CVS for TCP that adds a new filtered subtree,
search for "tcp.analysis.flags" and you will get all segments which have at
least one of the bits set.

To search for individual bits you can still use
"tcp.analysis.retransmission"
"tcp.analysis.lost_segment"
"tcp.analysis.ack_lost_segment"

and (which is not really an error condition)
"tcp.analysis.keep_alive"

Two other fields exist as well
"tcp.analysis.acks_frame" which is not too useful
"tcp.analysis.ack_rtt" which is useful


Perhaps the two lost_segment and ack_lost_segment should be collapsed into a
single lost_segment flag.  They indicate the same thing but just two different
ways the condition was detected.
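To make the fields discussed in this thread concrete, here is a small, added Python model of how a dissector can derive them from a single TCP flow. It is not Ethereal/Wireshark code and does not reproduce the real tcp dissector's heuristics; it assumes one bidirectional flow, treats each direction's expected next sequence number as the only state, and uses constructed sample segments. It produces the thread's field names ("tcp.analysis.retransmission", "tcp.analysis.lost_segment", "tcp.analysis.ack_lost_segment", "tcp.analysis.keep_alive", "tcp.analysis.acks_frame", "tcp.analysis.ack_rtt") and treats "tcp.analysis.flags" as "any of the error-ish bits set", which is how the message describes the new subtree.

```python
"""Simplified TCP sequence-number analysis for one flow (added illustration, not
the Ethereal/Wireshark dissector). Segment records are constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Segment:
    time: float        # capture timestamp in seconds
    direction: str     # "a2b" or "b2a"
    seq: int           # sequence number of first payload byte
    ack: int           # acknowledgement number
    length: int        # payload bytes


@dataclass
class DirState:
    next_seq: Optional[int] = None   # expected seq of the next new byte
    max_end: int = 0                 # highest seq+len seen so far
    # end seq -> (time sent, frame index); used to compute ack_rtt / acks_frame
    unacked: Dict[int, Tuple[float, int]] = field(default_factory=dict)


def opposite(direction: str) -> str:
    return "b2a" if direction == "a2b" else "a2b"


def analyze(segments: List[Segment]) -> List[dict]:
    """Return one dict per segment: {'flags': set, 'ack_rtt': float|None, 'acks_frame': int|None}."""
    states = {"a2b": DirState(), "b2a": DirState()}
    results = []
    for idx, s in enumerate(segments):
        st, rev = states[s.direction], states[opposite(s.direction)]
        flags: Set[str] = set()
        ack_rtt, acks_frame = None, None
        end = s.seq + s.length

        if st.next_seq is None:                       # first segment in this direction
            st.next_seq, st.max_end = end, end
        elif s.length <= 1 and s.seq == st.next_seq - 1:
            flags.add("tcp.analysis.keep_alive")      # probe one byte below next_seq
        elif s.length > 0 and end <= st.max_end:
            flags.add("tcp.analysis.retransmission")  # data we have already seen
        elif s.seq > st.next_seq:
            flags.add("tcp.analysis.lost_segment")    # gap before this segment
            st.next_seq, st.max_end = end, max(st.max_end, end)
        else:
            st.next_seq, st.max_end = max(st.next_seq, end), max(st.max_end, end)

        if s.length > 0 and "tcp.analysis.keep_alive" not in flags:
            st.unacked.setdefault(end, (s.time, idx))

        # ACK processing is judged against the reverse direction's state.
        if rev.next_seq is not None:
            if s.ack > rev.max_end:
                flags.add("tcp.analysis.ack_lost_segment")   # ACKs data we never saw
            acked = [e for e in rev.unacked if e <= s.ack]
            if acked:
                sent_time, acks_frame = rev.unacked[max(acked)]
                ack_rtt = s.time - sent_time
                for e in acked:
                    del rev.unacked[e]

        results.append({"flags": flags, "ack_rtt": ack_rtt, "acks_frame": acks_frame})
    return results


def matching(results: List[dict], display_filter: str) -> List[int]:
    """Indices of segments a display filter like 'tcp.analysis.flags' would select."""
    if display_filter == "tcp.analysis.flags":
        return [i for i, r in enumerate(results) if r["flags"]]
    return [i for i, r in enumerate(results) if display_filter in r["flags"]]


def sample_segments() -> List[Segment]:
    # Constructed flow: normal data, a gap, a retransmission, a stray ACK, a keep-alive.
    return [
        Segment(0.00, "a2b", seq=1,   ack=1,   length=100),
        Segment(0.05, "b2a", seq=1,   ack=101, length=0),
        Segment(0.10, "a2b", seq=101, ack=1,   length=100),
        Segment(0.20, "a2b", seq=301, ack=1,   length=100),  # bytes 201-300 missing
        Segment(0.50, "a2b", seq=101, ack=1,   length=100),  # retransmit of frame 2
        Segment(0.55, "b2a", seq=1,   ack=401, length=0),
        Segment(0.60, "b2a", seq=1,   ack=501, length=0),    # ACKs unseen data
        Segment(60.0, "a2b", seq=400, ack=1,   length=0),    # keep-alive probe
    ]


if __name__ == "__main__":
    for i, r in enumerate(analyze(sample_segments())):
        print(i, sorted(r["flags"]), r["ack_rtt"], r["acks_frame"])
```

The ordering of the checks matters: a keep-alive probe also looks like a one-byte retransmission, so it is tested first, and an acknowledgement past the highest byte seen in the other direction is exactly the situation the thread labels ack_lost_segment, which is why the two lost-segment flags describe the same packet loss seen from different sides.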