Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.
Wireshark logo

Wireshark-dev: Re: [Wireshark-dev] TCP: what is an out-of-order segment

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Jeff Morriss <jeff.morriss@xxxxxxxxxxx>
Date: Thu, 10 May 2007 15:01:27 +0800
I just sent you the capture file privately (I was on vacation for a while there...).
But what you're saying still doesn't help me understand what is an out of order packet. To my (simple) mind anything that is either a retransmission or where a previous segment was not seen (hole in the sequence) can be considered out of order.
Bug 1453 ("Out Of Order TCP-Segments are recognized as Previous Segment lost") shows confusion about what should be out of order: 


a.) when an out of order frame (f2) arrives it is erroneously recognized as
"previous segment lost",
Anyway, I don't care too much since I don't work that closely with TCP regularly. 

ronnie sahlberg wrote:

this is a tricky area


for your particular example maybe the heuristics could be changed to
detect that eventhough the left edge of the segment went backward and
thus could potentially be either a retransmission/fastretransmission
or outoforder segment  that since it also had a right edge that
covered the entire previous segment that in that case it must be a
retransmission and not a simple outoforder segment.


if you can send me a capture with it ill try to implement this kind of
heuristics
and also make sure it doesnt break any of my other examples of
"tricky" packet sequences.


since we have so much less information available to us compared to the
tcp endpoints themself   this is a very tricky area.



On 4/27/07, Jeff Morriss <jeff.morriss@xxxxxxxxxxx> wrote:

Hi list,

The other day I was looking at a TCP sequence that went like:

time: sequence:
0 1-10
2 11-20
2.1 1-20

The last frame was a retransmission of the first frame but the TCP
implementation in question (XP) decided to stick the data from the 2nd
frame in there, too.

Wireshark called the 3rd frame an out of order packet which confused me
a bit.  The test for an out of order packet is the same as that for a
retransmission plus an additional test to see if that frame arrived
within 3ms of of the highest sequence number (with a note that 3ms is
arbitrary).

This seems an odd definition of "out of order" but I haven't really
figured out how to define it.  What makes the most sense to me so far is
"if it looks like a retransmission but we've already seen an ack for it"
though that doesn't seem quite right either (just because we saw the ack
doesn't mean the intended recipient did).

Any ideas?

-J
_______________________________________________
Wireshark-dev mailing list
Wireshark-dev@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-dev


_______________________________________________
Wireshark-dev mailing list
Wireshark-dev@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-dev
Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube