Wireshark-dev: Re: [Wireshark-dev] packet-tcp.c (expert severity level of zero window)

From: Sake Blok <sake@xxxxxxxxxx>
Date: Sun, 6 Apr 2008 21:13:39 +0200
On Sun, Apr 06, 2008 at 07:51:20PM +0200, Ulf Lamping wrote:
> Michael Tüxen wrote:
> > Hi Sake,
> >
> > I agree with Ulf here. Announcing a zero window is a valid
> > behaviour of a receiver. It just means that flow control
> > has kicked in.
>   
> I've already changed the TCP expert infos as I've suggested in my 
> previous mail. Now let the edit wars begin ... ;-)

I have no intention to create a war... now that we have met in person ;-)

Regarding the level of warning, that might be ok. Although "warning"
sounds a little too mild for a full tcp window. That's why I used "error".
If "error" is reserved for WS internal stuff, then I used it wrongly.


> > For me an error is something that has to be changed. For
> > the this is not true in this situation.
> >
> > However, I think it is important to use these levels
> > in a consistent way between different dissectors, so
> > I would like to know what others think how an error
> > should be defined. I'm planning to add expert info to
> > the SCTP dissector
>
> I would see errors only for very serious stuff (more WS internal), like 
> a malformed packet, dissector bug or something like that.

Might it not be better to have a "WS internal" expert infos "group"
for these messages?

> I just wanted to keep the number of severity levels short, so they are 
> easier to apply for developers and understand for users. If there's need 
> for an error level beside the warn/note/chat for a normal dissector 
> output, it might be an idea to add a fatal (or internal) error for the 
> stuff above and use error for normal dissectors as well. However, I'm 
> not a friend of this as it will complicate things.

If we can define a reasonably clear description on the levels, it should
be fine to keep the current 3 levels for dissectors and the error
for internal stuff. However, it might turn out that we could use one
or more extra severities to keep things logical.

 
> When I started to add expert infos to the TCP dissector (I wouldn't call 
> myself a TCP expert), I've just used the level I thought was right. As 
> I've tried out many capture files, my first guess turned out to be wrong 
> in many cases, so I've just tweaked the levels so it looked better. I'm 
> still not sure about the levels for all of the messages, e.g. what's the 
> right severity for a "fast retransmission"?
> 
> I see all this still as a work in progress, especially when new 
> dissectors will add expert stuff this might bring up new questions ...

Let's see whether all the messages can be categorized by severity in a 
consistent manner :-)


Regarding the enhancement request for a configurable severity framework.
I'm not in favor of it. If the severities are well chosen and consistently
categorized, it will only spread doubt about what a message really means.
It is the knowledge of the environment that makes the interpretation.


Cheers,
    Sake