Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-users: Re: [Wireshark-users] TCP Analysis Flags do NOT show DuplicateACK's & Retransmis

From: "Feeny, Michael \(GWM-CAI\)" <michael_feeny@xxxxxx>
Date: Wed, 25 Jun 2008 14:59:49 -0400
Sake,

Thx for the QUICK response - this is an awesome forum!

The answer to one of your questions is:  *this instance of wireshark on
this particular system*

E.g., If I'm looking at the file where dupe ack's/retransmissions are
NOT reported, and then, within the same instance of Wireshark, I do an
Open of the other file, I now *do* see dupe ack's & retransmissions
being reported in that second file.

Regarding "tcp analysis" being turned off...  If I go to
Edit/Preferences/Protocols/TCP, the following options are CHECKED:

- Show TCP summary in protocol tree
- Validate the TCP checksum if possible
- Allow subdissector to reassemble TCP streams
- Analyze TCP sequence numbers

The rest of the options are UNCHECKED.  Is there anything else I should
check?

I now know not to send screenshots :-)

If a small trace file is desired, would I simply add it as an attachment
to my email msg?

Thx again for the help!

Michael


Michael Feeny
Global Wealth Management Technology
Network and Security Integration
Office: 609-274-2761
Mobile:  484-995-1745
AOL IM: feenyman99
Pager:  888-merril0


-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Sake Blok
Sent: Wednesday, June 25, 2008 2:03 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] TCP Analysis Flags do NOT show
DuplicateACK's & Retransmissions

On Wed, Jun 25, 2008 at 12:57:53PM -0400, Feeny, Michael (GWM-CAI)
wrote:
>  
> What is puzzling me is that Wireshark is NOT reporting the Dupe ACK's
or
> Retransmissions.  *I* am able to see them (28 packets in a row from
one
> side, with no data, and with identical sequence & ack numbers;  then,
a
> packet from the other side with the sequence number matching the 28
> ACK's, which packet had been sent previously by this server).  Not
only
> do these diagnoses not appear in the "Info" column of the Packet List,
> but, if I enter a Display Filter of "tcp.analysis.flags", not a single
> packet is displayed.

That sound like tcp analysis is turned off, could you have a look at
your TCP protocol preferences?

> This same version of Wireshark *is* displaying dupe ACK's and
> retransmissions, etc., for a *different* trace file, so it appears
that
> Wireshark's non-reporting of these conditions is related to this
> particular trace file.

The same *version* or *this instance of wireshark on this particular
system*?

> I've included a Wireshark screenshot, in case it's helpful.  I can
strip
> down the PCAP to a small file, and send it, if that is also desired.

Please don't send screenshots to the list, they are big and provide much
less information that a small pcap file.

Cheers,
    Sake
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-users
--------------------------------------------------------

This message w/attachments (message) may be privileged, confidential or proprietary, and if you are not an intended recipient, please notify the sender, do not use or share it and delete it. Unless specifically indicated, this message is not an offer to sell or a solicitation of any investment products or other financial product or service, an official confirmation of any transaction, or an official statement of Merrill Lynch. Subject to applicable law, Merrill Lynch may monitor, review and retain e-communications (EC) traveling through its networks/systems. The laws of the country of each sender/recipient may impact the handling of EC, and EC may be archived, supervised and produced in countries other than the country in which you are located. This message cannot be guaranteed to be secure or error-free. This message is subject to terms available at the following link: http://www.ml.com/e-communications_terms/. By messaging with Merrill Lynch you consent to the foregoing.
--------------------------------------------------------