TCP Analysis: Update the spurious retransmission check.

The spurious retransmission check operates on the last-seen
acknowledgment in the reverse direction. Adjust the analysis logic so
that it is checked independently of the forward sequence number.

Update the documentation accordingly.

Change-Id: I3714f44398501a581f967c61e119fe95f90209b1
Reviewed-on: https://code.wireshark.org/review/21769
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>

2 files changed, 8 insertions, 2 deletions

diff --git a/docbook/release-notes.asciidoc b/docbook/release-notes.asciidoc
index 3886ecd235..f5e88a2b5c 100644
--- a/docbook/release-notes.asciidoc
+++ b/docbook/release-notes.asciidoc
@@ -29,6 +29,7 @@ used for troubleshooting, analysis, development and education.
 The following features are new (or have been significantly updated)
 since version 2.4.0:
  * Add color support for TShark with --color option (non-Windows only)
+* TCP Analysis will detect and flag more spurious retransmissions.
 
 //=== Removed Dissectors
 
diff --git a/docbook/wsug_src/WSUG_chapter_advanced.asciidoc b/docbook/wsug_src/WSUG_chapter_advanced.asciidoc
index c6b26978e9..16de26049b 100644
--- a/docbook/wsug_src/WSUG_chapter_advanced.asciidoc
+++ b/docbook/wsug_src/WSUG_chapter_advanced.asciidoc
@@ -348,7 +348,7 @@ feature via the ``Analyze TCP sequence numbers'' TCP dissector preference.
 image::wsug_graphics/ws-tcp-analysis.png[{screenshot-attrs}]
 
 TCP Analysis flags are added to the TCP protocol tree under ``SEQ/ACK
-analysis''. Each flag is described below. The terms ``next expected
+analysis''. Each flag is described below. Terms such as ``next expected
 sequence number'' and ``next expected acknowledgement number'' refer to
 the following'':
 
@@ -393,6 +393,7 @@ Set when all of the following are true:
 
 Set when all of the following are true:
 
+- This is not a keepalive packet.
 - In the forward direction, the segment size is greater than zero or the SYN or FIN is set.
 - The next expected sequence number is greater than the current sequence number.
 - We have more than two duplicate ACKs in the reverse direction.
@@ -433,6 +434,7 @@ Supersedes ``Dup ACK'' and ``ZeroWindowProbeAck''.
 
 Set when all of the following are true:
 
+- This is not a keepalive packet.
 - In the forward direction, the segment length is greater than zero or the SYN or FIN is set.
 - The next expected sequence number is greater than the current sequence number.
 - The next expected sequence number and the next sequence number differ.
@@ -459,7 +461,9 @@ Set when the current sequence number is greater than the next expected sequence
 Set when all of the following are true:
 
 - In the forward direction, the segment length is greater than zero or the SYN or FIN is set.
-- The next expected sequence number is greater than the current sequence number.
+- This is not a keepalive packet.
+- The segment length is greater than zero.
+- Data for this flow has been acknowledged. That is, the last-seen acknowledgement number has been set.
 - The next sequence number is less than or equal to the last-seen acknowledgement number.
 
 Supersedes ``Retransmission''.
@@ -470,6 +474,7 @@ Supersedes ``Retransmission''.
 
 Set when all of the following are true:
 
+- This is not a keepalive packet.
 - In the forward direction, the segment length is greater than zero or the SYN or FIN is set.
 - The next expected sequence number is greater than the current sequence number.