From 01fe854fa00e780e2eb7f9b18a11a09ff0dc1c11 Mon Sep 17 00:00:00 2001 From: Gerald Combs Date: Fri, 26 May 2017 15:10:48 -0700 Subject: TCP Analysis: Update the spurious retransmission check. The spurious retransmission check operates on the last-seen acknowledgment in the reverse direction. Adjust the analysis logic so that it is checked independently of the forward sequence number. Update the documentation accordingly. Change-Id: I3714f44398501a581f967c61e119fe95f90209b1 Reviewed-on: https://code.wireshark.org/review/21769 Reviewed-by: Michael Mann Petri-Dish: Michael Mann Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman --- docbook/release-notes.asciidoc | 1 + docbook/wsug_src/WSUG_chapter_advanced.asciidoc | 9 +++++++-- 2 files changed, 8 insertions(+), 2 deletions(-) (limited to 'docbook') diff --git a/docbook/release-notes.asciidoc b/docbook/release-notes.asciidoc index 3886ecd235..f5e88a2b5c 100644 --- a/docbook/release-notes.asciidoc +++ b/docbook/release-notes.asciidoc @@ -29,6 +29,7 @@ used for troubleshooting, analysis, development and education. The following features are new (or have been significantly updated) since version 2.4.0: * Add color support for TShark with --color option (non-Windows only) +* TCP Analysis will detect and flag more spurious retransmissions. //=== Removed Dissectors diff --git a/docbook/wsug_src/WSUG_chapter_advanced.asciidoc b/docbook/wsug_src/WSUG_chapter_advanced.asciidoc index c6b26978e9..16de26049b 100644 --- a/docbook/wsug_src/WSUG_chapter_advanced.asciidoc +++ b/docbook/wsug_src/WSUG_chapter_advanced.asciidoc 
@@ -348,7 +348,7 @@ feature via the ``Analyze TCP sequence numbers'' TCP dissector preference. image::wsug_graphics/ws-tcp-analysis.png[{screenshot-attrs}] TCP Analysis flags are added to the TCP protocol tree under ``SEQ/ACK -analysis''. Each flag is described below. The terms ``next expected +analysis''. Each flag is described below. Terms such as ``next expected sequence number'' and ``next expected acknowledgement number'' refer to the following'': @@ -393,6 +393,7 @@ Set when all of the following are true: Set when all of the following are true: +- This is not a keepalive packet. - In the forward direction, the segment size is greater than zero or the SYN or FIN is set. - The next expected sequence number is greater than the current sequence number. - We have more than two duplicate ACKs in the reverse direction. @@ -433,6 +434,7 @@ Supersedes ``Dup ACK'' and ``ZeroWindowProbeAck''. Set when all of the following are true: +- This is not a keepalive packet. - In the forward direction, the segment length is greater than zero or the SYN or FIN is set. - The next expected sequence number is greater than the current sequence number. - The next expected sequence number and the next sequence number differ. @@ -459,7 +461,9 @@ Set when the current sequence number is greater than the next expected sequence Set when all of the following are true: - In the forward direction, the segment length is greater than zero or the SYN or FIN is set. -- The next expected sequence number is greater than the current sequence number. +- This is not a keepalive packet. +- The segment length is greater than zero. +- Data for this flow has been acknowledged. That is, the last-seen acknowledgement number has been set. - The next sequence number is less than or equal to the last-seen acknowledgement number. Supersedes ``Retransmission''. 
@@ -470,6 +474,7 @@ Supersedes ``Retransmission''. Set when all of the following are true: +- This is not a keepalive packet. - In the forward direction, the segment length is greater than zero or the SYN or FIN is set. - The next expected sequence number is greater than the current sequence number.
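Review bot: the release-notes hunk in docbook/release-notes.asciidoc (`+* TCP Analysis will detect and flag more spurious retransmissions.`) describes only the spurious retransmission change, but the WSUG hunks below also add `- This is not a keepalive packet.` to four separate flag definitions, which changes what those flags match as well. Consider a second bullet, or extending this one, so the release note covers the keepalive exclusion too.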
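Review bot: in the @@ -348 hunk the unchanged context line `sequence number'' and ``next expected acknowledgement number'' refer to the following'':` carries a stray closing `''` after "following" (the matching opening quote is on "next expected acknowledgement number", which is already closed). Since this paragraph is being edited anyway, drop the extra `''` so the AsciiDoc renders cleanly.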
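Review bot: the new bullet `+- This is not a keepalive packet.` in the @@ -393 hunk (and the identical bullets in the later hunks) introduces a term without pointing the reader at where keepalive detection is defined. A cross-reference to the keepalive flag description would let readers check which criteria cause a segment to be classified as a keepalive and therefore excluded here.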
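Review bot: in the @@ -459 hunk the added bullet `+- The segment length is greater than zero.` makes the retained bullet `- In the forward direction, the segment length is greater than zero or the SYN or FIN is set.` partly dead: once a non-zero segment length is required, the "or the SYN or FIN is set" alternative can never be the deciding condition, so the two bullets should be collapsed into one or the first one removed. Also, `+- Data for this flow has been acknowledged. That is, the last-seen acknowledgement number has been set.` leaves "has been set" ambiguous for readers, since an acknowledgement number of zero is a legal value after wraparound; stating that an ACK-bearing segment has been seen in the reverse direction would say what is meant.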