THIS IS A TEST INSTANCE. Feel free to ask and answer questions, but take care to avoid triggering too many notifications.
Ask Your Question
0

iRTT Field Missing in Capture

  • retag add tags

We have two Ethernet boards, one board perfectly accomplishes an FTP file transfer, the second does not and it eventually times out early on, mishandling the SYN SYN:ACK phase. We analyzed the two Wireshark captures and noticed that the good capture has the iRTT time stamp field included while the bad one does not. What is the significance of not seeing that iRTT in the bad capture? Is that indicative to why it fails the xfer? Would really appreciate a reply.. Thanks

I would like to attach the screen shot of the two captures but don't see Attach option here..

Don's avatar
1
Don
asked 2019-09-26 18:53:42 +0000, updated 2019-09-26 19:00:51 +0000
edit flag offensive 0 remove flag close merge delete

Comments

Put the captures on a public file share site and post the link in the question. That's how you can solve that.

Jaap's avatar Jaap (2019-09-26 18:59:44 +0000) edit
more
  • delete
add a comment see more comments

1 Answer

0

mishandling the SYN SYN:ACK phase.

If by "mishandling" you mean that there is no full 3-way handshake, then it is logical that there is no iRTT being shown, as Wireshark calculates the iRTT based on the timings in the 3-way handshake. If this is the case, the problem is in the faulty 3-way handshake and the missing iRTT is just a symptom.

SYN-bit's avatar
18.5k
SYN-bit
answered 2019-09-26 20:36:15 +0000
edit flag offensive 0 remove flag delete link
more

Comments

Hi, So it requires the SYN --> SYN:ACK --> ACK events to occur. We had assumed only the SYN --> SYN:ACK is required for the iRTT. Thanks for your reply and clarifying Don

Don's avatar Don (2019-09-26 22:09:34 +0000) edit
more
  • delete

Yes, Wireshark does need the final ack for the calculation, because it does not know if the capture was made near the client, near the server or somewhere in between. So the best approximation of the iRTT is the time difference between the SYN packet and the final ACK packet (regardless of where on the path the capture was made).

If this answered your question, could you click on the checkmark so it is marked as "answered"?

SYN-bit's avatar SYN-bit (2019-09-27 07:43:52 +0000) edit
more
  • delete
add a comment see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account. This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.

Add Answer