To "Analyze TCP sequence numbers" or not to analyze?

I've been troubleshooting something I've been seeing for a few months. A Wireshark capture I've been analyzing has some TCP out of order, Dup ACKs, and previous segment not captured. Application works fine but not sure why I get these errors. When I place the client and server on the same segment and right next to each other I still get the same errors. I was told to uncheck the Analyze TCP sequence numbers and then all the errors disappeared from the pcap file. They informed me that Wireshark has its own way of looking at the sequence numbers instead of using the raw sequence numbers from the pcap. If I look at every Wireshark capture file and have this option unchecked, will Wireshark disregard any errors it might potentially see? Does Wireshark have any issues analyzing a pcap with its own sequence numbers? Any input is greatly appreciated.

ejeangilles
asked 2020-02-15 23:37:16 +0000

2 Answers

The whole point of TCP's sequence mechanism is to ensure that the application receives a stream of data in the correct order, regardless of what has gone wrong in the transmission of the TCP segments.

As long as the receiving TCP stack can reassemble the segments within its constraints of buffer memory capacity and timeouts and retries, then the data will eventually be delivered to the application, which is none the wiser, apart from maybe thinking the data is a bit slow to come in, which may, in turn, affect the application performance.

Examining the traffic with Wireshark with the sequence analysis enabled shows the true picture though and may or may not need some network fault finding to reduce the issue to an acceptable level.

grahamb
answered 2020-02-16 14:10:27 +0000

"A Wireshark capture I've been analyzing has some TCP out of order, Dup ACKs, and previous segment not captured. Application works fine but not sure why I get these errors."

You get these errors because some packets arrive out of order and because there is packet loss. The application works ok because the out-of-order packets are re-ordered at the receiving system and then passed to the application in the correct order, and because the missing packets are retransmitted.

Wireshark doesn't have "its own sequence numbers," but by default it will display relative sequence numbers. If the sequence number of the first packet in the capture file from a host on a particular TCP stream is 'x', Wireshark will subtract 'x' from the sequence number of every packet from that host, so that it appears that the sequence numbers started at zero. The raw (absolute) sequence numbers are still there, and the latest version of Wireshark displays the raw sequence numbers even when relative sequence numbers are enabled. In any case, toggling the display between relative and raw sequence numbers will not change what messages Wireshark displays.

"I was told to uncheck the Analyze TCP sequence numbers and then all the errors disappeared from the pcap file."

Turning off "Analyze TCP sequence numbers" doesn't cause errors to go away; it only causes the error messages to go away. If a packet was out of order, it's still out of order. Wireshark is just no longer labeling it as out of order. So if you turn this off, you won't know about errors or problems during the communication unless you manually analyze all the sequence numbers yourself--a monumental task.

Jim Aragon
answered 2020-02-16 15:36:43 +0000

Comments

Thanks for that great info. It makes sense now that I think about it.

ejeangilles (2020-02-21 05:45:46 +0000)
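
The relative-versus-raw numbering and the labels discussed in the answers above, as an added example that is not part of the original thread and is not Wireshark's own algorithm. It is a simplified check for one direction of one stream; the function name `analyze`, the `SAMPLE` data and the label strings are assumptions made for this illustration.

```python
# Added illustration: a simplified per-direction TCP sequence check.
# This is NOT Wireshark's algorithm; names and sample values are constructed.

MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around

# Constructed sample: (raw_seq, payload_len) for data segments from one host,
# in capture order. The raw numbers start near the wrap point on purpose.
SAMPLE = [
    (4294967000, 100),  # first segment seen: defines 'x'
    (4294967100, 100),  # in order
    (4, 100),           # x+300 after wrap: bytes x+200..x+299 not seen yet
    (4294967200, 100),  # x+200 arrives late
    (104, 100),         # x+400, in order again
]

def analyze(segments):
    """Return (raw_seq, relative_seq, label) per segment for one direction.

    Assumes fewer than 2**32 bytes in the stream and ignores SYN/FIN flags.
    """
    if not segments:
        return []
    x = segments[0][0]   # first raw sequence number seen from this host
    expected = 0         # next relative sequence number we expect
    out = []
    for raw_seq, length in segments:
        rel = (raw_seq - x) % MOD          # relative = raw - x, modulo wrap
        if rel > expected:
            label = "previous segment not captured"
        elif rel < expected and length > 0:
            label = "out-of-order or retransmission"
        else:
            label = ""
        expected = max(expected, rel + length)
        out.append((raw_seq, rel, label))
    return out

if __name__ == "__main__":
    for raw_seq, rel, label in analyze(SAMPLE):
        print(f"raw={raw_seq:<10} rel={rel:<4} {label}")
```

The raw values are carried through unchanged next to the relative ones, and the labels are derived only from the order in which the numbers were seen.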