
TCP Analysis questions

Hi experts,

For the TCP Analysis, I have the following questions:

https://www.wireshark.org/docs/wsug_h...

Next expected sequence number

The last-seen sequence number plus segment length. Set when there are no analysis flags and for zero window probes. This is initially zero and calculated based on the previous packet in the same TCP flow. Note that this may not be the same as the tcp.nxtseq protocol field.

1. What's the difference between "Next expected sequence number" and "Next sequence number"?

Next sequence number: tcp.nxtseq = tcp.seq + tcp.len

Next expected sequence number: ?

2. What's the meaning of "Set when there are no analysis flags and for zero window probes."?

3. What's the meaning of "Note that this may not be the same as the tcp.nxtseq protocol field."? In what situation would this happen?

Next expected acknowledgement number

The last-seen sequence number for segments. Set when there are no analysis flags and for zero window probes.

4. Next expected acknowledgement number: tcp.ack?

Last-seen acknowledgment number

Always set. Note that this is not the same as the next expected acknowledgment number.

Last-seen acknowledgment number

Always updated for each packet. Note that this is not the same as the next expected acknowledgment number.

5. What's the difference between the two?

Regards, 7ACE

7ACE
asked 2022-02-24 09:02:17 +0000, updated 2022-02-27 01:47:31 +0000

Comments

Can anyone help me to take a look at those questions? Thanks & Best Regards.

7ACE (2022-02-27 01:53:38 +0000)

1 Answer


The text for that section of the manual comes from the comments in packet-tcp.c.

Working through an example might help to explain where the text comes from:

TCP Window Update

Set when all of the following are true:

The segment size is zero.

The window size is non-zero and not equal to the last-seen window size.

The sequence number is equal to the next expected sequence number.

The acknowledgement number is equal to the last-seen acknowledgement number.

None of SYN, FIN, or RST are set.

    /* WINDOW UPDATE
     * A window update is a 0 byte segment with the same SEQ/ACK numbers as
     * the previous seen segment and with a new window value
     */
    if( seglen==0
    &&  window
    &&  window!=tcpd->fwd->window
    &&  seq==tcpd->fwd->tcp_analyze_seq_info->nextseq
    &&  ack==tcpd->fwd->tcp_analyze_seq_info->lastack
    &&  (flags&(TH_SYN|TH_FIN|TH_RST))==0 ) {
        if(!tcpd->ta) {
            tcp_analyze_get_acked_struct(pinfo->num, seq, ack, TRUE, tcpd);
        }
        tcpd->ta->flags|=TCP_A_WINDOW_UPDATE;
    }

How tcpd->fwd->tcp_analyze_seq_info->nextseq gets set is based on state of the TCP stream.
(It might get set in other spots since there are a lot of pointers and structures in the code)

    tcpd->fwd->tcp_analyze_seq_info->nextseq=nextseq;
    tcpd->fwd->tcp_analyze_seq_info->nextseq = tcpd->fwd->tcp_analyze_seq_info->maxseqtobeacked;
Chuckc
answered 2022-03-08 17:09:15 +0000, updated 2022-03-08 17:09:55 +0000

Comments

Thank you so much for the clear explanation!

7ACE (2022-03-14 00:32:52 +0000)
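To make the distinction in the answer concrete, here is an added example (my own model, not code from packet-tcp.c) that tracks a per-direction analysis state the way the quoted window-update rule describes, and shows how the per-packet tcp.nxtseq field can differ from the flow's next expected sequence number once a segment carries an analysis flag. The first-packet handling and the retransmission rule are simplifying assumptions, not Wireshark's exact heuristics.

```python
# Added example (not packet-tcp.c): a minimal model of the per-direction analysis state
# behind "next expected sequence number". First-packet handling and the retransmission
# rule are simplifications (assumptions), not Wireshark's exact heuristics.
from dataclasses import dataclass

TH_FIN, TH_SYN, TH_RST = 0x01, 0x02, 0x04   # TCP header flag bits

@dataclass
class Segment:             # one forward-direction packet (constructed input)
    seq: int
    ack: int
    length: int            # payload bytes
    window: int
    flags: int = 0

@dataclass
class FlowState:           # per-direction state, like tcpd->fwd->tcp_analyze_seq_info
    nextseq: int = 0       # next expected sequence number; initially zero
    lastack: int = 0       # last-seen acknowledgement number; always updated
    window: int = 0        # last-seen window size

def analyze(seg, fwd):
    """Return (tcp.nxtseq for this packet, analysis flags) and update fwd."""
    nxtseq = seg.seq + seg.length            # protocol field: computed from this packet alone
    flags = set()
    if (seg.length == 0 and seg.window and seg.window != fwd.window
            and seg.seq == fwd.nextseq and seg.ack == fwd.lastack
            and not seg.flags & (TH_SYN | TH_FIN | TH_RST)):
        flags.add("WINDOW_UPDATE")
    elif seg.length > 0 and fwd.nextseq and seg.seq < fwd.nextseq:
        flags.add("RETRANSMISSION")          # simplified: data that falls below nextseq
    if not flags:                            # "set when there are no analysis flags"
        fwd.nextseq = nxtseq
    fwd.lastack = seg.ack                    # last-seen ack is updated for every packet
    fwd.window = seg.window
    return nxtseq, flags

def run(segments):
    """Analyse one direction of a stream; return [(tcp.nxtseq, next expected seq, flags)]."""
    fwd, out = FlowState(), []
    for seg in segments:
        nxtseq, flags = analyze(seg, fwd)
        out.append((nxtseq, fwd.nextseq, sorted(flags)))
    return out
# Constructed stream: two data segments, a retransmission, then a pure window update.
STREAM = [
    Segment(seq=1000, ack=500, length=100, window=8192),
    Segment(seq=1100, ack=500, length=100, window=8192),
    Segment(seq=1000, ack=500, length=100, window=8192),   # old data sent again
    Segment(seq=1200, ack=500, length=0, window=16384),    # same seq/ack, bigger window
]
```

Running `run(STREAM)` shows the third packet with tcp.nxtseq 1100 while the flow's next expected sequence number stays at 1200, which is the situation the third question asks about; the fourth packet is flagged as a window update because its seq matches nextseq and its ack matches lastack.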
