
release 3.6.8 missing SEQ/ACK analysis

I must be missing something. Since I upgraded from 3.4.6 to 3.6.8, I no longer see the SEQ/ACK analysis section under TCP. I checked by loading the same capture in both versions. I have also unchecked - Do not call subdissectors for error packets - in both versions. In 3.4.6 I can use the filter tcp.analysis.duplicate_ack and I find 34127 dup acks. I have looked at the actual dup packets to validate these are real dups, and they are. When I load the same capture in 3.6.8, the same filter finds 0 packets and the SEQ/ACK analysis section is missing. Help!

JohnH
asked 2022-09-12 19:50:19 +0000

Comments

Is it possible that Analyze Sequence Numbers is not enabled/checked in your preferences for TCP?

Chuckc (2022-09-12 21:45:56 +0000)

Analyze Sequence Numbers is enabled. Here are the enabled TCP preferences:

  • Show TCP Summary in protocol tree
  • Allow subdissector to reassemble TCP streams
  • Analyze TCP sequence numbers
  • Track number of bytes in flight
  • Calculate conversation timestamps
  • Try heuristic sub-dissectors first
  • TCP Experimental Options with a Magic Number

All the rest are disabled

JohnH (2022-09-13 11:52:10 +0000)

There is a sample capture on the Wiki page for TCP.
Open it in 3.6.8 and see if it is working. If not, then it is a config issue. If it does work, then it is something in your capture, and it would be easier to move forward if you can share the capture file.

A display filter of tcp.analysis will show the packets with a [SEQ/ACK analysis] section.

Chuckc (2022-09-13 15:10:34 +0000)

I have loaded the sample capture and it appears to work. How do I share the capture file I am working with?

JohnH (2022-09-13 15:22:45 +0000)

Put it on a public file share (Google, OneDrive, Dropbox, ...) then update the question with a link to it.

Chuckc (2022-09-13 15:30:23 +0000)

1 Answer

Snapshot length: 64
[Packet size limited during capture: TCP truncated]

This is an open issue: 18138: Incomplete captured TCP packets not registered as conversations.

Chuckc
answered 2022-09-13 15:59:50 +0000

Comments

Thanks for looking into this; at least I'm not crazy. Any estimate on when or which release it might be fixed in?

JohnH (2022-09-13 16:01:26 +0000)

Can you increase the snap length when capturing? See notes here:
https://gitlab.com/wireshark/wireshar...
You could also add a comment to the open issue showing your interest in moving forward with the Draft commit.

Chuckc (2022-09-13 16:06:58 +0000)

What snap length would you recommend? Most of my customers want to use a minimum snap length to minimize exposure to their customer data. I will use this in the future; in this case I was going over some old captures to put together problem determination training when I discovered the issue. I should have read the notes first; it looks like 94 bytes would work reliably.

JohnH (2022-09-13 16:16:49 +0000)

Definitely test before you have to rely on that for a solution.

Chuckc (2022-09-13 17:02:19 +0000)
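
An added example, not part of the original thread and not Wireshark code: a Python check that reads a classic pcap file and reports, for each IPv4/TCP frame, whether the captured bytes cover the whole TCP header (options included), which is what a short snap length cuts off in the capture discussed above. It assumes Ethernet framing without VLAN tags and IPv4 only; `tcp_header_coverage` and `build_sample` are hypothetical names, and the sample capture is constructed.

```python
import struct

ETH_LEN = 14  # assumption: Ethernet II framing, no VLAN tag

def tcp_header_coverage(pcap: bytes):
    """Return (frame_no, captured_len, needed_len, complete) per IPv4/TCP frame.
    needed_len counts Ethernet + IPv4 + TCP header bytes including options; it is
    None when the capture stops before the TCP data-offset field."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled")
    results, pos, frame_no = [], 24, 0
    while pos + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[pos:pos + 16])
        data = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        frame_no += 1
        if len(data) < ETH_LEN + 20 or data[12:14] != b"\x08\x00":
            continue  # not IPv4, or cut before the fixed IPv4 header ends
        if data[ETH_LEN + 9] != 6:
            continue  # IP protocol is not TCP
        tcp = ETH_LEN + (data[ETH_LEN] & 0x0F) * 4  # offset of the TCP header
        if len(data) < tcp + 13:
            results.append((frame_no, len(data), None, False))
            continue
        needed = tcp + (data[tcp + 12] >> 4) * 4  # data offset is in 32-bit words
        results.append((frame_no, len(data), needed, len(data) >= needed))
    return results

def build_sample(snaplen=64):
    """Constructed capture: TCP headers of 20, 32 and 40 bytes, cut at snaplen."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for tcp_len in (20, 32, 40):
        eth = bytes(12) + b"\x08\x00"
        ip = (bytes([0x45, 0]) + struct.pack(">H", 20 + tcp_len + 100)
              + bytes(5) + b"\x06" + bytes(10))
        tcp = bytes(12) + bytes([(tcp_len // 4) << 4]) + bytes(tcp_len - 13)
        frame = eth + ip + tcp + bytes(100)  # 100 bytes of dummy payload
        out += struct.pack("<IIII", 0, 0, min(len(frame), snaplen), len(frame))
        out += frame[:snaplen]
    return out

if __name__ == "__main__":
    for row in tcp_header_coverage(build_sample(64)):
        print(row)
```

With a 20-byte IPv4 header and the maximum 60-byte TCP header, the required length is 14 + 20 + 60 = 94 bytes.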