
tcpd->rev->is_first_ack


Hi experts,

For the TCP analysis, what is "tcpd->rev->is_first_ack"? In which scenarios will it be used?

    /* WINDOW FULL
     * If we know the window scaling
     * and if this segment contains data and goes all the way to the
     * edge of the advertised window
     * then we mark it as WINDOW FULL
     * SYN/RST/FIN packets are never WINDOW FULL
     */
    if( seglen>0
    &&  tcpd->rev->win_scale!=-1
    &&  (seq+seglen)==(tcpd->rev->tcp_analyze_seq_info->lastack+(tcpd->rev->window<<(tcpd->rev->is_first_ack?0:(tcpd->rev->win_scale==-2?0:tcpd->rev->win_scale))))
    &&  (flags&(TH_SYN|TH_FIN|TH_RST))==0 ) {
        if(!tcpd->ta) {
            tcp_analyze_get_acked_struct(pinfo->num, seq, ack, TRUE, tcpd);
        }
        tcpd->ta->flags|=TCP_A_WINDOW_FULL;
    }

Regards, 7ACE

7ACE
asked 2024-03-27 12:29:23 +0000, updated 2024-03-27 12:32:23 +0000

1 Answer


From the source (epan/dissectors/packet-tcp.c):

    /*
     * Remember if we have already seen at least one ACK,
     * then we can neutralize the Window Scale side-effect at the beginning (issue 14690)
     */

14690: First "TCP window full" not detected

I haven't seen anything to reuse in the conversations, so I suggest adding a boolean which will track the first ACK (see my merge request). In such a rare case where the window is full before a first ACK, this will neutralize this side-effect of window scaling, which is not expected here. However, the analysis is good and the GUI gives the right Calculated window size.

1450: TCP: First Full TCP Window is not detected

Chuckc
answered 2024-03-29 00:35:25 +0000

Comments

https://gitlab.com/wireshark/wireshar...

TcpWindowFull.pcap: Is No. 68 (SYN/ACK) the "tcpd->rev->is_first_ack"?

7ACE (2024-03-29 12:25:11 +0000)

Just looking at the code and Expert Infos, I would say the flag is set on packet 67?

epan/dissectors/packet-tcp.c:

    if(tcph->th_flags & TH_SYN) {
        if(tcph->th_flags & TH_ACK) {
           expert_add_info_format(pinfo, tf_syn, &ei_tcp_connection_synack,
                                  "Connection establish acknowledge (SYN+ACK): server port %u", tcph->th_sport);
           /* Save the server port to help determine dissector used */
           tcpd->server_port = tcph->th_sport;
        }
        else {
           expert_add_info_format(pinfo, tf_syn, &ei_tcp_connection_syn,
                                  "Connection establish request (SYN): server port %u", tcph->th_dport);
           /* Save the server port to help determine dissector used */
           tcpd->server_port = tcph->th_dport;
           tcpd->ts_mru_syn = pinfo->abs_ts;
        }
        /* Remember where the next segment will start. */
        if (tcp_desegment && tcp_reassemble_out_of_order && tcpd && !PINFO_FD_VISITED(pinfo)) {
            if (tcpd->fwd->maxnextseq == 0) {
                tcpd->fwd->maxnextseq = tcph->th_seq + 1;
            }
        }
        /* Initialize the is_first_ack */
        tcpd->fwd->is_first_ack = TRUE;
    }

67 TCP: Connection establish request (SYN): server port 80

68 TCP: Connection establish acknowledge (SYN+ACK): server port 80

Chuckc (2024-03-29 12:54:14 +0000)

tcpd->fwd? tcpd->rev?

7ACE (2024-03-29 13:16:47 +0000)

I'm in over my head here so maybe a comment over on the issue or merge request listed above will get one of the original developers to help.

It seems that fwd and rev are relative not absolute so maybe the direction has changed between the flag being set and when it is checked?

epan/dissectors/packet-tcp.h:

    /* These pointers are set by get_tcp_conversation_data()
     * fwd point in the same direction as the current packet
     * and rev in the reverse direction
     */
    tcp_flow_t  *fwd;
    tcp_flow_t  *rev;

Chuckc (2024-03-29 15:05:26 +0000)

Thank you so much for the clear explanation!

7ACE (2024-03-30 06:43:41 +0000)
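The following is an added example, not code from Wireshark or from anyone in this thread. It reduces the WINDOW FULL predicate quoted in the question and the "first ACK" fix discussed in the answer to a small stand-alone C program. The `flow_t` struct is a hypothetical cut-down stand-in for Wireshark's per-direction flow state (the real `lastack` lives in `tcp_analyze_seq_info`), the `win_scale` encoding (-1 unknown, -2 option absent, otherwise shift count) is taken from the quoted expression, and all packet values are constructed. The point it shows is why `is_first_ack` matters: the window field of a SYN or SYN/ACK is never scaled (RFC 7323), so until the peer has sent a real ACK the raw field must be used unshifted, otherwise a window filled right after the handshake is computed 2^wscale times too large and the first "TCP window full" is missed (issue 14690).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* TCP header flag bits (same values as the TH_* macros in packet-tcp.c). */
#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_PUSH 0x08
#define TH_ACK  0x10

/* Hypothetical, cut-down stand-in for Wireshark's per-direction flow state.
 * win_scale: -1 while unknown, -2 when the peer sent no Window Scale option,
 * otherwise the shift count. is_first_ack: set TRUE on the SYN (quoted above)
 * and, per the source comment, cleared once at least one ACK has been seen. */
typedef struct {
    uint32_t lastack;       /* last ACK number this side sent */
    uint32_t window;        /* raw 16-bit window field of this side's last segment */
    int      win_scale;     /* -1 unknown, -2 absent, else shift count */
    bool     is_first_ack;  /* no ACK seen yet: the window came from the SYN */
} flow_t;

/* Effective receive window of the peer, mirroring the shift expression in the
 * WINDOW FULL check: while is_first_ack is set the raw field is used unshifted,
 * because RFC 7323 forbids scaling the window field of a SYN or SYN/ACK. */
static uint32_t effective_window(const flow_t *rev) {
    int shift = (rev->is_first_ack || rev->win_scale < 0) ? 0 : rev->win_scale;
    return rev->window << shift;
}

/* Same predicate as the quoted WINDOW FULL block: a data-bearing, non-SYN/FIN/RST
 * segment whose last byte lands exactly on the edge of the peer's window. */
static bool is_window_full(const flow_t *rev, uint32_t seq, uint32_t seglen, uint8_t flags) {
    if (seglen == 0)                        return false; /* no payload */
    if (rev->win_scale == -1)               return false; /* scaling still unknown */
    if (flags & (TH_SYN | TH_FIN | TH_RST)) return false; /* never WINDOW FULL */
    return seq + seglen == rev->lastack + effective_window(rev);
}

/* Constructed scenario in the spirit of issue 14690: the server's SYN/ACK
 * advertised window=8192 with wscale=7 and the client fills that window before
 * the server has ACKed any data. honour_first_ack=false reproduces the old
 * behaviour, where the unscaled SYN window was wrongly shifted by 7. */
static bool window_full_before_first_ack(bool honour_first_ack) {
    flow_t server = { .lastack = 1, .window = 8192, .win_scale = 7,
                      .is_first_ack = honour_first_ack };
    /* client segment: seq 1, 8192 bytes of data, ACK|PSH */
    return is_window_full(&server, 1, 8192, TH_ACK | TH_PUSH);
}

/* Constructed scenario after the first ACK: window field 64 << 7 = 8192 bytes. */
static bool window_full_after_first_ack(void) {
    flow_t server = { .lastack = 4097, .window = 64, .win_scale = 7, .is_first_ack = false };
    return is_window_full(&server, 4097, 8192, TH_ACK);
}

/* Constructed scenario with no Window Scale option at all (win_scale == -2). */
static bool window_full_without_scaling(void) {
    flow_t server = { .lastack = 1, .window = 1460, .win_scale = -2, .is_first_ack = false };
    return is_window_full(&server, 1, 1460, TH_ACK);
}

int main(void) {
    printf("before first ACK, with fix:    %s\n", window_full_before_first_ack(true)  ? "WINDOW FULL" : "not flagged");
    printf("before first ACK, without fix: %s\n", window_full_before_first_ack(false) ? "WINDOW FULL" : "not flagged");
    printf("after first ACK:               %s\n", window_full_after_first_ack()       ? "WINDOW FULL" : "not flagged");
    printf("no window scaling:             %s\n", window_full_without_scaling()       ? "WINDOW FULL" : "not flagged");
    return 0;
}
```

Run as-is, the program flags the pre-first-ACK case only when `is_first_ack` is honoured; with the flag ignored the effective window becomes 8192 << 7 and the segment ending at byte 8193 is never seen as reaching the window edge. The other two scenarios show that the flag is irrelevant once a real ACK has carried a scaled window, and when no Window Scale option was negotiated at all.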