I'm using Wireshark 1.6.7 and 1.5.0, and I noticed an anomaly. After loading a capture file that consists of 300K+ packets, I use the Expert Info feature to check the file for retransmits, duplicate ACK's and other warnings or errors within a TCP stream. It shows no errors or warnings. Then, I use the TCP Stream Time sequence (Stevens♔) feature to generate a time sequence diagram. On my first captured file, I see a nice straight line starting from lower left and moving to upper right corner. Everything looks good. In my 2nd, 3rd, 4th files, I see a straight line at the top of the graph with NO sequence number scale on the left side of graph. Now here is the anomaly: If I skip to the bottom of the file or wait for some unknown period of time and then regenerate the time sequence (Stevens♔) graph for the same file, it actually turns out to be a line starting from the lower left and moving upward to the upper right...like I would expect it to be. Further, the Expert Info for these shows no errors and no warnings. Any ideas? ♔ Time-Sequence Graph (Stevens): a graph of TCP sequence numbers versus time. This helps us see if traffic is moving along without interruption, packet loss or long delays. Reference: TCP/IP Illustrated by W. Richard Stevens asked 15 May '12, 13:49 rascheri edited 15 May '12, 15:53 helloworld |
One Answer:
You need to keep in mind that the TCP Stream graphs are NOT bidirectional, so depending on what packet you had selected when opening a graph you'll see either the direction from client to server or vice versa. You can tell by looking at the window caption; it will always tell you from what IP to what IP the transfer is drawn. If you have a communication (like an FTP download) where one node only acknowledges and never sends anything else you'll see the horizontal line you mentioned. So try to select a packet WITH content (easy to find, just don't click at those 60 byte packets), and you'll see you always get a line that is not horizontal. In your case it it probably just a case of luck which direction the packets are full and which direction they're just ACK'ing. answered 15 May '12, 15:13 Jasper ♦♦ |
It seems that I can repeat this every time I open the file. I seem to have to wait for some unknown period of time. Sometimes when I jump to the bottom using <ctrl><home> and regenerate the time sequence (stevens) diagram it display the graph correctly. Other times I have to wait longer and retry. Oh, I'm doing all of this on Windows XP SP3.
This issue is resolved. Thanks for the helpful suggestions.
Just remember, when you are using the TCP Stream Time Sequence Graphing features. You should first select a packet that is coming from the client to the server. If you pick the packet which carries only the ACK then you will only see a straight line as indicated in the previous messages.
Thanks everyone. Rick
Rick, good to hear your feedback that the issue has been resolved. Could you accept the answer that made you resolve your issue by clicking on the check-mark next to it? That is the way this site works best (see the FAQ). I also converted your answer to a comment, as it was a comment and not a new answer to your question :-)
SYN-BIT, I did click on the thumbs up icon after I verified what Jasper reported was in fact true. He was the first to respond with the correct answer. I also just awarded points to him as well. Is there anything else I need to do?
If you want to accept an answer you can "activate" the round checkmark icon just below the thumbs up/down icons ;-)