I'm using Wireshark 1.6.7 and 1.5.0, and I noticed an anomaly. After loading a capture file that consists of 300K+ packets, I use the Expert Info feature to check the file for retransmits, duplicate ACK's and other warnings or errors within a TCP stream. It shows no errors or warnings. Then, I use the TCP Stream Time sequence (Stevens♔) feature to generate a time sequence diagram. On my first captured file, I see a nice straight line starting from lower left and moving to upper right corner. Everything looks good. In my 2nd, 3rd, 4th files, I see a straight line at the top of the graph with NO sequence number scale on the left side of graph.
Now here is the anomaly: If I skip to the bottom of the file or wait for some unknown period of time and then regenerate the time sequence (Stevens♔) graph for the same file, it actually turns out to be a line starting from the lower left and moving upward to the upper right...like I would expect it to be. Further, the Expert Info for these shows no errors and no warnings. Any ideas?
♔ Time-Sequence Graph (Stevens): a graph of TCP sequence numbers versus time. This helps us see if traffic is moving along without interruption, packet loss or long delays. Reference: TCP/IP Illustrated by W. Richard Stevens
asked 15 May '12, 13:49
edited 15 May '12, 15:53
You need to keep in mind that the TCP Stream graphs are NOT bidirectional, so depending on what packet you had selected when opening a graph you'll see either the direction from client to server or vice versa. You can tell by looking at the window caption; it will always tell you from what IP to what IP the transfer is drawn.
If you have a communication (like an FTP download) where one node only acknowledges and never sends anything else you'll see the horizontal line you mentioned.
So try to select a packet WITH content (easy to find, just don't click at those 60 byte packets), and you'll see you always get a line that is not horizontal. In your case it is probably just a case of luck which direction the packets are full and which direction they're just ACK'ing.
answered 15 May '12, 15:13
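An added example, not part of the original question or answer: a short Python sketch that summarizes each direction of one TCP stream and reports which direction would plot as a horizontal line on a time-sequence graph. The packet tuples, addresses and function names are constructed for illustration; in practice the fields would be exported from the capture.

```python
from collections import defaultdict

# Constructed sample for one TCP stream: (time_s, src, dst, tcp_seq, payload_len).
# The server sends data (crossing the 32-bit sequence wrap); the client only ACKs.
PACKETS = [
    (0.000, "10.0.0.5", "10.0.0.9", 1000, 0),
    (0.010, "10.0.0.9", "10.0.0.5", 4294966000, 1000),
    (0.011, "10.0.0.5", "10.0.0.9", 1000, 0),
    (0.020, "10.0.0.9", "10.0.0.5", 4294967000, 1000),
    (0.021, "10.0.0.5", "10.0.0.9", 1000, 0),
    (0.030, "10.0.0.9", "10.0.0.5", 704, 1000),
    (0.031, "10.0.0.5", "10.0.0.9", 1000, 0),
]

def direction_summary(packets):
    """Per (src, dst): packet count, payload bytes, and sequence-number advance.

    Assumption: SYN/FIN flags (which consume one sequence number each) are not
    modeled; only payload moves the sequence number here.
    """
    stats = defaultdict(lambda: {"packets": 0, "payload": 0, "first": None, "advance": 0})
    for _t, src, dst, seq, length in packets:
        s = stats[(src, dst)]
        if s["first"] is None:
            s["first"] = seq
        # Relative sequence number, computed modulo 2**32 to survive wraparound.
        rel = (seq - s["first"]) % 2**32
        if rel >= 2**31:          # segment older than the first one seen
            rel -= 2**32
        s["packets"] += 1
        s["payload"] += length
        s["advance"] = max(s["advance"], rel + length)
    return dict(stats)

def flat_directions(summary):
    """Directions whose sequence number never advances (pure ACK traffic)."""
    return [d for d, s in summary.items() if s["advance"] == 0]

def direction_to_graph(summary):
    """Direction carrying the data; select one of its packets before graphing."""
    return max(summary, key=lambda d: summary[d]["advance"])

if __name__ == "__main__":
    summary = direction_summary(PACKETS)
    for (src, dst), s in summary.items():
        shape = "horizontal line" if s["advance"] == 0 else "rising line"
        print(f"{src} -> {dst}: {s['packets']} pkts, {s['payload']} bytes, {shape}")
    print("graph this direction:", " -> ".join(direction_to_graph(summary)))
```
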