This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Possible to display/calculate missing data when SACK is used?

0

Is it possible to easily calculate and display e.g. a column that optimally shows the number of bytes of missing data whenever missing data is indicated using SACK?

E.g. a server indicates missing data, by sending a packet with ACK 1000 and SLE 1100 and SRE 1400. The original data sent by the client was 1400 bytes.

So, in essence I would like to have a column that for the particular packet with SACK used, displays 100 bytes - i.e. the missing amount of traffic.

If a column is not possible, is this type of analysis possible using scripting or similar?

Reason being is that I see all data being received at the server, but for some reason, the server does not acknowledge it. I'm trying to find the smoking gun and my idea is that for whatever reason there might be a pattern where e.g. the server always "misses" 100 bytes of data.

asked 07 Nov '14, 00:17

NJL's gravatar image

NJL
21448
accept rate: 0%


One Answer:

1

I don't think Wireshark can do this because you can't have columns that calculate stuff for you on the fly. You could try to add a custom column containing the SACK edges and export the packet list to CSV (via the file menu). Then import that file into Excel and have it calculate the missing pieces. I'm not sure though if this can be easily done, because you might have more than one SACK block in the options.

answered 07 Nov '14, 12:23

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

Thanks for the suggestion, but you were right, it's not something that's easily done unfortunately - at least not to be able to cover the full details as you suggest yourself.

(07 Nov '14, 14:06) NJL