Bytes in Flight calculations

Question

How does Wireshark calculate Bytes in Flight (BIF)? Do the BIF also consider the SACK left-edge and right-edge values? I have an 19MB file that I would like to share, but do not see a way to attach the file to this post. Here is a general formula that I am using to determine BIF assuming with SACK:

(Sequence # of sender) + (TCP Length of sender) - (SACK right edge of receiver) = Value #1
(SACK left edge of receiver) - (Last TCP ACK # from receiver) = Value #2

BIF = (Value #1) + (Value #2)

Are the above equations correct? Please correct any of the above equations as needed.

Accepted Answer

At the point you mention, there are 9 packets missing, forming a data gap between #264 and #270. It would appear that these really were missing from the flow, because SACKs #283-#293 report that missing data. #308-#316 are the TCP retransmissions that fill that gap.

According to the bug report, this is why Wireshark doesn't count them in the BIF calculation.

There are also 5 packets missing between #274 and #275. However, these are selectively acknowledged, very soon after, by those same SACKs mentioned above.

This capture is a treasure trove of interesting behaviour.

There are also many examples of:

Packets retransmitted at the radio level, where we see the original in the trace (eg, #303 and #317 ; #352-#360 are repeats of #308-#316).
This happens for ACKs too (eg, #2225-#2233, then #2236-#2244).
Packets retransmitted at the radio level, where we DON'T see the original in the trace (eg, #332-#336).
Packets unnecessarily retransmitted at the TCP/IP level, where we see the original in the trace and they are ACKed. These also trigger Duplicate SACKs (eg, #352-#360 are retransmissions of #308-#316, #395 is a D-SACK for #360).
Packets seen in the trace but not seen at the TCP/IP level by the receiver (eg, #343 is selectively not-ACKed but the radio retransmission, #396, does get ACKed. Likewise for #346/#397 and #347/#398).
Transmit Window "inflation", where the sender outputs more "packets in flight" in response to many SACKs.

I guess that your capturing WiFi device is closer to the access point than your real receiver (since we see packets that the receiver doesn't - at both the radio and TCP/IP level). Your capture device also drops some real packets that the receiver does see.

Answer 2

As I understand the code, Wireshark sums up the TCP length of all unACKed frames by walking throuh a list of those unACKed frames (ual).

File: packet-tcp.c

    /* how many bytes of data are there in flight after this frame
     * was sent
     */
    ual=tcpd->fwd->segments;
    if (tcp_track_bytes_in_flight && seglen!=0 && ual && tcpd->fwd->valid_bif) {
        guint32 first_seq, last_seq, in_flight;
    first_seq = ual-&gt;seq - tcpd-&gt;fwd-&gt;base_seq;
    last_seq = ual-&gt;nextseq - tcpd-&gt;fwd-&gt;base_seq;
    while (ual) {
        if ((ual-&gt;nextseq-tcpd-&gt;fwd-&gt;base_seq)&gt;last_seq) {
            last_seq = ual-&gt;nextseq-tcpd-&gt;fwd-&gt;base_seq;
        }
        if ((ual-&gt;seq-tcpd-&gt;fwd-&gt;base_seq)&lt;first_seq) {=&quot;&quot; first_seq=&quot;ual-&quot;&gt;seq-tcpd-&gt;fwd-&gt;base_seq;
        }
        ual = ual-&gt;next;
    }
    in_flight = last_seq-first_seq;

    if (in_flight&gt;0 &amp;&amp; in_flight&lt;2000000000) {
        if(!tcpd-&gt;ta) {
            tcp_analyze_get_acked_struct(pinfo-&gt;fd-&gt;num, seq, ack, TRUE, tcpd);
        }
        tcpd-&gt;ta-&gt;bytes_in_flight = in_flight;
    }
}

SLE and SRE are not considered. You can see it pretty good in a SACK sample capture with packet loss.

http://packetlife.net/captures/TCP_SACK.cap

Add a column for bytes in flight to see it (Frames #30 - #39).

Regards
Kurt